COBALT ILLUSION

Threat Actor Profile Updated 3 months ago
Cobalt Illusion, also known as Mint Sandstorm, APT42, and TA453 among other names, is a threat actor known for its sophisticated social engineering campaigns. This group is associated with the Islamic Revolutionary Guard Corps and is recognized for conducting surveillance and espionage activities against those seen as threats to the Iranian government. Notably, it has targeted researchers documenting the suppression of women and minority groups. Cobalt Illusion frequently employs legitimate but compromised accounts to send phishing lures as part of its operations. The group's main targets are academics, journalists, human rights defenders, political activists, intergovernmental organizations, and non-governmental organizations focusing on Iran.

In recent years, the group has demonstrated an increased capability to exploit n-day vulnerabilities, reducing its response time from weeks to days or even hours, according to Microsoft. This uptick in aggression was reported earlier this year, underscoring the escalating threat posed by this nation-state actor. Phishing and bulk data collection remain core tactics of Cobalt Illusion, which often engages in human-focused intelligence gathering, extracting valuable information such as mailbox contents, contact lists, travel plans, relationships, and physical locations.

On February 24th, Secureworks' Counter Threat Unit (CTU) investigated a cluster of activity that bore similarities to past Cobalt Illusion actions. The group's activities bear resemblance to those of other well-known hacking groups such as TA453 and Phosphorus, particularly in its phishing attempts designed to deploy a new version of PowerLess. This software has previously been deployed by Phosphorus in operations throughout the Middle East and Africa. As such, Cobalt Illusion continues to present a significant cybersecurity threat with its advanced tactics and rapid exploitation of vulnerabilities.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at (ID, votes, profile description):

TA453 (3 votes): TA453, also known as Charming Kitten, APT35, Phosphorus, and Ballistic Bobcat, is a threat actor attributed to the Iranian government. This group has been involved in numerous cyber espionage campaigns against various entities worldwide, with notable incidents involving an attack on a close affiliat

Mint Sandstorm (2 votes): Mint Sandstorm, an Iranian nation-state threat actor also known as APT35 and Charming Kitten, has been identified by Microsoft as a significant cybersecurity concern. The group is linked to Iran's Islamic Revolutionary Guard Corps and is known for its sophisticated cyber campaigns targeting high-val

Charming Kitten (1 vote): Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorous, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou

APT42 (1 vote): APT42, also known as Charming Kitten, CharmingCypress, Mint Sandstorm, and TA453, is a threat actor associated with Iran. The group has been linked to the Islamic Revolutionary Guard Corps (IRGC) and is recognized for its use of sophisticated tactics, techniques, and procedures (TTPs), such as enhan

Phosphorus (1 vote): Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Phishing
Iran
Microsoft
Secureworks
APT
Exploit
Associated Malware
ID, type, votes, profile description:

PowerLess (type unspecified, 1 vote): Powerless is a malware that was deployed by Ballistic Bobcat in September 2021, as they were concluding the campaign documented in CISA Alert AA21-321A and the PowerLess campaign. The malware was introduced through a new backdoor, exploiting gaps left by traditional security measures which are often
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the COBALT ILLUSION threat actor was read from the documents corpus below (source, created at, title):

DARKReading, 6 months ago: Microsoft: Iran's Mint Sandstorm APT Blasts Educators, Researchers
BankInfoSecurity, 10 months ago: Iranian Hackers Gain Sophistication, Microsoft Warns
BankInfoSecurity, a year ago: Feds Urge Immediate Patching of Zoho and Fortinet Products
BankInfoSecurity, a year ago: Feds Urge Immediately Patching of Zoho and Fortinet Products
CERT-EU, a year ago: Connect the Dots on State-Sponsored Cyber Incidents - Charming Kitten
InfoSecurity-magazine, a year ago: Tehran Targets Female Activists in Espionage Campaign
CERT-EU, a year ago: Iranian state-sponsored threat group impersonates US Think Tank
DARKReading, a year ago: 'Educated Manticore' Targets Israeli Victims in Improved Phishing Attacks