{
	"id": "db2acad6-614a-41a5-bde5-084f60827984",
	"created_at": "2026-04-06T00:06:43.906895Z",
	"updated_at": "2026-04-10T03:35:12.371508Z",
	"deleted_at": null,
	"sha1_hash": "1a49b58f567e70e021979faa34f2ff1bbe3a017e",
	"title": "New Techniques to Uncover and Attribute Cobalt Gang Commodity Builders and Infrastructure Revealed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3296558,
	"plain_text": "New Techniques to Uncover and Attribute Cobalt Gang Commodity\r\nBuilders and Infrastructure Revealed\r\nBy Unit 42\r\nPublished: 2018-10-25 · Archived: 2026-04-02 11:00:59 UTC\r\nNowadays, it’s very easy for an advanced attacker to use commodity tools and malware along with very simple initial\r\ndelivery methods to keep a low profile and stay away from possible attribution. One of the most common approaches is the\r\nuse of spear phishing emails employing social engineering or commonly used exploits (such as CVE-2017-0199 or the\r\nThreadKit builder) to trick the employees of organizations of interest. Once the initial infection has occurred is when the\r\nattacker becomes more sophisticated, deploying advanced custom pieces of malware, more advanced tools, and/or using\r\nliving-off-the land tools (such as the use of PowerShell, or tools like CMSTP or Regsvr32).\r\nThis approach makes it more difficult for threat hunters and defenders to find those needles in the haystack necessary to\r\nidentify a campaign and its objectives.  However even if an attacker uses commodity builders and tools, there is always a\r\nchance to find specific signals or characteristics that help to identify and track an actor’s infrastructure. 
One of the groups\r\nwell known for following these TTPs is the Cobalt Gang, which is still active even after the arrest of their alleged leader in\r\nSpain this year.\r\nDuring October 2018, Unit 42 has been investigating ongoing Cobalt Gang campaigns, as well as leveraging the latest\r\ninformation publicly reported in research reports, such as the ones described by Talos or Morphisec, to help discover and tie\r\nnew infrastructure to this attack group.\r\nAs a result, we have been able to identify both the use of a common macro builder as well as specific document metadata\r\nwhich have allowed us to track and cluster new activity and infrastructure associated with the Cobalt Gang.\r\nA Recent Effective Example of Delivery\r\nOne of the latest examples related to the campaign under analysis was used in attacks just a few days ago. It shows the\r\nsimplicity of the attack delivery employed by this group.\r\nThe attack reinforces the fact that email is still one of the primary attack vectors we continuously observe. This attack begins\r\nby targeting employees at several banking entities across the globe using an email with the subject “Confirmations on October\r\n16, 2018”.\r\nThe sample shown in Figure 1 can already be found in popular public online malware repositories.\r\n(SHA256:  5765ecb239833e5a4b2441e3a2daf3513356d45e1d5c311baeb31f4d503703e).\r\nFigure 1. Example of Email delivery\r\nhttps://unit42.paloaltonetworks.com/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/\r\nPage 1 of 15\n\nThe attachment is just a PDF document without any kind of code or exploit. Instead it seeks to use social engineering to\r\nconvince the user to click a link to download a malicious macro. This is a method used before by the Cobalt Gang and\r\ndiscussed in previous research, for example by Talos.\r\nFigure 2. 
PDF sample with embedded link\r\nThe PDF is simple and embeds a link that will open a legitimate Google location, and redirect the browser to a malicious\r\ndocument from there:\r\nFigure 3. Malicious doc browser redirect\r\nIn order to be effective against static analysis tools, the attackers crafted the PDF to seem more authentic: it\r\ncontains empty pages as well as some text pages that help in not raising red flags during analysis, shown in Figures 4 and 5.\r\nKeep in mind that PDFs with a low number of pages or high entropy in the content can raise suspicious flags in static analysis.\r\nFigure 4. PDF static analysis\r\nFigure 5. PDF text used to fill pages\r\nBy employing these two techniques the PDF avoids almost all traditional AV detection, resulting in a very effective transport\r\nof the first stage of the attack via email.\r\nIf the attack progresses, the user will be taken to the download of an MS Word document containing malicious macros that\r\nhas a very low detection rate at the moment of this campaign delivery. From a metadata standpoint, the document does not\r\ninclude any specific signal or characteristic that would help us track documents from the same author, as shown in Figure\r\n6.\r\nFigure 6. Doc102018.doc metadata\r\nThe downloaded malicious macro uses cmstp.exe to run a “scriptlet”, a technique well known to bypass AppLocker, and\r\ncontinues with the next stages of the payload delivery.  
