{
	"id": "ab5e8b62-588c-44d0-83c2-0cc8c60342ce",
	"created_at": "2026-05-01T03:10:29.989664Z",
	"updated_at": "2026-05-01T03:10:50.730886Z",
	"deleted_at": null,
	"sha1_hash": "841975aef451f4f7dcefa0e55c27eaf8f1906a70",
	"title": "Cobalt Renaissance",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126493,
	"plain_text": "Cobalt Renaissance\r\nArchived: 2026-05-01 02:48:48 UTC\r\nOn March 26, 2018, Europol reported the arrest of the Cobalt gang leader in Alicante, Spain. The Bank of Russia\r\nnamed Cobalt as the main threat to banks. The scale of its activities is fascinating: according to Europol, the\r\ngroup has been linked to thefts of approximately one billion euros from 100 banks in 40 countries: Russia, the\r\nUnited Kingdom, the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova,\r\nKyrgyzstan, Armenia, Taiwan and Malaysia. But, in spite of the arrest of Cobalt’s group leader, and (a little\r\nearlier) that of the head of the money mules group and several of his aides, the remaining hackers continue to attack\r\nbanks. Therefore, it is far too soon to dismiss Cobalt.\r\nOn May 23, 1:21 p.m. (Moscow time) Group-IB tracked a new large-scale Cobalt cyberattack on the leading banks\r\nof Russia and the CIS. It was like a challenge: phishing emails were sent acting as a major anti-virus vendor. Bank\r\nemployees received a “complaint”, in English, that their computers allegedly violated legislation. The users were\r\nasked to carefully read the attached email and provide detailed explanations. If a response was not received within\r\n48 hours, the “anti-virus company” threatened to impose sanctions on the recipient’s web resources. In order to\r\ndownload the email, the user was asked to follow a link, which would then infect the Bank employee’s computer.\r\nhttps://www.group-ib.com/blog/renaissance\r\nPage 1 of 9\n\nGroup-IB experts found a connection between the emails and Cobalt quite quickly: the unique Trojan “Coblnt”,\r\nwhich has been in the inventory of the group since the end of December 2017, was involved in the attack. The\r\nemails were sent from a domain titled “kaspersky-corporate[.]com”.
Upon review it was discovered that this\r\ndomain name was registered under the same registrant name as domains previously registered for Cobalt\r\nattacks.\r\nHowever, there were peculiarities: the anti-virus vendor’s name was being used for the first time, and the first wave\r\nof emails contained an empty ThreadKit exploit without any payload. Previously, the Cobalt hackers did not make\r\nsuch mistakes. However, after finding the error, the attackers corrected it.\r\nThe targets of this cyberattack might not only have been banks in Russia and the CIS: the phishing email was\r\nwritten in English, suggesting western banks as targets. The list of previously targeted emails, which was analyzed\r\nby Group-IB experts, contained the addresses of over 80 organizations, including banks, mass media, insurance\r\ncompanies and IT companies all over the world.\r\nAgain, the company’s experts rate the quality of the phishing emails as high: the English text is styled as a “legal\r\ncomplaint”, and the fake website kaspersky-corporate[.]com is also of high quality, which is not typical of\r\nCobalt. These and other signs again pointed to the possibility that the remaining members of the Cobalt group\r\nwere conducting a joint operation with other criminal groups, in particular, Anunak.\r\nDetailed information with technical indicators of the groups’ operation is provided in the report “Cobalt:\r\nEvolution and Joint Operations”.\r\nTechnical overview\r\nOn May 23, 2018, phishing emails were sent from the following mailboxes:\r\nrecive@kaspersky-corporate[.]com\r\ninfo@kaspersky-corporate[.]com\r\nr.levis@kaspersky-corporate[.]com\r\nSubject: “Technical Support”\r\nThe kaspersky-corporate[.]com domain name was registered on May 21, 2018, and at the moment it resolves to\r\nthe IP address 172.217.22[.]110.
