{
	"id": "669a26be-62f0-4e7c-a97a-08a088a820db",
	"created_at": "2026-04-06T00:10:17.6959Z",
	"updated_at": "2026-04-10T13:11:43.518841Z",
	"deleted_at": null,
	"sha1_hash": "0d0919424277769d10d7246a75aabf0f89920e6b",
	"title": "Cobalt Hacking Group Tests Banks In Russia and Romania",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2900387,
	"plain_text": "Cobalt Hacking Group Tests Banks In Russia and Romania\r\nBy Ionut Ilascu\r\nPublished: 2018-08-30 · Archived: 2026-04-05 16:27:13 UTC\r\nIn new spear-phishing campaigns observed this month, the Cobalt hacking group targeted banks in Russia and Romania with\r\nemails containing two payloads pointing to two different command and control servers.\r\nCobalt is a cybercrime gang that has operated since at least 2016 and specializes in targeting financial organizations. According to\r\ndata from Europol, the group is tied to cyberattacks against at least 100 banks across the world, stealing about one billion\r\neuros from them.\r\nAlthough the alleged ringleader was arrested in Spain this year, and three individuals believed to be members of the\r\nhacking crew were charged at the beginning of the month, the group continues to operate.\r\nhttps://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/\r\nPage 1 of 6\r\nPhishing email uses domain similar to financial organization\r\nArbor Networks ASERT Team on August 13 noticed a new campaign bearing the Cobalt signature. The target was NS Bank\r\nin Russia. ASERT's threat-intelligence partner Intel471 discovered another campaign aimed at Carpatica Commercial\r\nBank/Patria Bank in Romania.\r\nThe emails delivered to the victims purported to be from other institutions related to the financial industry, a tactic intended\r\nto make the recipients more willing to open the weaponized files in the attachment.\r\nThe researchers with ASERT examined the domain rietumu[.]me, which is a command and control (C2) server connected to\r\nCobalt activity, and found an email address that led them to five new domains created on August 1, one of them being inter-kassa[.]com.\r\nThe other domains the experts uncovered, which are clearly attempts to impersonate financial institutions, are:\r\ncompass[.]plus - probably posing as BBVA Compass Bancshares or Compass Savings Bank\r\neucentalbank[.]com - probably posing as the European Central Bank\r\neuropecentalbank[.]com - probably posing as the European Central Bank\r\nunibank[.]credit - probably posing as any of the Unibank financial entities across the globe\r\nInterkassa is a legitimate payment processing system based in Georgia (the country) offering over 50 payment instruments\r\nfor online transactions in multiple currencies.\r\nLooking for samples associated with this domain, ASERT found a phishing email sent to an NS Bank employee. Contrary to the\r\n\"norm,\" it included two links to malicious files: one to a Word document with obfuscated VBA scripts, and one for\r\ndownloading a binary with the extension changed to JPG.\r\nEmail delivers links to two weaponized files\r\nThe weaponized Office file needs permission to run macros in order to execute the VBA script. But if\r\nmacros are enabled, a convoluted operation is triggered, ending with downloading and running a JavaScript backdoor very\r\nsimilar in functionality to another tool linked to the Cobalt group.\r\nThe executable file posing as a JPEG image in the email to NS Bank came from hxxp://sepa-europa[.]eu, a domain pretending\r\nto be related to the Single Euro Payments Area (SEPA), an initiative for easier cross-border payments within the European\r\nUnion.\r\n\"UPX unpacked, is an executable rather than an image file. The sample is littered with junk code that spends CPU cycles\r\nbefore proceeding to de-obfuscate itself. The unpacking routine involves overwriting itself in memory with another\r\nexecutable,\" ASERT explains.\r\nFollowing the analysis of this binary, the researchers determined it was a variant of CobInt/COOLPANTS - a reconnaissance\r\nbackdoor found on a C2 operated by Cobalt hackers in the past.\r\n\"Making use of separate infection points in one email with two separate C2s makes this email peculiar. One could speculate\r\nthat this would increase the infection odds,\" ASERT concludes.\r\nSpear phishing employee at Romanian bank\r\nThe spear-phishing campaign against Carpatica Commercial Bank, now merged with Patria Bank, delivered malware that\r\nshared the same program database with a sample from the domain rietumul[.]me, tied to the Cobalt group.\r\nThe header of the phishing email shows that the attacker used SEPA once more as a cover for the malicious activity, using\r\nSEPA Europe as the sender of the message.\r\nIt is unclear when Intel471 caught the phishing email, but two weeks ago the Romanian Intelligence Service (SRI)\r\nannounced that it had solid information about cyberattacks aimed at financial institutions in Romania.\r\nAccording to the communication, the events occurred between June and August, a timeframe that overlaps with the\r\ncampaigns discovered by the researchers at the two companies.\r\nSRI says that analysis from its cyberintelligence unit, the National Cyberint Center (CNC), shows that the arsenal of attack tools\r\nused by the hackers includes Cobalt Strike, a piece of software for penetration testing. This is confirmed by the numerous\r\nreports from various security companies that have examined the group's activity.\r\nPhishing is how it starts\r\nSpear-phishing is the initial stage of the attack, where the group tries to gain a foothold in the bank's digital\r\ninfrastructure. Subsequent activity from the Cobalt group typically consists of reconnaissance and moving laterally inside\r\nthe network.\r\nAfter they learn how the target operates and obtain the same access as high-level employees, the hackers could execute money\r\ntransfers, command ATMs, and steal money from payment gateways and SWIFT systems.\r\nSource: https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/"
	],
	"report_names": [
		"cobalt-hacking-group-tests-banks-in-russia-and-romania"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434217,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d0919424277769d10d7246a75aabf0f89920e6b.pdf",
		"text": "https://archive.orkl.eu/0d0919424277769d10d7246a75aabf0f89920e6b.txt",
		"img": "https://archive.orkl.eu/0d0919424277769d10d7246a75aabf0f89920e6b.jpg"
	}
}