The objective of this research is not the payload analysis, but to\r\nfocus on all possible aspects of the attack delivery for further tracking of the actors’ campaign and its associated\r\ninfrastructure.\r\nSo, the question is now… how can this simple delivery method help identify the campaign and objectives?\r\nMacro Builder Identification\r\nThe attack also achieves quite low detection results with its macro code, so one of the first focuses of the investigation is the\r\nidentification of a possible underlying builder. By looking into the macro code for “Doc102018.doc”, we can posit multiple\r\ntheories.\r\nThe macro code is over 1500 lines in length, and starts by declaring a set of variables with a very specific nomenclature (in this\r\nsample, letXX(num)):\r\nFigure 7. Example of format of macro variables\r\nSome of the variables are used in long encoding / decoding routines based on individual character assignations:\r\nFigure 8. Using specific variable format in decoding routines\r\nProcedures and functions are also defined using the same nomenclature (in this sample, letXX()):\r\nFigure 9. Procedures and Functions in VBA code\r\nAnd it makes use of the API call “CallByName” to invoke methods at runtime:\r\nFigure 10. Use of CallByName in VBA code\r\nIf we analyze some previous samples linked to Cobalt Gang, such as the ones depicted by Morphisec, this pattern is also\r\nobservable (in this case, using PkXX instead of letXX):\r\nFigure 11. 
VBA pattern in other documents\r\nOne initial approach to hunt for the pattern can be based on the following regular expressions for the different areas:\r\nVariable definitions /[A-Za-z]k[0-9]{2}([0-9]{1})/\r\nFunction definitions /Private Function [A-Za-z]{2,5}[0-9]{2,3}\\(/\r\nProcedure definitions /Sub [A-Za-z]{2,5}[0-9]{2,5}\\(/\r\nIn order to test our hypothesis for the builder we created the following Yara rules:\r\nrule cmstp_macro_builder_rev_a\r\n{\r\n    meta:\r\n        description=\"CMSTP macro builder based on variable names and runtime invoke\"\r\n        author=\"Palo Alto Networks Unit42\"\r\n    strings:\r\n        $method=\"CallByName\"\r\n        $varexp=/[A-Za-z]k[0-9]{2}([0-9]{1})/\r\n    condition:\r\n        $method and\r\n        #method == 2 and\r\n        #varexp \u003e 10\r\n}\r\nrule cmstp_macro_builder_rev_b {\r\n    meta:\r\n        description=\"CMSTP macro builder based on routines and functions names and runtime invoke\"\r\n        author=\"Palo Alto Networks Unit42\"\r\n    strings:\r\n        $func=/Private Function [A-Za-z]{1,5}[0-9]{2,3}\\(/\r\n        $sub=/Sub [A-Za-z]{1,5}[0-9]{2,5}\\(/\r\n        $call=\"CallByName\"\r\n    condition:\r\n        $call and\r\n        #func \u003e 1 and\r\n        #sub \u003e 1\r\n}\r\nHunting with these Yara rules leads to very positive results identifying this builder as well as a set of malicious documents\r\nusing it. 
But the documents identified are not always targeting the finance or banking industries, and so, we cannot\r\nguarantee that this builder is only used by this specific Cobalt Gang group and its campaigns against those industries.\r\nHowever, using this in combination with other aspects such as the target, payload, or dropper characteristics, becomes very\r\nuseful in tracking this group’s campaigns, as we will see in the following sections.\r\nLet’s focus then on the first stage of the delivery, the PDF documents.\r\nCommon Signals in PDF Documents\r\nAs we have seen, the use of a commodity PDF file with an embedded Google redirect link results in a very effective social\r\nengineering artifact. As there is no exploit or code executed, our research will now be focused on the metadata information\r\nfrom the document for further analysis.\r\nFigure 12. PDF Exiftool metadata\r\nOur next hypothesis would be to check if the PDF documents could have been created based on a template document, where\r\nthe author modifies the embedded link in the PDF and saves different document versions over time.\r\nBased on the XMP specification, we will pay attention to the values of the “DocumentID” and “InstanceID” Media\r\nManagement Properties:\r\nFigure 13. XMP Media Management Properties\r\nIn order to confirm this hypothesis, let’s focus on the Document ID metadata field. 
