{
	"id": "05b78026-fdc5-4cdf-a59e-07b941d119aa",
	"created_at": "2026-05-01T03:10:34.274565Z",
	"updated_at": "2026-05-01T03:10:50.872541Z",
	"deleted_at": null,
	"sha1_hash": "23e683eb5a3ff85745d1a6c453f7974e9445409a",
	"title": "Secrets of Cobalt",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1456016,
	"plain_text": "Secrets of Cobalt\r\nArchived: 2026-05-01 02:01:41 UTC\r\nIn June 2016, the first attack conducted by the Cobalt group was tracked at a large Russian bank, where\r\nhackers attempted to steal money from ATMs. The attackers infiltrated the bank’s network, gained control over it,\r\ncompromised the domain administrator’s account, and reached the ATM control server.\r\nThe bank’s information security team detected traces of malicious programs and suspicious connections to the\r\nserver. In order to stop further unauthorized access, the entire bank was blocked from accessing the Internet. This\r\nturned out to be the best solution, as the Cobalt group had set up a controlled botnet in the bank’s network which was\r\nvery difficult to track and even harder to stop.\r\nThe day after the attack, Group-IB experts came to the bank’s central office and began searching for the source of\r\nthe attack; ascertaining the stages of its development, causes, and consequences; analyzing the malicious\r\nprograms; and restoring the chain of events. The computers that were involved in the attack were then examined.\r\nGroup-IB forensic specialists immediately understood that they faced a new approach to targeted attacks on banks.\r\nThey were not wrong. The June incident was a “test” of a new attack technique that the attackers would begin\r\nusing in July in the CIS, Europe, and Asia. For example, over $2m USD was stolen from 34 ATMs operated by\r\nthe First Bank, one of Taiwan’s largest banks. In October 2016, Group-IB published a report about the Cobalt\r\ngroup. Now, a year later, this group is continuing to attack banks, as reported monthly by Group-IB’s Threat\r\nIntelligence team.\r\nInitially, the Cobalt group focused on jackpotting ATMs: they launched a program that sent commands\r\ndirectly to the dispenser to issue cash. Then the group shifted to other systems in the bank, including card\r\nprocessing, payment systems, and SWIFT. 
Once they gained access to such systems, the attackers studied how payments and\r\nother financial transactions are conducted in order to repeat them. That said, services such as payment processing\r\nsystems or SWIFT are not actually hacked and are not the ‘weak point’. The actual vulnerability is the bank itself and its\r\nprotection methods against such advanced attacks.\r\nThe Cobalt group’s attacks are always executed according to the same template. The basic principles of targeted\r\nattacks on financial institutions have not changed since 2013, when the Anunak, Corkow, Buhtrap, and Lurk\r\ngroups began conducting the first attacks on Russian banks. The only thing that has changed is the tools. Attack\r\nstages are shown in fig. 1.\r\nhttps://www.group-ib.com/blog/cobalt\r\nPage 1 of 10\n\nFig. 1 The Cobalt group’s stages of attack\r\nCurrently, the Cobalt group is attacking large financial organizations around the world, which is why it makes\r\nsense to talk about the techniques used by this group to conceal their traces in the network and circumvent security\r\nmeasures.\r\nNetwork penetration\r\nIn all cases investigated by Group-IB, the Cobalt group used a set of spear-phishing emails to gain initial\r\naccess to the corporate infrastructure. The attackers use mail servers to carry out mass mailing of phishing\r\nmessages containing attachments to employees of the organization of interest. Message subjects and attachment\r\nnames are written in such a way that the employees want to open them (fig. 2).\r\nFig. 2 Examples of message subjects and attachment names\r\nThe mailing is carried out on a mass scale: in any organization, messages are usually sent to between 10 and 40\r\nemployees. However, some of the email addresses belong to employees that no longer work at the organization,\r\nwhich means that the Cobalt group likely uses out-of-date mailing lists. 
