{
	"id": "58e8a90a-6918-436a-9eb9-934ae3594fb9",
	"created_at": "2026-04-06T00:15:26.875115Z",
	"updated_at": "2026-04-10T13:11:55.299309Z",
	"deleted_at": null,
	"sha1_hash": "f0f6ff2557c0869c98d3e02427b666852d180b6a",
	"title": "Magecart Group 4: A link with Cobalt Group?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1419490,
	"plain_text": "Magecart Group 4: A link with Cobalt Group?\r\nBy Threat Intelligence Team\r\nPublished: 2019-10-02 · Archived: 2026-04-05 22:57:10 UTC\r\nAbout Cobalt Group\r\nCobalt Group came to the forefront of public attention in summer 2016 with their “jackpotting” attacks against\r\nfinancial institutions in Europe, which reportedly netted the group over $3 million. Since that time, they have\r\npurportedly amassed over a billion dollars from global institutions, evolving their tactics, techniques, and\r\nprocedures as they go.\r\nCobalt Domain Registration and other TTPs\r\nWhile changing tactics as they have evolved, an identifiable pattern in email naming conventions historically used\r\nby Cobalt allowed HYAS to not only identify previous campaign domains, but helped link Cobalt Group\r\ncampaigns to the Magecart domains identified above.\r\nA small shift from one of their previous conventions of [firstname],[lastname], [fournumbers] (overwhelmingly\r\nusing protonmail accounts, with a handful of tutanota/keemail.me email accounts) changed to the above-noted\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 1 of 31\n\nconvention of [firstname], [initial], [lastname] again using the same email services and registrars, and notably the\r\nsame use of privacy protection services.\r\nGiven the use of privacy services for all the domains in question, it is highly unlikely that this naming convention\r\nwould be known to any other actor besides those who registered both the Cobalt Group and Magecart\r\ninfrastructure. In addition, further investigation revealed that regardless of the email provider used, 10 of the\r\nseemingly separate accounts reused only two different IP addresses, even over weeks and months between\r\nregistrations.\r\nOne of those emails is petersmelanie@protonmail.com, which was used to register 23 domains, including\r\nmy1xbet[.]top. 
This domain was used in a phishing campaign leveraging CVE-2017-0199 with a decoy document\r\ncalled Fraud Transaction.doc.\r\nThe same petersmelanie@protonmail.com also registered oracle-business[.]com. Similar campaigns against\r\nOracle and various banks have been attributed to Cobalt Group, with, for example, the domain oracle-system[.]com.\r\nA growing threat requires ongoing work\r\nBased on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others,\r\nit’s logical to conclude that Cobalt Group would also enter this field and continue to diversify their criminal efforts\r\nagainst global financial institutions.\r\nThe use of both client-side and server-side skimmers and the challenges this poses in identifying Magecart\r\ncompromises by advanced threat groups necessitates the ongoing work of industry partners to help defend against\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 2 of 31\n\nthis significant and growing threat. 