Previously, it resolved to 194.58.112[.]174 and 62.76.40[.]207.\r\nThe mail server from which the emails were sent, mail.kaspersky-corporate.com, has the IP address\r\n62.76.40[.]207.\r\nThe email contains a link to the Complaint.doc file (hxxps://kaspersky-security[.]com/Complaint.doc). After\r\nclicking the link, the user receives a .doc exploit generated by the ThreadKit framework.\r\nComplaint.doc\r\nMD5 fa354151a3fc6d0dce69e8eeaa8cd197\r\nSize 192706 bytes\r\nHowever, the attacker made a mistake and forgot to configure the exploit build, which meant that the exploit was\r\nempty and did not install anything in the system. Moreover, the hackers did not change the standard decoy\r\ndocument set by the author by default. After opening the exploit, an error page was displayed.\r\nThe kaspersky-security.com domain name was registered on May 8, 2018, and resolves to 91.230.121[.]86.\r\nLater, the link led to the Complaint.scr file, CobInt.Downloader, which was an ordinary executable:\r\nMD5 7b55c7ae346efb428aaf63d25ca0fcc7\r\nSize 278016 bytes\r\nCompiled on May 18, 2018.\r\nThis program, classified as CobInt, is a backdoor developed by the Cobalt group itself. The modular tool has\r\ncapabilities to collect initial intelligence information about the compromised machine and stream video from its\r\ndesktop. If the operator decides that the system is of interest, the backdoor will download and launch a CobaltStrike\r\nframework stager.\r\nCobInt has its C\u0026C at foxsecit.com [185.86.79[.]156], and the domain was registered on May 18, 2018.\r\nIt is worth noting that the domain names kaspersky-security[.]com and foxsecit[.]com are registered under the same\r\nregistrant name as the previously registered ibm-notice[.]com, which the Cobalt group used in March.
And it\r\nin turn is associated with the domains spamhuas[.]com and hoteltoren[.]com.\r\nAnd the domains hoteltoren[.]com, dns-verifon[.]com, spam-huas[.]com, used by the Cobalt group to attack hotels\r\nand aggregators, confirm the fact that Cobalt hackers can diversify and extend their activities.\r\nConsidering that the latest attacks by the Anunak/Carbanak group were also targeting a number of hotels in order\r\nto obtain card data, the probability of a connection between these two hacker groups is high. This fact is not the\r\nmain reason to link these groups, but it additionally confirms our hypothesis of their joint operation in 2017.\r\nIn our new report on Cobalt activities, we revealed the relationship between these two criminal groups, and\r\ncarefully considered the joint attack on the banks.\r\nIndicators:\r\nfoxsecit[.]com\r\n185.86.79[.]156\r\nkaspersky-security[.]com\r\n91.230.121[.]86\r\nibm-notice[.]com\r\n37.1.212[.]129\r\n37.1.211[.]165\r\n162.243.38[.]176\r\n162.243.38[.]178\r\nhoteltoren[.]com\r\n172.81.132[.]131\r\nkaspersky-corporate[.]com\r\n194.58.112[.]174\r\n62.76.40[.]207\r\n172.217.22[.]110\r\nmail.kaspersky-corporate[.]com\r\nibm-cert[.]com\r\n138.197.128[.]24\r\nibm-warning[.]com\r\nibm-notice[.]com\r\ndns-verifon[.]com\r\n107.181.160[.]16\r\nspamhuas[.]com\r\nswift-sipn[.]info\r\n85.143.166[.]158\r\nswift-fraud[.]com\r\n62.76.179[.]147\r\n185.86.78[.]139\r\n85.143.166[.]99\r\ncloud.yourdocument[.]biz\r\n31.148.219[.]177\r\necb-europa[.]info\r\n62.76.179[.]110\r\nsecure.n-document[.]biz\r\n185.180.196[.]53\r\napi.toshiba.org[.]kz\r\n31.148.219[.]195\r\n7b55c7ae346efb428aaf63d25ca0fcc7\r\nfa354151a3fc6d0dce69e8eeaa8cd197\r\ne5795f4418b28888a287e976f741dfbe\r\nrecive@kaspersky-corporate[.]com\r\ninfo@kaspersky-corporate[.]com\r\nr.levis@kaspersky-corporate[.]com\r\nv.constancio@ecb-europa[.]info\r\nadmin@swift-sipn[.]info\r\nJoint operations\r\nThe report, “Cobalt: Evolution and Joint Operations”, provides an analysis of the development of one of the\r\nmost aggressive hacker groups responsible for financial damage to banks and financial services organizations in\r\nthe Americas, Europe, Middle East and South East Asia.\r\nCobalt has continued to target internal financial services systems to steal from Card Processing, ATMs, payment\r\ngateways and SWIFT systems. Group-IB experts provide insights in our reporting directly from first-hand incident\r\nresponse, covering the group’s activity from the beginning of its operations in 2016.\r\nFirst success\r\nThe Cobalt group first committed thefts through SWIFT in Hong Kong, in the spring of 2016, and then in\r\nUkraine. Millions of dollars were stolen in both cases, which required technologies and contacts with money\r\nmules that would be able to transfer large amounts of money withdrawn through SWIFT. These, and other factors,\r\nsuggest that the group probably did not act on its own.\r\nAfter the Ukrainian episode, attacks involving the system of interbank transfers suddenly ceased. The Cobalt\r\ngroup switched to attacks on banks through card processing and ATMs, which was much simpler and safer for\r\nmules (people who deal with cash withdrawals). Cobalt’s first major independent success was the attack on First\r\nBank in Taiwan, where the hackers managed to steal $2.18 million. In September 2016, Cobalt gained access to a\r\nbank in Kazakhstan. It took two months to prepare for the attack and explore the bank’s infrastructure. In\r\nNovember, Cobalt successfully stole about $600,000 through card processing. These attacks were then perfected\r\nand intensified.
