COBALT ILLUSION

Threat Actor Profile Updated 24 days ago
Cobalt Illusion, also known as Mint Sandstorm, APT42, and TA453 among other names, is a threat actor known for its sophisticated social engineering campaigns. The group is associated with the Islamic Revolutionary Guard Corps and conducts surveillance and espionage against those the Iranian government regards as threats. Notably, it has targeted researchers documenting the suppression of women and minority groups. Cobalt Illusion frequently uses legitimate but compromised accounts to send phishing lures. Its main targets are academics, journalists, human rights defenders, political activists, intergovernmental organizations, and non-governmental organizations focusing on Iran.

In recent years the group has shown an increased capability to exploit n-day vulnerabilities, cutting its response time from weeks to days or even hours, according to Microsoft. This uptick in aggression was reported earlier this year, underscoring the escalating threat posed by this nation-state actor. Phishing and bulk data collection remain core tactics of Cobalt Illusion, which often engages in human-focused intelligence gathering, extracting information such as mailbox contents, contact lists, travel plans, relationships, and physical locations.

On February 24th, Secureworks' Counter Threat Unit (CTU) investigated a cluster of activity that bore similarities to past Cobalt Illusion actions. The group's activities resemble those of other well-known groups such as TA453 and Phosphorus, particularly in phishing attempts designed to deploy a new version of PowerLess, software previously deployed by Phosphorus in operations throughout the Middle East and Africa. Cobalt Illusion therefore continues to present a significant cybersecurity threat through its advanced tactics and rapid exploitation of vulnerabilities.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.
ID | Votes | Profile Description

TA453 | 3 | TA453, also known as Charming Kitten, APT35, Phosphorus, and Ballistic Bobcat, is a threat actor attributed to the Iranian government. This group has been involved in numerous cyber espionage campaigns against various entities worldwide, with notable incidents involving an attack on a close affiliat

Mint Sandstorm | 2 | Mint Sandstorm, an Iranian nation-state threat actor also known as APT35 and Charming Kitten, has been identified by Microsoft as a significant cybersecurity concern. The group is linked to Iran's Islamic Revolutionary Guard Corps and is known for its sophisticated cyber campaigns targeting high-val
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Phishing
Iran
Microsoft
Associated Malware
No associations to display

Associated Threat Actors
No associations to display

Associated Vulnerabilities
No associations to display
Source Document References
Information about the COBALT ILLUSION threat actor was read from the document corpus below. This display is limited to 20 results.

Source | Created At | Title

CERT-EU | a year ago | Iranian state-sponsored threat group impersonates US Think Tank
CERT-EU | a year ago | Connect the Dots on State-Sponsored Cyber Incidents - Charming Kitten
BankInfoSecurity | 9 months ago | Feds Urge Immediately Patching of Zoho and Fortinet Products
BankInfoSecurity | 9 months ago | Feds Urge Immediate Patching of Zoho and Fortinet Products
BankInfoSecurity | 8 months ago | Iranian Hackers Gain Sophistication, Microsoft Warns
InfoSecurity-magazine | a year ago | Tehran Targets Female Activists in Espionage Campaign
DARKReading | a year ago | 'Educated Manticore' Targets Israeli Victims in Improved Phishing Attacks
DARKReading | 4 months ago | Microsoft: Iran's Mint Sandstorm APT Blasts Educators, Researchers