Basically, saving the same template twice\r\nwith 2 different links would produce the same Document ID but multiple Instance ID values (one per saved document).\r\nSearching our telemetry data for this metadata content produces interesting results.\r\nTo help hunt for this content, the following Yara rule could also be used:\r\nrule cobaltgang_pdf_metadata_rev_a{\r\n    meta:\r\n        description=\"Find documents saved from the same potential Cobalt Gang PDF template\"\r\n        author=\"Palo Alto Networks Unit 42\"\r\n    strings:\r\n        $ = \"\u003cxmpMM:DocumentID\u003euuid:31ac3688-619c-4fd4-8e3f-e59d0354a338\" ascii wide\r\n    condition:\r\n        any of them\r\n}\r\nThe results confirm our hypothesis (see Appendix for IOCs), and we have been able to find multiple PDF files that the\r\nattacker has saved with different contents but starting on the same “template”, all of them sharing the same characteristics.\r\nFigure 14. Example PDF document (different content)\r\nFurther analysis on the subsequent stages of the attack will allow us to confirm if the samples are related to Cobalt Gang\r\ncampaigns.\r\nFor example, let’s analyze the following document:\r\nObserved File Name SHA256\r\nREMITTER REFERENCE PMT.pdf 1d0aae6cff1f7a772fac67b74a39904b8b9da46484b4ae8b621a6566f7761d16\r\nThe document was delivered by email, with the subject “Fund Transfer 08-October-2018”, targeting banking customers:\r\nFigure 15. 
Email data associated with REMITTER REFERENCE PMT.pdf\r\nAnd it contains the embedded link redirecting to the following URL:\r\nhxxps://fundswp[.]com/Document082018.doc\r\nWhich downloads the document:\r\nObserved File Name SHA256\r\nDocument082018.doc 020ba5a273c0992d62faa05144aed7f174af64c836bf82009ada46f1ce3b6eee\r\nBy extracting the macro code, we can validate how it matches the macro builder described in the previous section. The\r\nfollowing output shows how running the Yara rule searching for the macro builder against the extracted VBA contents of the\r\ndocument produces the expected match in its contents:\r\n❯ yara cmstp_macro_builder.yar 020ba5a273c0992d62faa05144aed7f174af64c836bf82009ada46f1ce3b6eee_subfiles\r\ncmstp_macro_builder_2\r\n020ba5a273c0992d62faa05144aed7f174af64c836bf82009ada46f1ce3b6eee_subfiles/e657fe761effbe7e11e3cc343ba6845c2c9a6c989e7b805717d2e\r\ncmstp_macro_builder_2\r\n020ba5a273c0992d62faa05144aed7f174af64c836bf82009ada46f1ce3b6eee_subfiles/8a6d2cccb6f2007cb7fa29d3f009f9fbe305bffc45dc35d3828f2d\r\nThe pieces of our puzzle start to match for this campaign if we now put things in perspective:\r\n1. Hunting for PDF files that are created with the same “DocumentID” management metadata field results in a set of\r\nfiles that have been used in email delivery against banking entities.\r\n2. All of the PDF files embed a link based on a Google redirect, leading to the download of a Microsoft Office\r\ndocument file.\r\n3. The Microsoft Office document files contain macros for code execution. 
