{
	"id": "a330cd77-70e8-4dff-b614-ca7cae4d5344",
	"created_at": "2026-04-06T00:13:10.702443Z",
	"updated_at": "2026-04-10T03:35:12.397662Z",
	"deleted_at": null,
	"sha1_hash": "69e9c88d731857ca7614aba1dfdd36a1538f2515",
	"title": "Double the Infection, Double the Fun | NETSCOUT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1578897,
	"plain_text": "Double the Infection, Double the Fun | NETSCOUT\r\nArchived: 2026-04-05 16:27:34 UTC\r\nExecutive Summary\r\nCobalt Group (aka TEMP.Metastrike), active since at least late 2016, has been suspected in attacks across dozens\r\nof countries. The group primarily targets financial organizations, often with the use of ATM malware. Researchers\r\nalso believe they are responsible for a series of attacks on the SWIFT banking system which cost millions in\r\ndamages to the impacted entities. On August 13, ASERT observed the financially-motivated hacking group\r\nactively pushing a new campaign. We believe the targeted institutions for the ongoing campaign are located in\r\neastern Europe and Russia. The active campaigns utilize spear phishing messages to gain entry. The emails appear\r\nto come from a financial vendor or partner, increasing the likelihood of infection. The group uses tools that can\r\nbypass Windows’ defenses.\r\nNOTE: Arbor APS enterprise security products detect and block all activity noted in this report.\r\nKey Findings\r\nRecent campaigns masquerade as other financial institutions or a financial supplier/partner domain to trick\r\npotential victims into trusting the messages.\r\nTwo phishing targets found:\r\nNS Bank (Russia)\r\nBanca Comercială Carpatica / Patria Bank (Romania)\r\nOne phishing email contains two malicious URLs.\r\nThe first one is a weaponized Word document. The document contains obfuscated VBA scripts as\r\nopposed to known CVEs used in parallel to this campaign.\r\nThe second one is a binary with a jpg extension.\r\nThe binaries analyzed contained two unique C2 servers we believe are owned and operated by the Cobalt\r\nhacking group.\r\nDetails\r\nCobalt Group Connection\r\nASERT recently uncovered two different malware samples which we believe connect the active campaigns to\r\nCobalt Group. The first sample, a JavaScript backdoor, shares functionality with previous versions of a similar\r\nbackdoor. 
The second binary, CobInt/COOLPANTS, is a reconnaissance backdoor as noted by security\r\nresearchers.\r\nJavaScript Backdoor\r\nhttps://www.netscout.com/blog/asert/double-infection-double-fun\r\nPage 1 of 11\n\nThe JavaScript Backdoor is believed to be a stager for additional payloads. This stager, previously analyzed by\r\nsecurity researchers from Group-IB, and the JavaScript Backdoor ASERT analyzed exhibit similar functionality,\r\nas noted below:\r\nRegistry key settings for persistence\r\nLaunched in an SCT (a scriptlet COM object) called via regsvr32.exe\r\nAn AppLocker bypass technique (squiblydoo)\r\nUse of RC4 to encrypt traffic\r\nSame type of system information collected\r\nThe C2 command names show striking similarity\r\nThe C2 communication structure is also closely aligned between the two samples\r\nCobInt/COOLPANTS\r\nThe second binary identified by security researchers, dubbed “Recon (CobInt) backdoor”, matched a new sample\r\nASERT identified. A number of binaries came to light after the initial findings of the CobInt backdoor. 
