{
	"id": "ff437a22-b39f-4417-bbdc-d5ec0c6e2253",
	"created_at": "2026-04-06T00:16:15.984121Z",
	"updated_at": "2026-04-10T13:13:08.112689Z",
	"deleted_at": null,
	"sha1_hash": "06f42f59ad85978af55448e7496a96ae98ae5e7b",
	"title": "Cobalt hackers executed massive, synchronized ATM heists across Europe, Russia - Help Net Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 113734,
	"plain_text": "Cobalt hackers executed massive, synchronized ATM heists across\r\nEurope, Russia - Help Net Security\r\nBy Zeljka Zorz\r\nPublished: 2016-11-22 · Archived: 2026-04-05 16:37:09 UTC\r\nA criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS\r\ncountries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has\r\nbeen active since June 2016, and their latest attacks happened in July and August.\r\nSetup and execution of the attacks\r\nThe group sent out spear-phishing emails – purportedly sent by the European Central Bank, the ATM maker\r\nWincor Nixdorf, or other banks – to the target banks’ employees. The emails delivered attachments containing an\r\nexploit for an MS Office vulnerability.\r\n“If the vulnerability is successfully exploited, the malicious module will inject a payload named Beacon into\r\nmemory. Beacon is a part of Cobalt Strike, which is a multifunctional framework designed to perform penetration\r\ntesting. The tool enables perpetrators to deliver the payload to the attacked machine and control it,” the\r\nresearchers explained in a recently released paper.\r\nAdditional methods and exploits were used to ensure persistence on the targeted machines, to gain domain\r\nadministrator privileges, and ultimately to obtain access to the domain controller. From that vantage point, they\r\nwere able to obtain Windows credentials for all client sessions by using the open source Mimikatz tool.\r\nThe attackers would ultimately gain control over a number of computers inside the bank’s local network. Some of\r\nthem are connected to the Internet, and others not, but the latter would receive instructions from the central Cobalt\r\nStrike console through the former.\r\n“After the local network and domain are successfully compromised, the attackers can use legitimate channels to\r\nremotely access the bank, for example, by connecting to terminal servers or via VPN acting as an administrator or\r\na standard user,” the researchers noted. The attackers have also installed a modified version of the TeamViewer\r\nremote access tool on the compromised devices, just in case.\r\nOnce constant access was assured, the criminals searched for workstations from which they could control ATMs.\r\nThey would load the ATMs with software that allows them to control cash dispensers.\r\nThe final strikes happened in a few hours on the same day, when money mules would go to the targeted ATMs,\r\nsend an SMS with the code identifying the ATM to a specific phone number, the criminals would make it spit out\r\nall the cash, and the mules would leave with it.\r\nSome interesting things about the gang’s capabilities\r\nThe Cobalt gang uses a number of legitimate, open and closed source tools – Cobalt Strike (a tool for penetration\r\ntesting), Mimikatz, SDelete (a free tool available on the Microsoft website that deletes files beyond recovery), and\r\nTeamViewer.\r\n“Once an ATM is emptied, the operator launches the SDelete program, which removes files used with a special\r\nalgorithm, which prevents information from being recovered. Thereafter, the ATM restarts,” the researchers\r\nexplained. “In addition, operators disable the bank’s internal servers involved in the attack using the MBRkiller\r\nmalware that removes MBR (master boot record). Such a careful approach significantly complicates further\r\ninvestigation.”\r\nThe ATM manipulation software also contains code that allows it to record a log containing information about the\r\nbanknotes dispensed – the gang obviously does not trust the money mules to correctly report the amount that was\r\nstolen from each ATM.\r\nWhich banks were hit?\r\nGroup-IB did not name them, but only noted that they are based in Armenia, Belarus, Bulgaria, Estonia, Georgia,\r\nKyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain, the UK and Malaysia.\r\nAccording to Reuters, Diebold Nixdorf and NCR, the world’s two largest ATM makers, have provided banks with\r\ninformation on how to prevent or at least minimize the impact of these attacks.\r\nIt is unknown how much money the group was able to steal.\r\nSource: https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/"
	],
	"report_names": [
		"cobalt-hackers-synchronized-atm-heists"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434575,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06f42f59ad85978af55448e7496a96ae98ae5e7b.pdf",
		"text": "https://archive.orkl.eu/06f42f59ad85978af55448e7496a96ae98ae5e7b.txt",
		"img": "https://archive.orkl.eu/06f42f59ad85978af55448e7496a96ae98ae5e7b.jpg"
	}
}