Those macros match the characteristics of\r\nthe builder that we have characterized.\r\nDiscovering the Attacker’s Infrastructure\r\nWith these results obtained, we can start to move towards finding attacker infrastructure pieces based on multiple aspects,\r\nsuch as the hunting rules defined in previous sections, session data obtained by our telemetry, or public WHOIS registrar\r\ndata.\r\nUsing our “hunting rules”\r\nBased on the metadata and builder characteristics, we have tracked a set of malicious PDF and Office files (see Appendix)\r\nthat provide us with domains and Office files in use by the attacker.\r\nSome examples of the PDF and embedded C2 links and document names are below in Table 1:\r\nSHA256 Embedded Link\r\n1fd9ba8eb97bf03cd4d3cbaac867595c920f1f36ebfbe9c1fc76558ea5e0ece5\r\nhxxp://www[.]pedidoslalacteo[.]com[.]ar/Proof-of-payment-19.09.2018.doc\r\n5ac1612535b6981259cfac95efe84c5608cf51e3a49b9c1e00c5d374f90d10b2 hxxps://s3[.]sovereigncars[.]org[.]uk/inv005189.pdf\r\n07f60611836c0a679c0fb2e25f5caeb4d29cd970919d47f715666b80be46f45c hxxps://alotile[.]biz/Document092018.doc\r\n9d6fd7239e1baac696c001cabedfeb72cf0c26991831819c3124a0a726e8fe23\r\nhxxps://goo[.]gl/mn7iGj\r\nWhich redirects to: hxxps://document[.]cdn-one[.]biz/doc000512.pdf\r\n444c63bb794abe3d2b524e0cb2c8dcc174279b23b1bce949a7125df9fab25c1c hxxps://safesecurefiles[.]com/doc041791.pdf\r\na5f2ad08b5afdbd5317b51d0d2dd8f781903522844c786a11a0957a81abfd29e\r\nhxxp://www[.]mky[.]com/Proof-of-payment-19.09.2018.doc\r\ndf18e997a2f755159f0753c4e69a45764f746657b782f6d3c878afb8befe2b69 hxxps://mail[.]halcyonih[.]com/uploads/doc004718538.pdf\r\nTable 1. 
Example PDF and embedded links\r\nThe PDF documents and URLs allowed us to discover multiple overlaps between this new infrastructure and the existing\r\nknowledge about Cobalt Gang attributed activity in previous research, corroborating new infrastructure belonging to the\r\nsame attacker.\r\nLet’s see a couple of examples of PDF documents from the list which belong to the same Document ID.\r\nObserved File Name SHA256\r\ninv005189.pdf 5ac1612535b6981259cfac95efe84c5608cf51e3a49b9c1e00c5d374f90d10b2\r\nThis sample has already been documented in previous campaigns, being related to the s3[.]sovereigncars[.]org[.]uk domain. See\r\nthe Talos blog.\r\nObserved File Name SHA256\r\ndoc000512.pdf 9d6fd7239e1baac696c001cabedfeb72cf0c26991831819c3124a0a726e8fe23\r\nThe sample embeds the URL hxxps://goo[.]gl/mn7iGj which is actually a shortened URL resolving to\r\nhxxps://document[.]cdn-one[.]biz/doc000512.pdf.\r\nDomain cdn-one[.]biz is a well-known Cobalt Gang attributed domain in previous analysis.\r\nThe complete list of domains used by the PDFs identified can be found in the Appendix section.\r\nPivoting on Email Sender Telemetry\r\nBased on email delivery data, our telemetry helps us collect samples and indicators related to the campaign.\r\nHere is a simple example of how tracking session data led us to new infrastructure, by using some of the email sender\r\ndata that is identified in malicious email sessions sending the PDF documents.\r\nFor example, the following senders belong to the recent campaign and are spoofing both legitimate email domains and\r\nsenders:\r\nSome of the samples delivered by these senders and their embedded links are shown below in Table 2:\r\nSHA256 Embedded link\r\n1c1a6bb0937c454eb397495eea034e00d1f7cf4e77481a04439afbc5b3503396 
hxxps://alotile[.]biz/Document092018.doc\r\n187e0d911cd0393caad1364ded1c394257cd149898b31f9718c7c6319af79818 hxxps://alotile[.]biz/Document042018.doc\r\n988d430ce0e9f19634cf7955eac6eb03e3b7774b788010c2a9742b38016d1ebf hxxps://fundsxe[.]com/Document09202018.doc\r\n852f11e5131d3dab9812fd8ce3cd94c1333904f38713ff959f980a168ef0d4ce hxxps://fundsxe[.]com/Document09222018.doc\r\nTable 2. Email sender associated PDFs and embedded links\r\nThese samples are delivered under the following file names:\r\nREMITTER REFERENCE PMT.pdf\r\nAml_S0680260A79301.pdf\r\nCIT180126-000768.pdf\r\nAMENDMENT.pdf\r\nCiti720TEME171440008_Query.pdf\r\nQuery _S-170526-005399.pdf\r\nBoth the domains and file names correlate with the results of the domains obtained based on hunting for PDF metadata and\r\nmacro builder structure, allowing us to keep tracking new activity over time.\r\nWHOIS Registrar Overlaps\r\nTwo of the newly discovered domains used by the collected PDF documents have very interesting registrant information,\r\npointing to a public registrant name, “grigoredanbadescu”.\r\nFigure 16. 
