Cosmicbeetle

Threat Actor updated 15 hours ago (2024-10-17T13:04:36.535Z)
CosmicBeetle, a threat actor identified and tracked by ESET since 2020, is a cybercrime group that has been increasingly active in the global cybersecurity landscape. Its operations primarily target small and midsize businesses (SMBs) across various sectors including manufacturing, pharmaceuticals, legal, education, and healthcare industries. The group opportunistically exploits older vulnerabilities in software typically used by these businesses, such as issues in Veeam Backup & Replication and Microsoft Active Directory, which allow unauthenticated attackers to gain access or escalate privileges within the targeted infrastructure. While Turkey accounts for most of the victimized organizations, significant numbers also originate from Spain, India, South Africa, and other countries.

In a bid to enhance its reputation, CosmicBeetle has started impersonating the infamous LockBit ransomware gang. This strategy is part of a broader shift in the group's tactics, which now include the use of ScRansom ransomware and an affiliation with the ransomware-as-a-service actor RansomHub. These changes suggest that CosmicBeetle is expanding its operations and seeking to establish itself as a formidable player in the cybercrime ecosystem. Furthermore, the group uses ScHackTool to download additional tools onto compromised systems and manipulate them at will, demonstrating a sophisticated approach to system exploitation.

Despite its growing sophistication, CosmicBeetle does not make significant efforts to conceal its malware, leaving many artifacts on compromised systems. The ransomware payload drops a clipper malware to monitor the system clipboard and modify cryptocurrency wallet addresses to those under the attacker's control, further indicating the group's financial motives. However, the rapid changes in the ScRansom ransomware and the group's focus on exploiting older, known vulnerabilities suggest that CosmicBeetle is still relatively immature in its operations. As such, it tends to target victims outside of the EU and US, especially SMBs, where patch management may be less robust.
Description last updated: 2024-10-17T12:20:28.493Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| Alias | Description | Votes |
| --- | --- | --- |
| Noname | Noname is a possible alias for Cosmicbeetle. NoName, also known as CosmicBeetle, is a pro-Russia threat actor group that has been active since at least 2020. The group is notorious for exploiting years-old vulnerabilities in systems, particularly those of small and medium-sized businesses, which have often left these flaws unpatched. They have | 2 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploits
Fortios
Ransomware
Exploit
Malware
Eset
Associated Malware
| Alias | Description | Association Type | Votes |
| --- | --- | --- | --- |
| Lockbit | The Lockbit Malware is associated with Cosmicbeetle. LockBit is a notorious malware that operates on a ransomware-as-a-service model, which has been responsible for significant cyber attacks across the globe. One of its most high-profile targets was Boeing, from whom the LockBit gang claimed to have stolen data. This incident not only disrupted operat | Unspecified | 2 |
Source Document References
Information about the Cosmicbeetle Threat Actor was read from the documents corpus below. This display is limited to 20 results.