Spacecobra

Malware updated 3 months ago (2024-06-13T18:17:34.822Z)
SpaceCobra is a threat group whose malicious software activity dates back to at least 2015. The group is linked to the BingeChat and Chatico campaigns and has revived the GravityRAT malware with enhanced functionality. The updated GravityRAT allows SpaceCobra to extract WhatsApp Messenger backups and to receive commands from a command-and-control (C&C) server instructing it to delete files. The malware targets Windows, Android, and macOS systems, as documented by security firms including Cisco Talos, Kaspersky, and Cyble. Despite extensive research, the identity of the actor behind GravityRAT remains unknown. In 2022, SpaceCobra launched a deceptive application named "Chatico," distributed via the website "chatico.co[.]uk." The app was used in a campaign similar to previous SpaceCobra operations, targeting specific individuals. According to ESET telemetry, users in India were among those targeted by the updated Chatico version of the RAT (Remote Access Trojan). In 2023, ESET reported that a Pakistan-based group, also tracked as SpaceCobra, used an updated version of the Android GravityRAT spyware to steal WhatsApp backup files and delete files on victim devices. The use of GravityRAT marks a shift in SpaceCobra's tactics, as the group began focusing on Android platforms in 2020. The spyware is used exclusively by SpaceCobra in selected operations against specific individuals or groups. ESET researchers continue to monitor the group and have published indicators of compromise (IoCs) for this campaign. Despite these efforts, the threat actor behind GravityRAT, and therefore SpaceCobra, remains unidentified, which underlines the sophistication of its operations and the difficulty of tracking and mitigating such threats.
Description last updated: 2024-06-13T18:15:43.302Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID        | Votes | Profile Description
Chatico   | 3     | Chatico is a malicious software (malware) that was discovered to be part of a targeted cyber threat campaign since June 2022. The malware, based on the OMEMO Instant Messenger app, was trojanized with GravityRAT, a notorious Android remote access trojan. The group behind this threat employed a fraud
GravityRAT | 3    | GravityRAT is a notorious Trojan malware that has been used in various cyberattacks, including those targeting military systems. Initially designed for Windows, it has evolved over time to target Android devices as well. The malware uses stolen developer certificates to bypass security measures such
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Whatsapp
Spyware
Macos
Rat
Eset
Analyst Notes & Discussion
Source Document References
Information about the SpaceCobra malware was read from the document corpus below. This display is limited to 20 results.
Source                | Created At     | Title
BankInfoSecurity      | 3 months ago   | Pakistan's 'Cosmic Leopard' Is Targeting India With RATs
BankInfoSecurity      | a year ago     | Breach Roundup: European Investment Bank Suffers Cyberattack
Securityaffairs       | a year ago     | Updated Android spyware GravityRAT steals WhatsApp Backups
CERT-EU               | a year ago     | Android GravityRAT Spyware Steals WhatsApp Backup Files
ESET                  | a year ago     | WeLiveSecurity
ESET                  | a year ago     | Android GravityRAT goes after WhatsApp backups | WeLiveSecurity
InfoSecurity-magazine | a year ago     | New Version of Android GravityRAT Spyware Targets WhatsApp Backups