← All Threat Actors
Threat Actor Profile

Cobalt Group

Cobalt Gang Cobalt Spider G0080 GOLD KINGSWOOD
▲ High Threat
[Cobalt Group](https://attack.mitre.org/groups/G0080) is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. [Cobalt Group](https://attack.mitre.org/groups/G0080) has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: RiskIQ Cobalt Jan 2018) Reporting indicates there may be links between [Cobalt Group](https://attack.mitre.org/groups/G0080) and both the malware [Carbanak](https://attack.mitre.org/software/S0030) and the group [Carbanak](https://attack.mitre.org/groups/G0008).(Citation: Europol Cobalt Mar 2018)
Origin

Known TTPs

Spearphishing Attachment
Ingress Tool Transfer
Command Obfuscation
Scheduled Task
Odbcconf
Compromise Software Supply Chain
Security Software Discovery
Dynamic Data Exchange
Malicious File
Exploitation for Privilege Escalation
CMSTP
Regsvr32
Process Injection
PowerShell
Tool
Remote Desktop Protocol
Visual Basic
Exploitation for Client Execution
File Deletion
Bypass User Account Control
XSL Script Processing
DNS
JavaScript
Spearphishing Link
Malicious Link
Windows Command Shell
Web Protocols
Registry Run Keys / Startup Folder
Protocol Tunneling
Asymmetric Cryptography
Windows Service
Remote Access Tools
Network Service Discovery
Logon Script (Windows)

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD