Cobalt Group

Threat Actor Profile Updated 24 days ago
The Cobalt Group is a financially motivated cybercrime actor. Together with the Russian state-sponsored hacking group APT28, it was responsible for almost half of all cybersecurity incidents in 2023, according to TechRadar. Its tradecraft includes bypassing User Account Control (UAC) to gain unauthorized access to targeted networks, as documented in November of last year, when the group exploited CVE-2017-11882. Its activity frequently overlaps with that of other groups such as FIN6 and Evilnum, which makes precise attribution difficult.

Both the Cobalt Group and FIN6 are known to use Golden Chickens, a malware-as-a-service (MaaS) offering also referred to as More_eggs, which has been dubbed the "cyber weapon of choice" of these Russia-based cyber gangs. The cybersecurity firm eSentire identified the second developer of Golden Chickens as a Romanian man named Jack, known by the aliases VENOM SPIDER, Lucky and badbullzvenom. The group has also relied on Storm-0324 for unauthorized corporate network access, primarily to distribute JSSLoader before handing that access over to the notorious financial and ransomware actor FIN7. In 2017 and 2018 the Cobalt Group used badbullzvenom's (aka Lucky) VenomKit to deploy Cobalt Strike in attacks on banks; eSentire noted that FIN6 later leveraged the same malware suite in 2019, the year the suite gained a PureLocker ransomware plugin.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cobalt Strike
Associated Malware
ID | Type | Votes | Profile Description
EVILNUM | Unspecified | 2 | Evilnum is a form of malware, first observed and reported in 2018, that is designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or even ho
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Cobalt Group threat actor was read from the document corpus listed below.
Source | Created | Title
Quick Heal Technologies Ltd. | a year ago | UAC Bypass Using CMSTP
CERT-EU | a year ago | Meet 'Jack' from Romania! Mastermind Behind Golden Chickens Malware
CERT-EU | a year ago | The malware supplier of the most dangerous Russian cybercriminals has been revealed
CERT-EU | a year ago | Researchers Identify Second Developer of 'Golden Chickens' Malware
CERT-EU | a year ago | High-severity Chrome vulnerabilities addressed
MITRE | a year ago | Cobalt Group 2.0
MITRE | 6 months ago | Cobalt Group Gaffe Reveals All Targets in Attack on Financial Institutions
CERT-EU | 8 months ago | Microsoft Teams Hacks Are Back, As Storm-0324 Embraces TeamsPhisher
MITRE | 6 months ago | First Activities of Cobalt Group in 2018: Spear-phishing Russian Banks
CERT-EU | 4 months ago | Cyber threat landscape controlled by leading threat operations
CERT-EU | a year ago | Researchers identify second developer behind Golden Chickens MaaS
CERT-EU | a year ago | Golden Chickens malware developer unmasked
CERT-EU | a year ago | Minnesota VA medical center plagued with IT security gaps
MITRE | a year ago | Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions (Proofpoint US)
CERT-EU | 6 months ago | Hiring? New scam campaign means 'resume' downloads may contain malware