{
	"id": "047ff9c3-82f4-4b48-bc8e-548fbec92776",
	"created_at": "2026-04-06T00:09:24.321832Z",
	"updated_at": "2026-04-10T03:33:49.099572Z",
	"deleted_at": null,
	"sha1_hash": "14b3694b56520d0e3d1fd476692c9de8a74668ee",
	"title": "Mabna Institute, Cobalt Dickens, Silent Librarian",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66015,
	"plain_text": "Mabna Institute, Cobalt Dickens, Silent Librarian\r\nArchived: 2026-04-05 18:07:17 UTC\r\nHome \u003e List all groups \u003e Mabna Institute, Cobalt Dickens, Silent Librarian\r\n APT group: Mabna Institute, Cobalt Dickens, Silent Librarian\r\nNames\r\nMabna Institute (real name)\r\nCobalt Dickens (SecureWorks)\r\nSilent Librarian (SecureWorks)\r\nYellow Nabu (PWC)\r\nTA407 (Proofpoint)\r\nTA4900 (Proofpoint)\r\nAcademic Serpens (Palo Alto)\r\nG0122 (MITRE)\r\nCountry Iran\r\nSponsor State-sponsored, Islamic Revolutionary Guard Corps\r\nMotivation Information theft and espionage\r\nFirst seen 2013\r\nDescription\r\nAccording to the Treasury Department, since 2013, the Mabna Institute hit 144 US\r\nuniversities and 176 universities in 21 foreign countries.\r\nGeoffrey Berman, US Attorney for the Southern District of New York revealed that\r\nthe spear phishing campaign targeted more than 100,000 university professors\r\nworldwide and about 8,000 accounts were compromised.\r\nThe Iranian hackers exfiltrated 31 terabytes, roughly 15 billion pages of academic\r\nprojects were stolen.\r\nThe hackers also targeted the US Department of Labor, the US Federal Energy\r\nRegulatory Commission, and many private and non-governmental organizations.\r\nThe sanctions also hit the Mabna Institute, an Iran-based company that had a critical\r\nrole in coordinating the attacks on behalf of Iran’s Revolutionary Guards.\r\nAlso see Shadow Academy.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=dfa23dfc-0cb8-4621-bde5-1583e1e7bfa4\r\nPage 1 of 3\n\nObserved\nSectors: Education.\nCountries: Australia, Canada, China, Hong Kong, Israel, Japan, Switzerland, Turkey,\nUK, USA.\nTools used\nOperations performed\nAug 2018\nDespite indictments in March 2018, the Iranian threat group is likely\nresponsible for a large-scale campaign that targeted university\ncredentials using the same spoofing tactics as previous attacks.\nIn August 2018, members of university communities worldwide may\nhave been providing access to more than just homework assignments.\nSecureworks Counter Threat Unit (CTU) researchers discovered a\nURL spoofing a login page for a university.\nJul 2019\nIn July and August 2019, CTU researchers discovered a new large\nglobal phishing operation launched by COBALT DICKENS. This\noperation is similar to the threat group’s August 2018 campaign, using\ncompromised university resources to send library-themed phishing\nemails.\nSep 2020\nIn mid-September, we were tipped off by one of our customers about a\nnew active campaign from this APT group. Based off a number of\nintended victims, we can tell that Silent Librarian does not limit itself\nto specific countries but tries to get wider coverage.\nCounter operations Mar 2018\nNine Iranians Charged With Conducting Massive Cyber Theft\nCampaign on Behalf of the Islamic Revolutionary Guard Corps\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=dfa23dfc-0cb8-4621-bde5-1583e1e7bfa4\nPage 2 of 3\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=dfa23dfc-0cb8-4621-bde5-1583e1e7bfa4\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=dfa23dfc-0cb8-4621-bde5-1583e1e7bfa4\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=dfa23dfc-0cb8-4621-bde5-1583e1e7bfa4"
	],
	"report_names": [
		"showcard.cgi?u=dfa23dfc-0cb8-4621-bde5-1583e1e7bfa4"
	],
	"threat_actors": [
		{
			"id": "3153308a-c34e-4a02-a179-2987fec3805b",
			"created_at": "2022-10-25T16:07:24.169458Z",
			"updated_at": "2026-04-10T02:00:04.887975Z",
			"deleted_at": null,
			"main_name": "Shadow Academy",
			"aliases": [],
			"source_name": "ETDA:Shadow Academy",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "adc8bb1a-6ded-4b27-8163-8069d5a6d492",
			"created_at": "2022-10-25T15:50:23.566869Z",
			"updated_at": "2026-04-10T02:00:05.385876Z",
			"deleted_at": null,
			"main_name": "Silent Librarian",
			"aliases": [
				"Silent Librarian",
				"TA407",
				"COBALT DICKENS"
			],
			"source_name": "MITRE:Silent Librarian",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "42e41377-c64c-4be9-87a0-ee903e4b9055",
			"created_at": "2023-01-06T13:46:38.950322Z",
			"updated_at": "2026-04-10T02:00:03.158476Z",
			"deleted_at": null,
			"main_name": "Silent Librarian",
			"aliases": [
				"Mabna Institute",
				"TA407",
				"TA4900",
				"Yellow Nabu",
				"COBALT DICKENS"
			],
			"source_name": "MISPGALAXY:Silent Librarian",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4c0e20f-e199-448e-9056-88bb1cf1c63e",
			"created_at": "2025-08-07T02:03:24.717633Z",
			"updated_at": "2026-04-10T02:00:03.630245Z",
			"deleted_at": null,
			"main_name": "COBALT DICKENS",
			"aliases": [
				"ITG22 ",
				"SilentLibrarian ",
				"TA407 ",
				"Yellow Nabu "
			],
			"source_name": "Secureworks:COBALT DICKENS",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ba9e3e3-1cef-4e20-be7e-95f05e8295d7",
			"created_at": "2022-10-25T16:07:23.821494Z",
			"updated_at": "2026-04-10T02:00:04.759302Z",
			"deleted_at": null,
			"main_name": "Mabna Institute",
			"aliases": [
				"Academic Serpens",
				"Cobalt Dickens",
				"G0122",
				"Mabna Institute",
				"Silent Librarian",
				"TA407",
				"TA4900",
				"Yellow Nabu"
			],
			"source_name": "ETDA:Mabna Institute",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434164,
	"ts_updated_at": 1775792029,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14b3694b56520d0e3d1fd476692c9de8a74668ee.pdf",
		"text": "https://archive.orkl.eu/14b3694b56520d0e3d1fd476692c9de8a74668ee.txt",
		"img": "https://archive.orkl.eu/14b3694b56520d0e3d1fd476692c9de8a74668ee.jpg"
	}
}