The\r\nfollowing are a few of these binaries, including the new sample identified by ASERT researchers (Figure 1):\r\nSample: 10d044bc5b8ae607501304e61b2efecb\r\nSecurity researchers identified a “patient zero” binary and called it CobInt.\r\nListed in a recent report as a tool used by Cobalt Group\r\nSample: d017bf9f6039445bfefd95a853b2e4c4\r\nA sample was found on July 9, 2018 and called COOLPANTS.\r\nAppears to be an evolution of CobInt due to similarities in the binary when cross-referenced\r\n28 of the 57 functions matched using Diaphora, a tool that compares binary functions\r\nC2 tied to Cobalt Group reporting: hxxps://apstore[.]info\r\nNew Sample: 616199072a11d95373b3c38626ad4c93\r\nFound by ASERT on August 13, 2018\r\nVery similar to COOLPANTS when cross-referencing the binaries:\r\nAll 48 functions under the “Best Match” tab in Diaphora\r\nSame compilation time as COOLPANTS: 2018-06-13 20:44:15\r\nC2: rietumu[.]me\r\nThe sample evolution supports the theory that rietumu[.]me belongs to the Cobalt hacking\r\ngroup.\r\nFigure 1. CobInt/COOLPANTS\r\nPhish \u0026 Infrastructure Analysis\r\nAfter inspecting the domain rietumu[.]me, ASERT uncovered the email address solisariana[@]protonmail[.]com.\r\nPivoting on the email leads to five additional domains, each with a creation date of 2018-08-01:\r\n1. compass[.]plus\r\n2. eucentalbank[.]com\r\n3. europecentalbank[.]com\r\n4. inter-kassa[.]com\r\n5. unibank[.]credit\r\nHunting for samples associated with inter-kassa[.]com leads to a phishing email uploaded to VirusTotal,\r\nd3ac921038773c9b59fa6b229baa6469 (Figure 2). At the time of analysis, VirusTotal scored the phishing email\r\nwith a 0, indicating nothing malicious was identified by the anti-virus engines.\r\nFigure 2. 
Phishing Email Header\r\nMost of the email content appears benign except for a link embedded in the message. The name “Interkassa”\r\nappears to be a payment processing system, which makes it a prime masquerading target for attackers, as noted in\r\nthe tactics employed by the Cobalt Group for this ongoing campaign. The links embedded in the phishing email\r\nare as follows:\r\n1. hxxps://download.outlook-368[.]com/Document00591674.doc\r\n   - Live on August 14, 2018\r\n2. hxxp://sepa-europa[.]eu/transactions/id02082018.jpg\r\n   - Not live at time of analysis, but a sample matching the full URL was uploaded to VirusTotal.\r\nDocument Infection Chain\r\nPayload Stager: Part One\r\nThe document from the embedded URL in the phishing email, Document00591674.doc\r\n(61e3207a3ea674c2ae012f44f2f5618b), renders a VBA-infested Word document which continues the infection\r\ncycle once macros are enabled. NOTE: The document requires user permission and/or a policy enabled that\r\nallows macros to run for a successful launch. The VBA script pieces together a cmd.exe command that launches\r\ncmstp.exe with an INF file (Figure 3), allowing it to potentially bypass AppLocker. The INF file then beacons to\r\ndownload.outlook-368[.]com to download a remote payload that cmstp.exe will execute.\r\nFigure 3. INF File\r\nThe file, info.txt, downloaded from download.outlook-368[.]com is an XML file with an embedded scriptlet tag.\r\nThe XML’s content includes a registration section allowing it to be used as a SCT/COM object (Figure 4).\r\nFigure 4. COM Object\r\n“cmstp.exe” executes the SCT file, which subsequently drops and launches the JavaScript backdoor dropper\r\nbinary, 31385.txt (e368365bece9fb5b0bc8de1209bab694), disguised as a text file. 
For the dropped binary, Cobalt\r\nGroup makes use of another system-provided binary to add a layer of stealth and bypass possible protections like\r\nAppLocker by launching it using regsvr32.exe (Figure 5).\r\nThis is consistent with TTPs for this actor.\r\nFigure 5. regsvr32 launching 31385.txt\r\nThe DLL file, 31385.txt, masquerading as a text file, is the last stage in the infection chain. The DLL drops the\r\nfinal obfuscated embedded file and launches it using regsvr32.exe before deleting itself (Figure 6).\r\nFigure 6. Final Obfuscated Script\r\nThe above script (Figure 6) is launched using regsvr32.exe:\r\nREgSvr32 /S /N /U /I:\"C:/Users/zgSpbU9Lu/AppData/Roaming/7F235861DB0B0024C3.txt\" sCRObJ\r\nThe script ensures persistence by modifying the registry key UserInitMprLoginScript with the following value:\r\nRegxvr32 /S /N /U /I:C:/Users/\u003credact\u003e/AppData/Roaming/EE02EB37AA8.txt ScRObJ\r\nDe-obfuscating the final script renders the C2 along with the RC4 key. This is the JavaScript backdoor\r\n“more_eggs” which has been analyzed by other researchers over the past few years (Figure 7).\r\nFigure 7. De-Obfuscated JavaScript Backdoor - “More_eggs”\r\nBackdoor “more_eggs” commands:\r\n1. d\u0026exec – Downloads and executes a PE file.\r\n2. more_eggs – Downloads an update for itself.\r\n3. gtfo – Deletes itself and related registry entries.\r\n4. more_onion – Executes the “new” copy of itself.\r\n5. vai_x – Executes a command via cmd.\r\nNOTE: Commands 1 – 4 match the commands described in other public reporting. Command 5 differs in name\r\nonly; what it does remains the same. The public report shows “more_power” as the name of the fifth command.