Historical DNS data on safesecurefiles[.]com\r\nDomains:\r\nsafesecurefiles[.]com\r\ndocument[.]cdn-one[.]biz\r\nWHOIS registrar information:\r\ngrigoredan@centrum.cz\r\nGrigoredanbadescu\r\n+4001289858474 (Romania)\r\nBrasov\r\nRomania\r\nBy pivoting on infrastructure related to the same registrant data we can obtain a very interesting set of domains:\r\narubrabank[.]com\r\noutlook-368[.]com\r\nusasecurefiles[.]com\r\nsafesecurefiles[.]com\r\nms-server838[.]com\r\nmsoffice-365[.]com\r\ntotal-share[.]biz\r\nbank-net[.]biz\r\ncdn-one[.]biz\r\ntotal-cloud[.]biz\r\nweb-share[.]biz\r\ncloud-direct[.]biz\r\nn-document[.]biz\r\nmy-documents[.]biz\r\nfirstcloud[.]biz\r\nyourdocument[.]biz\r\nxstorage[.]biz\r\nsafe-cloud[.]biz\r\nvia24[.]biz\r\nzstorage[.]biz\r\nwebclient1[.]biz\r\nbnet1[.]biz\r\nfirstcloud[.]biz\r\nmycontent[.]biz\r\ntotal7[.]biz\r\nfreecloud[.]biz\r\ncontents[.]bz\r\njudgebin[.]bz\r\nMany of the domains listed are already known as malicious domains attributed to other Cobalt Gang campaigns.\r\nAs an important note, “arubrabank[.]com” is a new domain registered on 2019-09-18 and still not observed in an active\r\ncampaign.\r\nThe domain seems to be intended to mimic the legitimate Arubabank website for further activity:\r\nFigure 17. Arubabank legitimate site\r\nInfrastructure Relationships\r\nLet’s summarize all the pieces of our puzzle, now that we can put together all the relationships we observed.\r\nFigure 18. Maltego graph. Summary of relations and overlaps.\r\nAs can be observed in the different clusters of activity:\r\n1. 
The initial cluster of PDF documents, on the left, links to specific domains for the download of Microsoft Office files\r\nusing the macro builder structure.\r\n2. Some of the domains in use are publicly registered with the name of “grigoredanbanescu” and allow us to find other\r\nrelated domains, which are already linked to previous Cobalt Gang activity.\r\n3. Some of the initial PDFs have relations with Microsoft Office files linked to “grigoredanbanescu” activity,\r\nconfirming again the relationships.\r\nConclusion\r\nCommodity attacks are widely used for both criminal and more targeted attacks, making identification difficult for network\r\ndefenders and threat hunters. One actor that makes extensive use of this approach to compromise victims is the Cobalt Gang.\r\nBy focusing on specific aspects of the macro builders and metadata the actors left behind we were able to develop new\r\nmechanisms to track and hunt Cobalt Gang activity and infrastructure.\r\nPalo Alto Networks customers are protected in the following ways:\r\nWildFire detects malware samples used by this campaign.\r\nTraps prevents these attacks at the endpoint.