COBALT ILLUSION

Threat Actor updated 4 months ago (2024-05-05T02:17:55.510Z)
Cobalt Illusion, also known as Mint Sandstorm, APT42, and TA453 among other names, is a threat actor known for its sophisticated social engineering campaigns. The group is associated with the Islamic Revolutionary Guard Corps and conducts surveillance and espionage against people and organizations the Iranian government regards as threats. Notably, it has targeted researchers documenting the suppression of women and minority groups. Cobalt Illusion frequently uses legitimate but compromised accounts to send phishing lures. Its main targets are academics, journalists, human rights defenders, political activists, intergovernmental organizations, and non-governmental organizations focusing on Iran. In recent years the group has shown an increased capability to exploit n-day vulnerabilities, shortening the time between a vulnerability's disclosure and its exploitation from weeks to days or even hours, according to Microsoft. This uptick in aggression was reported earlier this year and underscores the escalating threat posed by this nation-state actor. Phishing and bulk data collection remain core tactics: the group engages in human-focused intelligence gathering, extracting information such as mailbox contents, contact lists, travel plans, relationships, and physical locations. On February 24th, Secureworks' Counter Threat Unit (CTU) investigated a cluster of activity that bore similarities to past Cobalt Illusion operations. The activity also resembles that of other well-known groups such as TA453 and Phosphorus, particularly in phishing attempts designed to deploy a new version of PowerLess, a tool Phosphorus has previously used in operations across the Middle East and Africa. Cobalt Illusion therefore continues to present a significant threat through its advanced tactics and rapid exploitation of vulnerabilities.
Description last updated: 2024-05-05T01:39:12.605Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description

TA453 | 3 | TA453, also known as Charming Kitten, APT35, APT42, Ballistic Bobcat, Phosphorus, and Ajax Security Team, is a threat actor linked to the Iranian government. This group has been implicated in numerous cyber espionage activities targeting various entities globally. In one notable incident, researcher

Mint Sandstorm | 2 | Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cyber threat actor. This group is known for its highly skilled operators and sophisticated social engineering techniques, often lacking the typica
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Iran
Microsoft
Analyst Notes & Discussion
Source Document References
Information about the COBALT ILLUSION threat actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title

DARKReading | 8 months ago | Microsoft: Iran's Mint Sandstorm APT Blasts Educators, Researchers
BankInfoSecurity | a year ago | Iranian Hackers Gain Sophistication, Microsoft Warns
BankInfoSecurity | a year ago | Feds Urge Immediate Patching of Zoho and Fortinet Products
BankInfoSecurity | a year ago | Feds Urge Immediately Patching of Zoho and Fortinet Products
CERT-EU | a year ago | Connect the Dots on State-Sponsored Cyber Incidents - Charming Kitten
InfoSecurity-magazine | a year ago | Tehran Targets Female Activists in Espionage Campaign
CERT-EU | a year ago | Iranian state-sponsored threat group impersonates US Think Tank
DARKReading | a year ago | 'Educated Manticore' Targets Israeli Victims in Improved Phishing Attacks