On that note, the authors of this post would like to recognize the substantial\r\ncontribution that industry researchers and law enforcement officials are making to combat groups like Cobalt, and\r\nhope that the information contained within adds to this corpus of knowledge and further strengthens these efforts.\r\nIndicators of Compromise (IOCs)\r\nClient-side skimmer\r\nurlscan.io archive\r\nServer-side skimmer\r\nurlscan.io archive\r\nRegistrant emails associated with Magecart Group 4 domains\r\nrobertbalbarran@protonmail.com\r\njosemhansen@protonmail.com\r\njamesncharette@protonmail.com\r\npaulajwilson@protonmail.com\r\ncharliesdiaz@protonmail.ch\r\njohnnware@keemail.me\r\neverettgsullivan@tutanota.com\r\nkellymwise@protonmail.ch\r\nmichaelslantigua@keemail.me\r\nbeverlybshubert@protonmail.com\r\ncarolynkwoosley@protonmail.com\r\njohnnysramirez@tutanota.com\r\nnormajhollins@tutamail.com\r\ntimothykasten@protonmail.com\r\ngladysjhipp@protonmail.com\r\nguykmcdonald@protonmail.com\r\njohndroy@outlook.com\r\nRegistrant emails associated with Cobalt domains\r\npetersmelanie@protonmail.com\r\njasoncantrell1996@protonmail.com\r\nCobalt domains registered with Magecart email naming convention\r\noracle-business[.]com\r\nmy-1xbet[.]com\r\nsbeibank[.]online\r\ncuracaoegaming[.]site\r\nmy1xbet[.]top\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 3 of 31\n\nnewreg[.]site\r\nsbepbank[.]com\r\norkreestr[.]com\r\norkreestr[.]host\r\nsbersafe[.]top\r\naoreestr[.]site\r\nnewreg[.]host\r\nsbeibank[.]com\r\nsbelbank[.]com\r\naoreestr[.]online\r\ncuracaoegaming[.]online\r\nsbepbank[.]online\r\nsbelbank[.]online\r\ncuracao-egaming[.]online\r\nmy1xbet[.]online\r\norkreestr[.]press\r\nnewreg[.]online\r\naoreestr[.]com\r\nPrevious FIN7 domains identified through naming 
conventions\r\nakamaiservice-cdn[.]com\r\nappleservice-cdn[.]com\r\nbing-cdn[.]com\r\nbooking-cdn[.]com\r\ncdn-googleapi[.]com\r\ncdn-skype[.]com\r\ncdn-yahooapi[.]com\r\ncdnj-cloudflare[.]com\r\ncisco-cdn[.]com\r\ncloudflare-cdn-r5[.]com\r\ndigicert-cdn[.]com\r\nexchange-cdn[.]com\r\nfacebook77-cdn[.]com\r\nglobaltech-cdn[.]com\r\ngmail-cdn3[.]com\r\ngoogl-analytic[.]com\r\ngoogle-services-s5[.]com\r\nhpservice-cdn[.]com\r\ninfosys-cdn[.]com\r\ninstagram-cdn[.]com\r\nlive-cdn2[.]com\r\nlogitech-cdn[.]com\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 4 of 31\n\nmsdn-cdn[.]com\r\nmsdn-update[.]com\r\nmse-cdn[.]com\r\nmse-cdn[.]com\r\npci-cdn[.]com\r\nrealtek-cdn[.]com\r\nservicebing-cdn[.]com\r\nservicebing-cdn[.]com\r\ntesting-cdn[.]com\r\ntw32-cdn[.]com\r\nvmware-cdn[.]com\r\nwindowsupdatemicrosoft[.]com\r\nyahooservices-cdn[.]com\r\nEmail addresses used to register Magecart domains belonging to Magecart Group 4 contain a [first name],\r\n[initial], and [last name]. Expanding our search to other domains used by Group 4 and searching through HYAS’\r\nComox data set, we see this trend continues:\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 5 of 31\n\nAbout Cobalt Group\r\nCobalt Group came to the forefront of public attention in summer 2016 with their “jackpotting” attacks against\r\nfinancial institutions in Europe, which reportedly netted the group over $3 million. 
