Cosmicbeetle

Threat Actor updated 15 days ago (2024-11-08T13:27:40.865Z)
CosmicBeetle, also known as NoName, is a threat actor that has been active since 2020. ESET researchers have recently published an in-depth analysis of this cybercrime group's activities. Despite the crude and clumsy nature of its operations, CosmicBeetle has managed to compromise various targets worldwide, primarily small and medium-sized businesses (SMBs), using its new ScRansom ransomware. Interestingly, the group appears to lack sophisticated skills but still achieves "stealth" through odd, impractical, and overcomplicated techniques.

The malware used by CosmicBeetle is controlled via a graphical user interface (GUI) and leaves plenty of artifacts on compromised systems, making little effort to hide its presence. The group's financial motives are clear: its ransomware payload drops clipper malware that monitors the system clipboard and replaces cryptocurrency wallet addresses with ones under the group's control. CosmicBeetle operators use a tool known as ScHackTool to download additional tools onto compromised machines and run them as they see fit.

Notably, the analysis revealed that CosmicBeetle is likely a new affiliate of the ransomware-as-a-service actor RansomHub. In a bid to bolster its reputation, CosmicBeetle has shifted towards impersonating the notorious LockBit gang, a move seen as exploiting the infamy of LockBit for its own ends. This tactic, combined with the group's particular focus on Turkish targets, suggests a deeper knowledge and confidence in targeting entities within this region. For more detailed insights into CosmicBeetle’s operations, including their encryption routine, victimology, and interactions with high-profile gangs such as LockBit and RansomHub, follow ESET Research and listen to their podcast episodes.
Description last updated: 2024-10-29T20:11:34.073Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
Noname is a possible alias for Cosmicbeetle. NoName, also known as CosmicBeetle, is a pro-Russia threat actor group that has been active since at least 2020. The group is notorious for exploiting years-old vulnerabilities in systems, particularly those of small and medium-sized businesses, which have often left these flaws unpatched. They have | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Exploits
Fortios
Ransomware
Exploit
Eset
Associated Malware
Alias Description | Association Type | Votes
The Lockbit Malware is associated with Cosmicbeetle. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit | Unspecified | 2