In 2017 the Cobalt group set a “personal best” in attempting to steal EUR25 million from a\r\nEuropean bank via card processing.\r\nCobalt only conducted new attacks on SWIFT 18 months after the April 2016 incidents. In December 2017, for the\r\nfirst time in Russia, they made a successful attack on a bank through SWIFT. This incident was the first SWIFT\r\ntheft in the history of the Russian banking industry. For a considerable time, Cobalt’s continued success was\r\nbecause the hackers constantly tested new tools and schemes, often changing the location of attacks and\r\nfamiliarizing themselves with how internal banking systems functioned. After gaining access to computers in a\r\ntarget bank, Cobalt often spent three to four weeks studying the internal infrastructure of the organization,\r\ncollecting information about and observing the function of payment systems, and only then conducting their\r\nattack. The average damage from each successful attack was 1.5 million USD, based on incident response\r\nconducted by Group-IB and publicly disclosed estimates from Europol.\r\nIn 2018, major strides were made to disrupt the Cobalt group’s operations when the leader was arrested by Europol\r\nand local law enforcement in Alicante, Spain. Following this arrest, Group-IB has continued to monitor new\r\nactivity from the group, including attacks on March 10th, March 15th and even on the day of the announced\r\narrest, March 26th, with spear-phishing emails sent to organizations purporting to be from SpamHaus, a non-profit organization\r\nthat fights against spam.\r\nM \u0026 A\r\nGroup-IB has been investigating targeted attacks and cybercrime for over 15 years. Through incident response and\r\njoint investigations with law enforcement, we have monitored joint operations of various cybercriminal groups\r\nand the recruitment of individual hackers to commit attacks on banks and other organizations.
We expect that this\r\ntrend will only intensify over the coming years. This report publicly discloses the joint operations of the Cobalt\r\ngroup and Anunak (Carbanak), which were identified privately before the arrests, and provides an overview of their\r\nkey attacks in the period 2016 – 2017.\r\nIn 2016, Group-IB released the first public report on Cobalt providing detailed information on their attacks, which\r\nis available online. It linked the appearance of the Cobalt group to the termination of another infamous\r\ngang – Buhtrap. There was a three-month break between the last Buhtrap attack and the first Cobalt attack.\r\nIn these three months, Cobalt prepared infrastructure and committed thefts through SWIFT in Hong Kong and\r\nUkraine. We were confident that Cobalt was involved in these attacks because of the unique loader (stager). It was\r\nfound in these incidents and has only been used by Cobalt. However, these attacks, as well as their method of\r\ncashing out money, were surprisingly sophisticated.
This indicated that the Cobalt group did not act alone.\r\nThe connection with the Anunak group was discovered only 18 months later (in 2017), when during incident\r\nresponse we detected the same unique SSH backdoor that was employed by the Carbanak group in 2014.\r\nArms Race\r\nIn 2017, Cobalt invested heavily in their technology – from reverse engineering of malware samples, it appears\r\nlikely they enlisted a team of developers who created new tools for the Cobalt group and adjusted exploits in order to\r\nevade detection by security vendors.\r\nTheir work allowed Cobalt to act more efficiently: hours after PoCs for 1-day exploits were posted publicly,\r\nthe Cobalt group began using modified versions in attacks on banks and updated them in real time to avoid detection.\r\nNew tools and tactics allowed them to attack their targets – SWIFT, card processing, and payment gateways –\r\nwith more success and set a “personal best” in attempting to steal over 25 million EUR from a European bank via\r\ncard processing.\r\nNew tools and modified programs employed by Cobalt in 2017 are described\r\nbelow:\r\nPetya\r\nCobalt encrypted the network of one small bank in Russia using this now well-known ransomware. After they\r\nfailed to steal money through card processing, the hackers used a self-developed modification of the Petya ransomware\r\nnamed PetrWrap. This low-level modification is written in C. It is worth noting that to create such a modification\r\nthe author must be able to disassemble the original and understand exactly how and what they want to modify, which\r\nindicates a high level of technical skill.