Since that time, they have\r\npurportedly amassed over a billion dollars from global institutions, evolving their tactics, techniques, and\r\nprocedures as they go.\r\nCobalt Domain Registration and other TTPs\r\nWhile changing tactics as they have evolved, an identifiable pattern in email naming conventions historically used\r\nby Cobalt allowed HYAS to not only identify previous campaign domains, but helped link Cobalt Group\r\ncampaigns to the Magecart domains identified above.\r\nA small shift from one of their previous conventions of [firstname],[lastname], [fournumbers] (overwhelmingly\r\nusing protonmail accounts, with a handful of tutanota/keemail.me email accounts) changed to the above-noted\r\nconvention of [firstname], [initial], [lastname] again using the same email services and registrars, and notably the\r\nsame use of privacy protection services.\r\nGiven the use of privacy services for all the domains in question, it is highly unlikely that this naming convention\r\nwould be known to any other actor besides those who registered both the Cobalt Group and Magecart\r\ninfrastructure. In addition, further investigation revealed that regardless of the email provider used, 10 of the\r\nseemingly separate accounts reused only two different IP addresses, even over weeks and months between\r\nregistrations.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 6 of 31\n\nOne of those emails is petersmelanie@protonmail.com, which was used to register 23 domains, including\r\nmy1xbet[.]top. This domain was used in a phishing campaign leveraging CVE-2017-0199 with a decoy document\r\ncalled Fraud Transaction.doc.\r\nThe same petersmelanie@protonmail.com also registered oracle-business[.]com. 
Similar campaigns against\r\nOracle and various banks have been attributed to Cobalt Group, with, for example, the domain oracle-system[.]com.\r\nA growing threat requires ongoing work\r\nBased on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others,\r\nit’s logical to conclude that Cobalt Group would also enter this field and continue to diversify their criminal efforts\r\nagainst global financial institutions.\r\nThe use of both client-side and server-side skimmers and the challenges this poses in identifying Magecart\r\ncompromises by advanced threat groups necessitates the ongoing work of industry partners to help defend against\r\nthis significant and growing threat. On that note, the authors of this post would like to recognize the substantial\r\ncontribution that industry researchers and law enforcement officials are making to combat groups like Cobalt, and\r\nhope that the information contained within adds to this corpus of knowledge and further strengthens these efforts.\r\nIndicators of Compromise (IOCs)\r\nClient-side skimmer\r\nurlscan.io archive\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 7 of 31\n\nServer-side skimmer\r\nurlscan.io archive\r\nRegistrant emails associated with Magecart Group 4 domains\r\nrobertbalbarran@protonmail.com\r\njosemhansen@protonmail.com\r\njamesncharette@protonmail.com\r\npaulajwilson@protonmail.com\r\ncharliesdiaz@protonmail.ch\r\njohnnware@keemail.me\r\neverettgsullivan@tutanota.com\r\nkellymwise@protonmail.ch\r\nmichaelslantigua@keemail.me\r\nbeverlybshubert@protonmail.com\r\ncarolynkwoosley@protonmail.com\r\njohnnysramirez@tutanota.com\r\nnormajhollins@tutamail.com\r\ntimothykasten@protonmail.com\r\ngladysjhipp@protonmail.com\r\nguykmcdonald@protonmail.com\r\njohndroy@outlook.com\r\nRegistrant emails associated with Cobalt 