\r\nAll involved malicious domains have been covered by PAN-DB URL Filtering.\r\nAn Autofocus tag has been created for tracking the CobaltGang actor group.\r\nAppendix – Indicators of Compromise\r\nInitial example\r\nType SHA256\r\nEmail 2f74c8b55292d59ab66960f21a4413d4d54f8b7500bb385954e7ffe68d775443\r\nPDF 57f65ecb239833e5a4b2441e3a2daf3513356d45e1d5c311baeb31f4d503703e\r\nMicrosoft Office Document 07a3355f81ff69a197c792847d0783bfc336181d66d3a36e6b548d0dbd9f5a9a\r\nDomain transef[.]biz\r\nOutlook 
messages\r\n477c432382c97648767ee45c264f0f2aaf8d3d9f9ed547d8418db12b7c140760\r\ne0f1dbc10088b68f772ee73b0785c3d67b8e5f147b687911613d163ad5ebda6d\r\ne6a17617eaa98c49bfb2c9d3d090ffea69bb0c1864c43861bdf8d027339ea847\r\nMicrosoft Office Document (Macro builder)\r\n020ba5a273c0992d62faa05144aed7f174af64c836bf82009ada46f1ce3b6eee\r\n8004601c08983420408d2784e2a4aa79de426d41a09726a884edcb21f83ee7f8\r\nd8a2384a51cd59f6390e6a4fcb04b51358cdbd5e04cae5be23daae548c306a73\r\n161ba501b4ea6f7c2c8d224e55e566fef95064e1ed059d8287bc07e790f740e8\r\n62a278119d732e4c839ee074553f087588a9040be027bdf9e617413c6fd2e9af\r\n641d692386dab5ca60f4c6b1da0edecc5c3473c9a7d187dad6098786404780a3\r\n07a3355f81ff69a197c792847d0783bfc336181d66d3a36e6b548d0dbd9f5a9a\r\n161ba501b4ea6f7c2c8d224e55e566fef95064e1ed059d8287bc07e790f740e8\r\n12ecb6b3780cd19ea84f6e84e816a701e8231441bf90145481baa0648139e001\r\na6f941fcec01fb006fc51df96396aeeb826cdf3864756669e19cb145fe41692f\r\n19dc9b93870ddc3beb7fdeea2980c95edc489040e39381d89d0dfe0a825a1570\r\ncb5644bd670dcd9caf5185ebe396996e514ed1d93982157186611135aea79bd3\r\na0111977c79f4eb30511f22055b54e4e973c0501240f3ba462691b1b4999d561\r\nPDF 
Documents\r\n3a7525ffa571775aca45551ebd2c192d9b8ed45db1a61bdd8398d91db885d7a2\r\n1d0aae6cff1f7a772fac67b74a39904b8b9da46484b4ae8b621a6566f7761d16\r\n1c1a6bb0937c454eb397495eea034e00d1f7cf4e77481a04439afbc5b3503396\r\n187e0d911cd0393caad1364ded1c394257cd149898b31f9718c7c6319af79818\r\n988d430ce0e9f19634cf7955eac6eb03e3b7774b788010c2a9742b38016d1ebf\r\n852f11e5131d3dab9812fd8ce3cd94c1333904f38713ff959f980a168ef0d4ce\r\n9d6fd7239e1baac696c001cabedfeb72cf0c26991831819c3124a0a726e8fe23\r\n5ac1612535b6981259cfac95efe84c5608cf51e3a49b9c1e00c5d374f90d10b2\r\ndf18e997a2f755159f0753c4e69a45764f746657b782f6d3c878afb8befe2b69\r\na5f2ad08b5afdbd5317b51d0d2dd8f781903522844c786a11a0957a81abfd29e\r\n66bd5e492531adf675897de5de8aee427b896c9b2c406daff006ce6a4e8aa810\r\n1fd9ba8eb97bf03cd4d3cbaac867595c920f1f36ebfbe9c1fc76558ea5e0ece5\r\nd5328e519daadaf1520619da1f24f6d81d23c84222640058bbb366752be93537\r\n94c9fa812cebb733eda3a4eed33a0a49b60c207bb0f9153c0d08724c8b30f578\r\n07f60611836c0a679c0fb2e25f5caeb4d29cd970919d47f715666b80be46f45c\r\n7b9c183dc40c8d765e98024f8fb6565c69