The majority of computers in the bank’s network were disabled, which\r\nmildly complicated incident response and investigation.\r\nJS-backdoor\r\nIn May, they began testing a new tool, a PE library (DLL), which was used as a reconnaissance module.\r\nHowever, this tool was never employed by the group, as they shifted to testing a new JavaScript backdoor, which was\r\ndesigned to perform reconnaissance and complicate their discovery and analysis. This backdoor was used for the\r\nfirst time in attacks leveraging compromised servers of an integrator in the US. The malware was delivered\r\nthrough high-quality phishing emails with real reports from the SWIFT system attached. The program was used in\r\nattacks not only in the CIS countries and Eastern Europe, but also in attacks on western English-speaking\r\ncompanies.\r\nInfoStealer\r\nIn September Cobalt implemented the JavaScript backdoor functionality in an executable file, but without the ability\r\nto load and run. In the September attack they used InfoStealer 0.2. This only exists in memory and does not leave\r\ntraces in the file system. This tool was employed in attacks on insurance agencies, the media, and software\r\ndevelopers, whose compromised infrastructure was further used for attacks on banks.\r\nRecon Backdoor (CobInt)\r\nIn December, they started using a new Java loader, generated by the CobaltStrike framework, but with a unique\r\npayload that loads a unique Recon backdoor, Coblnt. The backdoor receives modules from the C\u0026C server for\r\nfurther execution. This complicated attack vector is very similar to the tactics used in targeted attacks by\r\nprofessional state-sponsored attackers and the Lurk group.\r\nSupply chain attacks and non-typical targets\r\nA major change in the tactics of Cobalt was the shift towards indirect attacks.
In February 2017, we tracked the\r\nfirst successful attack on a system integrator, which was then used as a vehicle by Cobalt for further attacks on\r\ncompanies in Russia, Kazakhstan, Moldova, as well as their subsidiaries in other countries. During the next 9\r\nmonths, Cobalt infiltrated at least four integrators located in Ukraine, the US, and Russia.\r\nIn March 2017, Cobalt began to prepare attacks on companies that provide electronic wallets and payment\r\nterminals. In April, they adopted an attack scheme and created a unique program to automatically generate\r\nfraudulent payments through payment gateways. In September, the group for the first time attacked an e-wallet\r\nvendor and successfully stole funds through a payment gateway. In this incident Group-IB was able to discover\r\nclear evidence of Carbanak involvement.\r\nMore recently, the group has begun to attack insurance agencies and the media. In these attacks, they obtain\r\ncontrol of mail servers or accounts to further use the victim’s infrastructure for attacks on banks.\r\nCobalt: reboot\r\nCobalt returned in 2018 in fine form – both in terms of technology and infrastructure. The March arrest of the\r\nCobalt gang leader in Spain has not yet led to the conclusion of attacks against financial institutions by this group.\r\nRemaining members reduced their activity in Russia and the CIS, temporarily focusing on other regions. It is\r\ninteresting to note that phishing emails, which were tracked in March, purported to be from US companies, for\r\nexample, IBM, Verifon, Spamhaus:\r\nOn March 7-10, letters were sent from the domains ibm-cert.com, ibm-warning.com, ibm-notice.com.\r\nOn March 15, a new phishing campaign was detected – hackers employed the dns-verifon.com domain,\r\nleveraging the brand of VeriFon, the largest vendor of POS terminals.\r\nOn March 26, phishing emails were sent acting as SpamHaus, a well-known non-profit organization that fights\r\nagainst spam and phishing. For this campaign, the attackers registered the spamhuas.com domain, which is\r\nindistinguishable from the official one (spamhaus.org).\r\nOn April 3, emails sent from the compromised mail server of a Swedish company were tracked.\r\nOn May 18, Cobalt sent emails in the name of SWIFT with the JS backdoor previously used in Cobalt’s attacks\r\nagainst US and European banks.\r\nOn May 23, Group-IB tracked a new large-scale Cobalt cyberattack on the leading banks of Russia and the CIS. It\r\nwas like a challenge: phishing emails were sent acting as a major anti-virus vendor.\r\nOn May 28, hackers sent emails as the European Central Bank with the JS backdoor.\r\nGiven the technological evolution of the group and the fact that in spite of the arrests of the Cobalt gang leader\r\nand malware writer, Cobalt has continued to strike, the most likely scenario is that remaining Cobalt members will\r\njoin existing groups or a fresh “redistribution” will result in a new cybercriminal organization ‘Cobalt 2.0’\r\ncontinuing attacks on banks worldwide.\r\nSource: https://www.group-ib.com/blog/renaissance",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/renaissance"
	],
	"report_names": [
		"renaissance"
	],
	"threat_actors": [],
	"ts_created_at": 1777605029,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/841975aef451f4f7dcefa0e55c27eaf8f1906a70.pdf",
		"text": "https://archive.orkl.eu/841975aef451f4f7dcefa0e55c27eaf8f1906a70.txt",
		"img": "https://archive.orkl.eu/841975aef451f4f7dcefa0e55c27eaf8f1906a70.jpg"
	}
}