domains\r\npetersmelanie@protonmail.com\r\njasoncantrell1996@protonmail.com\r\nCobalt domains registered with Magecart email naming convention\r\noracle-business[.]com\r\nmy-1xbet[.]com\r\nsbeibank[.]online\r\ncuracaoegaming[.]site\r\nmy1xbet[.]top\r\nnewreg[.]site\r\nsbepbank[.]com\r\norkreestr[.]com\r\norkreestr[.]host\r\nsbersafe[.]top\r\naoreestr[.]site\r\nnewreg[.]host\r\nsbeibank[.]com\r\nsbelbank[.]com\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 8 of 31\n\naoreestr[.]online\r\ncuracaoegaming[.]online\r\nsbepbank[.]online\r\nsbelbank[.]online\r\ncuracao-egaming[.]online\r\nmy1xbet[.]online\r\norkreestr[.]press\r\nnewreg[.]online\r\naoreestr[.]com\r\nPrevious FIN7 domains identified through naming conventions\r\nakamaiservice-cdn[.]com\r\nappleservice-cdn[.]com\r\nbing-cdn[.]com\r\nbooking-cdn[.]com\r\ncdn-googleapi[.]com\r\ncdn-skype[.]com\r\ncdn-yahooapi[.]com\r\ncdnj-cloudflare[.]com\r\ncisco-cdn[.]com\r\ncloudflare-cdn-r5[.]com\r\ndigicert-cdn[.]com\r\nexchange-cdn[.]com\r\nfacebook77-cdn[.]com\r\nglobaltech-cdn[.]com\r\ngmail-cdn3[.]com\r\ngoogl-analytic[.]com\r\ngoogle-services-s5[.]com\r\nhpservice-cdn[.]com\r\ninfosys-cdn[.]com\r\ninstagram-cdn[.]com\r\nlive-cdn2[.]com\r\nlogitech-cdn[.]com\r\nmsdn-cdn[.]com\r\nmsdn-update[.]com\r\nmse-cdn[.]com\r\nmse-cdn[.]com\r\npci-cdn[.]com\r\nrealtek-cdn[.]com\r\nservicebing-cdn[.]com\r\nservicebing-cdn[.]com\r\ntesting-cdn[.]com\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 9 of 31\n\ntw32-cdn[.]com\r\nvmware-cdn[.]com\r\nwindowsupdatemicrosoft[.]com\r\nyahooservices-cdn[.]com\r\nThis little code snippet looks for certain keywords associated with a financial transaction and then sends the\r\nrequest and cookie data to the exfiltration server at secureqbrowser[.]com. 
An almost exact copy of this script was\r\ndescribed by Denis Sinegubko of Sucuri in his post Autoloaded Server-Side Swiper.\r\nConnections between email registrants and exfiltration gates\r\nBoth the client-side and server-side skimmer domains illustrated above (bootstraproxy[.]com and s3-us-west[.]com) are registered to robertbalbarran@protonmail.com. They are listed by RiskIQ under Magecart Group\r\n4: Never gone, simply advancing IOCS.\r\nBy checking their exfiltration gates (secure.upgradenstore[.]com and secureqbrowser[.]com), we connected them\r\nto other registrant emails and saw a pattern emerge.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 10 of 31\n\nEmail addresses used to register Magecart domains belonging to Magecart Group 4 contain a [first name],\r\n[initial], and [last name]. Expanding our search to other domains used by Group 4 and searching through HYAS’\r\nComox data set, we see this trend continues:\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 11 of 31\n\nAbout Cobalt Group\r\nCobalt Group came to the forefront of public attention in summer 2016 with their “jackpotting” attacks against\r\nfinancial institutions in Europe, which reportedly netted the group over $3 million. 
Since that time, they have\r\npurportedly amassed over a billion dollars from global institutions, evolving their tactics, techniques, and\r\nprocedures as they go.\r\nCobalt Domain Registration and other TTPs\r\nWhile changing tactics as they have evolved, an identifiable pattern in email naming conventions historically used\r\nby Cobalt allowed HYAS to not only identify previous campaign domains, but helped link Cobalt Group\r\ncampaigns to the Magecart domains identified above.\r\nA small shift from one of their previous conventions of [firstname],[lastname], [fournumbers] (overwhelmingly\r\nusing protonmail accounts, with a handful of tutanota/keemail.me email accounts) changed to the above-noted\r\nconvention of [firstname], [initial], [lastname] again using the same email services and registrars, and notably the\r\nsame use of privacy protection services.\r\nGiven the use of privacy services for all the domains in question, it is highly unlikely that this naming convention\r\nwould be known to any other actor besides those who registered both the Cobalt Group and Magecart\r\ninfrastructure. In addition, further investigation revealed that regardless of the email provider used, 10 of the\r\nseemingly separate accounts reused only two different IP addresses, even over weeks and months between\r\nregistrations.\r\nOne of those emails is petersmelanie@protonmail.com, which was used to register 23 domains, including\r\nmy1xbet[.]top. This domain was used in a phishing campaign leveraging CVE-2017-0199 with a decoy document\r\ncalled Fraud Transaction.doc.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 12 of 31\n\nThe same petersmelanie@protonmail.com also registered oracle-business[.]com. 