dee2bb97957c5ba754a23d2698bf7a\r\n195580b78e144f66ac1f9be2b927d7828ed1dc3974dc1897e0ed59a96ac8f4e1\r\n444c63bb794abe3d2b524e0cb2c8dcc174279b23b1bce949a7125df9fab25c1c\r\n07f60611836c0a679c0fb2e25f5caeb4d29cd970919d47f715666b80be46f45c\r\n7629dfcc9345578626a250afb67027955c6f78dd80b771c2968c5be0d4b11c59\r\n195580b78e144f66ac1f9be2b927d7828ed1dc3974dc1897e0ed59a96ac8f4e1\r\nb92707ebfaa15225064ff3a1a7d279b3dde1e70200e37d0074e9acc160cb16a7\r\nebf309ecd6c7a0911e1252d9e90fd302bfbd3e1d2679772025bdb9cc38bca141\r\n57f65ecb239833e5a4b2441e3a2daf3513356d45e1d5c311baeb31f4d503703e\r\nDomains\r\nalotile[.]biz\r\nfundsxe[.]com\r\ns3[.]sovereigncars[.]org[.]uk\r\nsafesecurefiles[.]com\r\ndocument[.]cdn-one[.]biz\r\nmail[.]halcyonih[.]com\r\ntransef[.]biz\r\nDomains registered by 
“grigoredanbanescu”\r\narubrabank[.]com\r\noutlook-368[.]com\r\nusasecurefiles[.]com\r\nsafesecurefiles[.]com\r\nms-server838[.]com\r\nmsoffice-365[.]com\r\ntotal-share[.]biz\r\nbank-net[.]biz\r\ncdn-one[.]biz\r\ntotal-cloud[.]biz\r\nweb-share[.]biz\r\ncloud-direct[.]biz\r\nn-document[.]biz\r\nmy-documents[.]biz\r\nfirstcloud[.]biz\r\nyourdocument[.]biz\r\nxstorage[.]biz\r\nsafe-cloud[.]biz\r\nvia24[.]biz\r\nzstorage[.]biz\r\nwebclient1[.]biz\r\nbnet1[.]biz\r\nfirstcloud[.]biz\r\nmycontent[.]biz\r\ntotal7[.]biz\r\nfreecloud[.]biz\r\ncontents[.]bz\r\njudgebin[.]bz\r\nURLs\r\nhxxp://www[.]pedidoslalacteo[.]com[.]ar/Proof-of-payment-19.09.2018.doc\r\nhxxps://s3[.]sovereigncars[.]org[.]uk/inv005189.pdf\r\nhxxps://alotile[.]biz/Document092018.doc\r\nhxxps://goo[.]gl/mn7iGj\r\nhxxps://document[.]cdn-one[.]biz/doc000512.pdf\r\nhxxps://safesecurefiles[.]com/doc041791.pdf\r\nhxxp://www[.]mky[.]com/Proof-of-payment-19.09.2018.doc\r\nhxxps://mail[.]halcyonih[.]com/uploads/doc004718538.pdf\r\nhxxps://e-dropbox[.]biz/doc058915654e.pdf\r\nhxxp://www[.]bit[.]do/etaYk\r\nhxxps://cloud-direct[.]biz/doc0047581678.pdf\r\nhxxps://transef[.]biz/Doc102018.doc\r\nObserved File Names\r\nDocument082018.doc\r\nREMITTER REFERENCE PMT.pdf\r\nAml_S0680260A79301.pdf\r\nCIT180126-000768.pdf\r\nAMENDMENT.pdf\r\nCiti720TEME171440008_Query.pdf\r\nQuery _S-170526-005399.pdf\r\nDocument092018.doc\r\nProof of payment 19.09.2018.doc\r\nDocument092018.doc\r\ndoc005681.doc\r\nSource: https://unit42.paloaltonetworks.com/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/"
	],
	"report_names": [
		"unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434003,
	"ts_updated_at": 1775792112,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a49b58f567e70e021979faa34f2ff1bbe3a017e.pdf",
		"text": "https://archive.orkl.eu/1a49b58f567e70e021979faa34f2ff1bbe3a017e.txt",
		"img": "https://archive.orkl.eu/1a49b58f567e70e021979faa34f2ff1bbe3a017e.jpg"
	}
}