Each message contains an attachment that\r\nloads the payload – part of the Cobalt Strike software – into the computer’s memory.\r\nIn order to make this download possible, the attackers have tried several different formats of attachments and\r\nemails, as their primary task is to bypass mail filters, protection measures, and the company’s security\r\npolicy. At first, archives with .exe and .scr executables were used as attachments (fig. 3).\r\nFig. 3 Example of a message with an executable attachment (.exe)\r\nThe archive is password-protected in order to bypass anti-virus scans, security systems, and mail filters. However,\r\nwhere a security policy prohibits the transfer of encrypted archives, such an email message may\r\nbe blocked, so the attackers would send .doc files that contain exploits for Microsoft Office (fig. 4).\r\nFig. 4 The attackers would send .doc files that contain exploits for Microsoft Office.\r\nThis scheme assumes the presence of a vulnerable version of the software. Companies can protect themselves by\r\nupdating all software they use in a timely fashion. Of course, the risk of zero-day vulnerabilities remains, but we\r\nhave not yet seen their use in these types of attacks. For organizations that perform timely updates of their\r\nsystems and adhere to strict security policies, the Cobalt group employs another method to deliver\r\nmalicious code: emails with Word documents containing a malicious macro. When opening the document,\r\nthe user must click on the “Enable content” button, which enables macros (fig. 5).\r\nFig. 5 Example of an email message with a Word document, which, when opened, requires the user to click on the\r\n“Enable content” button to enable a malicious macro.\r\nOne of Cobalt’s tasks when crafting spear-phishing emails is to conceal the sender. 
When the sender field is simply\r\nforged, the majority of mail servers block these messages. Therefore, the Cobalt group\r\nregistered domains similar to real ones (for example, diebold.pw) and configured their email server to\r\nsend messages as if from these look-alike domains (fig. 6).\r\nFig. 6 Example of a message sent by attackers from a domain whose name is similar to the name of a real domain.\r\nAs soon as the attachment is launched and the malicious code is executed, the Cobalt Strike payload is\r\nloaded into memory. This tool is used for penetration testing, which means that it isn’t available only to cyber-fraudsters. This software provides a full set of functions for managing a downloaded module and, accordingly, an\r\ninfected computer. This set includes a keylogger, screenshots, remote access via VNC, injections into processes,\r\nthe ability to bypass the UAC security system, the Mimikatz tool, which is used to compromise access credentials\r\nfor Windows OS accounts, the ability to scan open ports on an organization’s computers, etc.\r\nRunning in RAM\r\nCobalt Strike modules aren’t stored in the file system; their executable code can only be found in RAM. By\r\ndefault, the code runs in the context of the rundll32.exe process, but it can be injected into any process, for example, to\r\nincrease the rights and number of privileges. In addition, Cobalt Strike allows a memory region allocated in the context of another process to avoid\r\nexposing the RWX (Read, Write, Execute) attributes, which often\r\nreveal injected code. Finally, not all anti-virus tools can scan RAM.\r\nProvision of the malware survivability\r\nThe Cobalt group uses different methods to ensure malware survivability on corporate networks. 
The goal is to set\r\nthe startup path to an executable file or program code that is launched with the powershell.exe shell command and\r\naccesses the Internet resource specified in the code in order to download and install the Cobalt Strike module. In this\r\nway, the payload itself is not saved in the system, but rather is reloaded each time. Another bonus of this method is\r\nthat a different payload can be loaded each time.\r\nStartup is ensured only on several machines that have access to the Internet. The following startup\r\nmethods have been recorded: through a service, startup registry keys, and Windows OS tasks, and by replacing the\r\nlegitimate executable files prescribed in startup with the attackers’ executable file. From our\r\nexperience, the Cobalt group uses a new method to provide its survivability in every attack. The danger of\r\nOS tasks is that their startup can be delayed. Even if the network is not infected now, in a month the corresponding\r\ntask may fire, and the payload will get into the organization’s computers.\r\nFig. 7 Registry keys for startup\r\nBypassing anti-virus tools\r\nUsually in spear-phishing emails, no exploits or any executable modules are detected by anti-virus tools (this\r\nhas been the case with all active groups). The attackers try to reassemble the loaded modules in order to bypass\r\nthe signature analysis of anti-virus tools. Cobalt Strike provides the ability to use the Artifact Kit framework for\r\nthese purposes and even modify it, as it is distributed in source code form. Aside from that, startup is performed by\r\nloading Cobalt Strike into main memory without saving it to the file system. 