Similar campaigns against\r\nOracle and various banks have been attributed to Cobalt Group, with, for example, the domain oracle-system[.]com.\r\nA growing threat requires ongoing work\r\nBased on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others,\r\nit’s logical to conclude that Cobalt Group would also enter this field and continue to diversify their criminal efforts\r\nagainst global financial institutions.\r\nThe use of both client-side and server-side skimmers and the challenges this poses in identifying Magecart\r\ncompromises by advanced threat groups necessitates the ongoing work of industry partners to help defend against\r\nthis significant and growing threat. On that note, the authors of this post would like to recognize the substantial\r\ncontribution that industry researchers and law enforcement officials are making to combat groups like Cobalt, and\r\nhope that the information contained within adds to this corpus of knowledge and further strengthens these efforts.\r\nIndicators of Compromise (IOCs)\r\nClient-side skimmer\r\nurlscan.io archive\r\nServer-side skimmer\r\nurlscan.io archive\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 13 of 31\n\nRegistrant emails associated with Magecart Group 4 domains\r\nrobertbalbarran@protonmail.com\r\njosemhansen@protonmail.com\r\njamesncharette@protonmail.com\r\npaulajwilson@protonmail.com\r\ncharliesdiaz@protonmail.ch\r\njohnnware@keemail.me\r\neverettgsullivan@tutanota.com\r\nkellymwise@protonmail.ch\r\nmichaelslantigua@keemail.me\r\nbeverlybshubert@protonmail.com\r\ncarolynkwoosley@protonmail.com\r\njohnnysramirez@tutanota.com\r\nnormajhollins@tutamail.com\r\ntimothykasten@protonmail.com\r\ngladysjhipp@protonmail.com\r\nguykmcdonald@protonmail.com\r\njohndroy@outlook.com\r\nRegistrant emails associated with Cobalt 
domains\r\npetersmelanie@protonmail.com\r\njasoncantrell1996@protonmail.com\r\nCobalt domains registered with Magecart email naming convention\r\noracle-business[.]com\r\nmy-1xbet[.]com\r\nsbeibank[.]online\r\ncuracaoegaming[.]site\r\nmy1xbet[.]top\r\nnewreg[.]site\r\nsbepbank[.]com\r\norkreestr[.]com\r\norkreestr[.]host\r\nsbersafe[.]top\r\naoreestr[.]site\r\nnewreg[.]host\r\nsbeibank[.]com\r\nsbelbank[.]com\r\naoreestr[.]online\r\ncuracaoegaming[.]online\r\nsbepbank[.]online\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 14 of 31\n\nsbelbank[.]online\r\ncuracao-egaming[.]online\r\nmy1xbet[.]online\r\norkreestr[.]press\r\nnewreg[.]online\r\naoreestr[.]com\r\nPrevious FIN7 domains identified through naming conventions\r\nakamaiservice-cdn[.]com\r\nappleservice-cdn[.]com\r\nbing-cdn[.]com\r\nbooking-cdn[.]com\r\ncdn-googleapi[.]com\r\ncdn-skype[.]com\r\ncdn-yahooapi[.]com\r\ncdnj-cloudflare[.]com\r\ncisco-cdn[.]com\r\ncloudflare-cdn-r5[.]com\r\ndigicert-cdn[.]com\r\nexchange-cdn[.]com\r\nfacebook77-cdn[.]com\r\nglobaltech-cdn[.]com\r\ngmail-cdn3[.]com\r\ngoogl-analytic[.]com\r\ngoogle-services-s5[.]com\r\nhpservice-cdn[.]com\r\ninfosys-cdn[.]com\r\ninstagram-cdn[.]com\r\nlive-cdn2[.]com\r\nlogitech-cdn[.]com\r\nmsdn-cdn[.]com\r\nmsdn-update[.]com\r\nmse-cdn[.]com\r\nmse-cdn[.]com\r\npci-cdn[.]com\r\nrealtek-cdn[.]com\r\nservicebing-cdn[.]com\r\nservicebing-cdn[.]com\r\ntesting-cdn[.]com\r\ntw32-cdn[.]com\r\nvmware-cdn[.]com\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 15 of 31\n\nwindowsupdatemicrosoft[.]com\r\nyahooservices-cdn[.]com\r\nServer-side skimmer\r\nWhile checking infrastructure related to Magecart Group 4, we identified a PHP script (see IOCs for the full\r\ntemplate) that was perhaps mistakenly served as JavaScript instead. 
