COBALT ILLUSION

Threat Actor updated 7 months ago (2024-05-05T02:17:55.510Z)
Cobalt Illusion, also known as Mint Sandstorm, APT42, and TA453 among other names, is a threat actor known for its sophisticated social engineering campaigns. This group is associated with the Islamic Revolutionary Guard Corps and is recognized for conducting surveillance and espionage activities against those seen as threats to the Iranian government. Notably, it has targeted researchers documenting the suppression of women and minority groups. Cobalt Illusion frequently employs legitimate but compromised accounts to send phishing lures as part of its operations. The group's main targets are academics, journalists, human rights defenders, political activists, intergovernmental organizations, and non-governmental organizations focusing on Iran.

In recent years, the group has demonstrated an increased capability to exploit n-day vulnerabilities, reducing their response time from weeks to days or even hours, according to Microsoft. This uptick in aggression was reported earlier this year, underscoring the escalating threat posed by this nation-state actor. Phishing and bulk data collection remain core tactics of Cobalt Illusion, which often engages in human-focused intelligence gathering, extracting valuable information such as mailbox contents, contact lists, travel plans, relationships, and physical locations.

On February 24th, Secureworks' Counter Threat Unit (CTU) investigated a cluster of activity that bore similarities to past Cobalt Illusion actions. The group's activities bear resemblance to other well-known hacking groups like TA453 and Phosphorus, particularly in its phishing attempts designed to deploy a new version of PowerLess. This software has been previously deployed by Phosphorus in operations throughout the Middle East and Africa. As such, Cobalt Illusion continues to present a significant cybersecurity threat with its advanced tactics and rapid exploitation of vulnerabilities.
Description last updated: 2024-05-05T01:39:12.605Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
TA453 is a possible alias for COBALT ILLUSION. TA453, also known as Charming Kitten, APT35, Phosphorus, Newscaster, and Ajax Security Team, is a threat actor group suspected to be linked with the Iranian government. Researchers from Proofpoint have attributed cyberattacks on affiliates of former National Security Adviser John Bolton and nuclear | 3
Mint Sandstorm is a possible alias for COBALT ILLUSION. Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cybersecurity threat. The group has demonstrated its capability to rapidly weaponize N-day vulnerabilities in common enterprise applications and c | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Iran
Microsoft
Source Document References
Information about the COBALT ILLUSION Threat Actor was read from the documents corpus below.