Cobalt Group

Threat Actor updated 23 days ago (2024-11-29T14:42:51.896Z)
Download STIX
Preview STIX
The Cobalt Group is a significant threat actor known for its financially-motivated cybercrime activities. This group, along with the Russian state-sponsored hacking group APT28, was responsible for almost half of all cybersecurity incidents in 2023, according to TechRadar. The Cobalt Group's modus operandi includes bypassing User Account Control (UAC) and gaining unauthorized access to targeted networks, as documented in November last year when they exploited CVE-2017-11882. Their activities often overlap with other groups like FIN6 and Evilnum, making it challenging to identify their exact identity. The Cobalt Group, along with FIN6, is known to use Golden Chickens, a malware-as-a-service (MaaS) offering. This MaaS, also referred to as More_eggs, has been dubbed the "cyber weapon of choice" by these Russia-based cyber gangs. eSentire, a cybersecurity firm, identified the second developer of Golden Chickens as a Romanian man known as VENOM SPIDER. The group has also used Storm-0324 for unauthorized corporate network access, primarily to distribute JSSLoader before handing over the keys to the notorious financial and ransomware actor FIN7. In 2017 and 2018, the Cobalt Group utilized badbullzvenoms' (aka: Lucky) VenomKit to deploy Cobalt Strike in attacks on banks. eSentire noted that this malware suite was later leveraged by FIN6 in 2019, the same year when the suite included the PureLocker ransomware plugin. The second developer of the Golden Chickens malware, which has been used extensively by the Cobalt Group, was unmasked by eSentire to be a Romanian named Jack, also known as Lucky and badbullzvenom.
Description last updated: 2024-05-04T17:53:07.169Z
What's your take? (Question 1 of 1)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cobalt Strike
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The EVILNUM Malware is associated with Cobalt Group. Evilnum is a form of malware, first observed and reported in 2018, that is designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or even hoUnspecified
2