Indeed, access to the backend server would\r\nnormally be required to view this kind of file.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 16 of 31\n\nThis little code snippet looks for certain keywords associated with a financial transaction and then sends the\r\nrequest and cookie data to the exfiltration server at secureqbrowser[.]com. An almost exact copy of this script was\r\ndescribed by Denis Sinegubko of Sucuri in his post Autoloaded Server-Side Swiper.\r\nConnections between email registrants and exfiltration gates\r\nBoth the client-side and server-side skimmer domains illustrated above (bootstraproxy[.]com and s3-us-west[.]com) are registered to robertbalbarran@protonmail.com. They are listed by RiskIQ under Magecart Group\r\n4: Never gone, simply advancing IOCS.\r\nBy checking their exfiltration gates (secure.upgradenstore[.]com and secureqbrowser[.]com), we connected them\r\nto other registrant emails and saw a pattern emerge.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 17 of 31\n\nEmail addresses used to register Magecart domains belonging to Magecart Group 4 contain a [first name],\r\n[initial], and [last name]. Expanding our search to other domains used by Group 4 and searching through HYAS’\r\nComox data set, we see this trend continues:\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 18 of 31\n\nAbout Cobalt Group\r\nCobalt Group came to the forefront of public attention in summer 2016 with their “jackpotting” attacks against\r\nfinancial institutions in Europe, which reportedly netted the group over $3 million. 
Since that time, they have\r\npurportedly amassed over a billion dollars from global institutions, evolving their tactics, techniques, and\r\nprocedures as they go.\r\nCobalt Domain Registration and other TTPs\r\nWhile changing tactics as they have evolved, an identifiable pattern in email naming conventions historically used\r\nby Cobalt allowed HYAS to not only identify previous campaign domains, but helped link Cobalt Group\r\ncampaigns to the Magecart domains identified above.\r\nA small shift from one of their previous conventions of [firstname],[lastname], [fournumbers] (overwhelmingly\r\nusing protonmail accounts, with a handful of tutanota/keemail.me email accounts) changed to the above-noted\r\nconvention of [firstname], [initial], [lastname] again using the same email services and registrars, and notably the\r\nsame use of privacy protection services.\r\nGiven the use of privacy services for all the domains in question, it is highly unlikely that this naming convention\r\nwould be known to any other actor besides those who registered both the Cobalt Group and Magecart\r\ninfrastructure. In addition, further investigation revealed that regardless of the email provider used, 10 of the\r\nseemingly separate accounts reused only two different IP addresses, even over weeks and months between\r\nregistrations.\r\nOne of those emails is petersmelanie@protonmail.com, which was used to register 23 domains, including\r\nmy1xbet[.]top. This domain was used in a phishing campaign leveraging CVE-2017-0199 with a decoy document\r\ncalled Fraud Transaction.doc.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 19 of 31\n\nThe same petersmelanie@protonmail.com also registered oracle-business[.]com. 