Additional means of circumventing\r\nanti-virus tools include the use of exploits to increase the level of rights and privileges, bypassing UAC, and\r\ninjecting code into trusted processes.\r\nBypassing network security\r\nCobalt Strike allows users to install two types of modules: HTTP/HTTPS/DNS modules and SMB modules. The\r\nformer is installed on a system that has access to the Internet and provides interaction with the C\u0026C\r\nserver using the HTTP/HTTPS/DNS protocols. After the email message sent by the attackers is opened, such a\r\nmodule is downloaded to the system. The latter can be installed even on systems that do not have Internet access,\r\nbecause the SMB module is controlled over the SMB protocol (which is typically used within a local network) via\r\ninfected computers running the HTTP/HTTPS/DNS module.\r\nTo circumvent intrusion detection and prevention systems, as well as firewalls and proxy servers with signature\r\nrules aimed at detecting requests of a certain type, the Cobalt Strike modules generate communication profiles\r\nfor the HTTP protocol: the values of the protocol’s service headers and query parameters are specified, and the data can\r\nbe forwarded as a header value, as the value of a parameter sent with the URI, as part of the URI, or in the\r\nbody of the HTTP message. When interacting with the C\u0026C server, the data (executable files, commands, and the\r\noutputs of those commands) is encrypted. For interaction over HTTPS, HTTP profiles may be\r\nused with a specified SSL certificate, while data exchange over DNS requires DNS A, AAAA, and\r\nTXT records. In this case, one may separately specify the interaction intervals between the C\u0026C server and the\r\nmodule on the infected computer.\r\nThe Cobalt Strike module can use several profiles and switch between data exchange methods on command\r\nfrom the C\u0026C server without the need to update the module. 
The addresses of the C\u0026C servers change from\r\nthe moment the intruders penetrate the company’s network until the moment the money is stolen, thus avoiding\r\nblacklists of IP addresses or domain names. In this way, a controlled botnet is created within the organization that\r\nhas access to any computer, even those that do not have access to the Internet.\r\nFig. 8 Cobalt Strike infrastructure\r\nNetwork distribution\r\nTo run malicious programs on other computers on the network, including Cobalt Strike modules, the following\r\nmethods are used, all of which Microsoft products provide to administrator accounts:\r\nCreate a service on another computer to run the program code, start the service, and delete it. As the\r\ncommand line, program code is written and passed to the input of the powershell.exe command\r\ninterpreter;\r\nConnect to a shared directory (C$, ADMIN$) on another computer, copy the module to it, create the\r\nservice, run it to start the module, and then delete the service; delete the module.\r\nConnect to another computer using PsExec.exe (the remote access program is included in the Microsoft\r\nSysinternals suite), copy the module, and run it; delete the module.\r\nConnect to another computer via RDP, copy the module, and run it; delete the module.\r\nAfter creation, the services are deleted. Remote access via RDP and using PsExec is typical for network\r\nadministrators. Therefore, traces of programs that operate only in RAM are difficult to detect in a timely manner.\r\nUsually, OS logs and memory dumps can help. More detailed information can be obtained during an advanced\r\nsecurity audit and by periodically making backup copies of these logs.\r\nUse of standard tools\r\nCobalt Strike is publicly accessible and can be downloaded in order to study it and create detection rules for the\r\nnetwork. 
Aside from that, to work within an organization, the Cobalt group uses standard tools, including:\r\nremote connection via the RDP protocol (built-in capability of the OS);\r\nremote connection using PsExec;\r\nremote connection using TeamViewer, which allows a user to preserve remote access in case control using\r\nthe Cobalt Strike module is lost;\r\nnetwork scanning using the SoftPerfect Network Scanner program;\r\nsecure connection using the Plink program.\r\nTo prevent this threat, the company should configure filter rules to detect the above-mentioned tools on the\r\ncorporate network. TeamViewer calls can be controlled by rules on the firewall, proxy server, etc.\r\nConclusion\r\nAfter infecting one computer on an organization’s network, the Cobalt group analyzes the programs used on it and\r\nsearches for critical servers and the computers from which they are accessed. Financial organizations usually spend\r\na lot of money on information security and consider their isolated subnets to be safe. However, all of these subnets\r\nare controlled by people, and there is practically always access to a secure subnet from an unsecured one, even if\r\nit’s just from one computer with a unique account. This is exactly what attackers will be looking for. As we know\r\nfrom our experience, it takes from 2 weeks to 1.5 months to gain access to critical infrastructure.\r\nThis means that a bank’s information security specialists have, on average, one month to identify attackers on a\r\nnetwork. Anti-virus solutions do not help; the only thing that can protect your company is knowledge of how, who,\r\nand with what tools hackers are attacking. 
That’s why it is critical to update software in a timely manner and\r\nstudy reports from Threat Intelligence specialists that provide indicators of compromise and modern hacking\r\ntechniques.\r\nSource: https://www.group-ib.com/blog/cobalt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/cobalt"
	],
	"report_names": [
		"cobalt"
	],
	"threat_actors": [],
	"ts_created_at": 1777605034,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/23e683eb5a3ff85745d1a6c453f7974e9445409a.pdf",
		"text": "https://archive.orkl.eu/23e683eb5a3ff85745d1a6c453f7974e9445409a.txt",
		"img": "https://archive.orkl.eu/23e683eb5a3ff85745d1a6c453f7974e9445409a.jpg"
	}
}