{
	"id": "0eacf00c-17c0-49e4-b563-28edeed1712f",
	"created_at": "2026-04-06T00:09:22.698637Z",
	"updated_at": "2026-04-10T13:12:45.688526Z",
	"deleted_at": null,
	"sha1_hash": "5458e137285d33c18cc85b16a58064ce4275c530",
	"title": "Cobalt Group - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75258,
	"plain_text": "Cobalt Group - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-02 12:00:46 UTC\r\n\r\nNames\r\nCobalt Group (Group-IB)\r\nCobalt Gang (Palo Alto)\r\nCobalt Spider (CrowdStrike)\r\nGold Kingswood (SecureWorks)\r\nATK 67 (Thales)\r\nTAG-CR3 (Recorded Future)\r\nMule Libra (Palo Alto)\r\nG0080 (MITRE)\r\n\r\nCountry: Russia\r\nMotivation: Financial crime\r\nFirst seen: 2016\r\n\r\nDescription\r\nCobalt Group is a financially motivated threat group that has primarily targeted financial institutions. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. The group has been known to target organizations in order to use their access to then compromise additional victims. Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak, Anunak.\r\n\r\nObserved\r\nSectors: Financial, High-Tech, Media, Retail.\r\nCountries: Argentina, Armenia, Austria, Azerbaijan, Belarus, Bulgaria, Canada, China, Czech, Estonia, Georgia, Italy, Jordan, Kazakhstan, Kuwait, Kyrgyzstan, Malaysia, Moldova, Netherlands, Poland, Romania, Russia, Spain, Taiwan, Tajikistan, Thailand, Turkey, UK, Ukraine, USA, Vietnam.\r\n\r\nTools used\r\nATMSpitter, ATMRipper, AtNow, Cobalt Strike, CobInt, Cyst Downloader, FlawedAmmyy, Formbook, Little Pig, Mimikatz, Metasploit Stager, More_eggs, NSIS, Pony, SDelete, SoftPerfect Network Scanner, Taurus Loader, ThreatKit, VenomKit.\r\n\r\nOperations performed\r\nJun 2016: In June 2016, the first attack conducted by the Cobalt group was tracked at a large Russian bank, where hackers attempted to steal money from ATMs. The attackers infiltrated the bank’s network, gained control over it, compromised the domain administrator’s account, and reached the ATM control server.\r\n\u003chttps://www.group-ib.com/blog/cobalt\u003e\r\nJul 2016: ATM heist at the First Commercial Bank in Taiwan\r\n\u003chttps://www.reuters.com/article/us-taiwan-cyber-atms/taiwan-atm-heist-linked-to-european-hacking-spree-security-firm-idUSKBN14P0CX\u003e\r\nAug 2016: ATM heist at the Government Saving Bank in Thailand\r\nThaiCERT's whitepaper:\r\n\u003chttps://www.dropbox.com/s/1xvhee0s7o12i61/Whitepaper ATM Heist GSB August 2016.pdf?dl=0\u003e\r\nMay 2017: In May, Proofpoint observed multiple campaigns using a new version of Microsoft Word Intruder (MWI). MWI is a tool sold on underground markets for creating exploit-laden documents, generally used in targeted attacks. We previously reported about MWI when it added support for CVE-2016-4117. After the latest update, MWI is now using CVE-2017-0199 to launch an HTML Application (HTA) used for both information collection and payload execution.\r\nThis activity targets organizations in the financial vertical including banks, banking software vendors, and ATM software and hardware vendors. The emails are sent to technology and security personnel working in departments including Fraud and Information Security.\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target\u003e\r\nAug 2017: The first spam run on August 31 used a Rich Text Format (RTF) document laden with malicious macros. The second, which ran from September 20 to 21, used an exploit for CVE-2017-8759 (patched last September), a code injection/remote code execution vulnerability in Microsoft’s .NET Framework. The vulnerability was used to retrieve and execute Cobalt Strike from a remote server they controlled.\r\nNov 2017: On Tuesday, November 21, a massive spear-phishing campaign began targeting individual employees at various financial institutions, mostly in Russia and Turkey. Purporting to provide info on changes to ‘SWIFT’ terms, the email contained a single attachment with no text in the body. It was an attempt by the Cobalt Group to gain a foothold in the networks of the targeted individuals’ organizations.\r\nJan 2018: Spear-phishing attacks on Russian banks\r\nThe emails were sent in the name of a large European bank in an attempt to social engineer the receiver into trusting the email. The emails were quite plain with only a single question in the body and an attachment with the name once.rtf. In other cases, we saw a file with the name Заявление.rtf attached to an email that was also written in Russian.\r\nMay 2018: On May 23, 1:21 p.m. (Moscow time) Group-IB tracked a new large-scale Cobalt cyberattack on the leading banks of Russia and the CIS. It was like a challenge: phishing emails were sent acting as a major anti-virus vendor. Bank employees received a “complaint”, in English, that their computers allegedly violated legislation.\r\nSep 2018: In 2018, CTU researchers observed several GOLD KINGSWOOD campaigns involving SpicyOmelette, a tool used by the group during initial exploitation of an organization. This sophisticated JavaScript remote access tool is generally delivered via phishing, and it uses multiple defense evasion techniques to hinder prevention and detection activities.\r\nOct 2018: One of the latest examples related to the campaign under analysis was used in attacks just a few days ago. It shows the simplicity of the attack delivery employed by this group.\r\nThe attack reinforces the fact that email is still one of the primary attack vectors we continuously observe. This attack begins by targeting employees at several banking entities across the globe using an email with subject “Confirmations on October 16, 2018”.\r\nOct 2019: Magecart Group 4: A link with Cobalt Group?\r\n\r\nCounter operations\r\nMar 2018: Mastermind behind EUR 1 billion cyber bank robbery arrested in Spain\r\nAug 2018: Three Carbanak cyber heist gang members arrested\r\n\r\nInformation: MITRE ATT\u0026CK Playbook\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d8339e9a-c946-4304-aac4-722d8652d273",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d8339e9a-c946-4304-aac4-722d8652d273"
	],
	"report_names": [
		"showcard.cgi?u=d8339e9a-c946-4304-aac4-722d8652d273"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434162,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5458e137285d33c18cc85b16a58064ce4275c530.pdf",
		"text": "https://archive.orkl.eu/5458e137285d33c18cc85b16a58064ce4275c530.txt",
		"img": "https://archive.orkl.eu/5458e137285d33c18cc85b16a58064ce4275c530.jpg"
	}
}