\r\nFigure 8: Execution Flow\r\nJPEG Infection Chain\r\nFile Execution\r\nThe second URL identified in the phishing email, hxxp://sepa-europa[.]eu/transactions/id02082018.jpg, acts as a\r\nred herring; id02082018.jpg, 9a87da405a53eaf32f8a24d3abb085af (UPX unpacked), is an executable rather than\r\nan image file. The sample is littered with junk code that spends CPU cycles before proceeding to de-obfuscate\r\nitself. The unpacking routine involves overwriting itself in memory with another executable. This overwritten\r\nbinary loads a resource and jumps to the executable code contained in it. The unpacked binary will fail when\r\nLoadResource is called if it’s not running in the context of the original binary (Figure 9).\r\nFigure 9: LoadResource()\r\nThe loaded shellcode first deobfuscates itself before beaconing to the C2 server for additional payloads or scripts.\r\nFigure 10: C2 Server\r\nAt the time of analysis, the C2 server did not respond; however, there is another binary with the same C2 found in\r\nASERT’s malware zoo which bears a striking resemblance to CobInt.\r\nFull Circle\r\nThe binary, 452903fc857fb98f4339d7ce1884099, makes use of the C2 ibfseed[.]com. Comparing this binary to\r\nanother CobInt (616199072a11d95373b3c38626ad4c93) sample using Diaphora, ASERT determined this to be\r\nanother CobInt/COOLPANTS sample. We believe this binary is tied to Cobalt Group using the same\r\nmethodology and binary comparisons as the previously discussed malware samples.
\r\nRomanian Target Spotted\r\nPhish\r\nWorking closely with Intel471, one of our Threat Intelligence partners, we found an additional Cobalt Group\r\nphishing campaign targeting carpatica[.]ro by masquerading as Single Euro Payments Area (SEPA).\r\n“carpatica[.]ro” belongs to Banca Comercială Carpatica, a bank in Romania that merged with Patria Bank in\r\n2017.\r\nFigure 11: Romanian Bank Phish Header\r\nCobalt Group Connection\r\nThe phishing email uncovered by Intel471 downloads 9270ac1e013a3b33c44666a66795d0c0. The downloaded\r\nfile shares the same PDB string as 1999a718fb9bcf3c5b3e41bf88be9067. That sample connects to rietumu[.]me,\r\nwhich ASERT identified as belonging to Cobalt Group (Figure 12).\r\nFigure 12: Cobalt Phish Connection\r\nSummary\r\nThe Cobalt Group actors mimic financial entities or their vendors/partners in order to gain a foothold in the\r\ntarget’s network. Making use of separate infection points in one email with two separate C2s makes this email\r\npeculiar. One could speculate that this would increase the infection odds. The actor tries to hide the infection by\r\nusing regsvr32.exe and cmstp.exe, which are both known for bypassing AppLocker (configuration dependent).\r\nASERT believes Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia based\r\non the observables in this campaign and their normal modus operandi. ASERT also recommends that employees\r\nare trained to spot phishing emails and, where possible, closely inspect emails for look-alike domains that might\r\ncontain malicious attachments or links.
\r\nSource: https://www.netscout.com/blog/asert/double-infection-double-fun",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netscout.com/blog/asert/double-infection-double-fun"
	],
	"report_names": [
		"double-infection-double-fun"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434390,
	"ts_updated_at": 1775792112,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/69e9c88d731857ca7614aba1dfdd36a1538f2515.pdf",
		"text": "https://archive.orkl.eu/69e9c88d731857ca7614aba1dfdd36a1538f2515.txt",
		"img": "https://archive.orkl.eu/69e9c88d731857ca7614aba1dfdd36a1538f2515.jpg"
	}
}