Similar campaigns against\r\nOracle and various banks have been attributed to Cobalt Group, with, for example, the domain oracle-system[.]com.\r\nA growing threat requires ongoing work\r\nBased on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others,\r\nit’s logical to conclude that Cobalt Group would also enter this field and continue to diversify their criminal efforts\r\nagainst global financial institutions.\r\nThe use of both client-side and server-side skimmers and the challenges this poses in identifying Magecart\r\ncompromises by advanced threat groups necessitates the ongoing work of industry partners to help defend against\r\nthis significant and growing threat. On that note, the authors of this post would like to recognize the substantial\r\ncontribution that industry researchers and law enforcement officials are making to combat groups like Cobalt, and\r\nhope that the information contained within adds to this corpus of knowledge and further strengthens these efforts.\r\nIndicators of Compromise (IOCs)\r\nClient-side skimmer\r\nurlscan.io archive\r\nServer-side skimmer\r\nurlscan.io archive\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 20 of 31\n\nRegistrant emails associated with Magecart Group 4 domains\r\nrobertbalbarran@protonmail.com\r\njosemhansen@protonmail.com\r\njamesncharette@protonmail.com\r\npaulajwilson@protonmail.com\r\ncharliesdiaz@protonmail.ch\r\njohnnware@keemail.me\r\neverettgsullivan@tutanota.com\r\nkellymwise@protonmail.ch\r\nmichaelslantigua@keemail.me\r\nbeverlybshubert@protonmail.com\r\ncarolynkwoosley@protonmail.com\r\njohnnysramirez@tutanota.com\r\nnormajhollins@tutamail.com\r\ntimothykasten@protonmail.com\r\ngladysjhipp@protonmail.com\r\nguykmcdonald@protonmail.com\r\njohndroy@outlook.com\r\nRegistrant emails associated with Cobalt 
domains\r\npetersmelanie@protonmail.com\r\njasoncantrell1996@protonmail.com\r\nCobalt domains registered with Magecart email naming convention\r\noracle-business[.]com\r\nmy-1xbet[.]com\r\nsbeibank[.]online\r\ncuracaoegaming[.]site\r\nmy1xbet[.]top\r\nnewreg[.]site\r\nsbepbank[.]com\r\norkreestr[.]com\r\norkreestr[.]host\r\nsbersafe[.]top\r\naoreestr[.]site\r\nnewreg[.]host\r\nsbeibank[.]com\r\nsbelbank[.]com\r\naoreestr[.]online\r\ncuracaoegaming[.]online\r\nsbepbank[.]online\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 21 of 31\n\nsbelbank[.]online\r\ncuracao-egaming[.]online\r\nmy1xbet[.]online\r\norkreestr[.]press\r\nnewreg[.]online\r\naoreestr[.]com\r\nPrevious FIN7 domains identified through naming conventions\r\nakamaiservice-cdn[.]com\r\nappleservice-cdn[.]com\r\nbing-cdn[.]com\r\nbooking-cdn[.]com\r\ncdn-googleapi[.]com\r\ncdn-skype[.]com\r\ncdn-yahooapi[.]com\r\ncdnj-cloudflare[.]com\r\ncisco-cdn[.]com\r\ncloudflare-cdn-r5[.]com\r\ndigicert-cdn[.]com\r\nexchange-cdn[.]com\r\nfacebook77-cdn[.]com\r\nglobaltech-cdn[.]com\r\ngmail-cdn3[.]com\r\ngoogl-analytic[.]com\r\ngoogle-services-s5[.]com\r\nhpservice-cdn[.]com\r\ninfosys-cdn[.]com\r\ninstagram-cdn[.]com\r\nlive-cdn2[.]com\r\nlogitech-cdn[.]com\r\nmsdn-cdn[.]com\r\nmsdn-update[.]com\r\nmse-cdn[.]com\r\nmse-cdn[.]com\r\npci-cdn[.]com\r\nrealtek-cdn[.]com\r\nservicebing-cdn[.]com\r\nservicebing-cdn[.]com\r\ntesting-cdn[.]com\r\ntw32-cdn[.]com\r\nvmware-cdn[.]com\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 22 of 31\n\nwindowsupdatemicrosoft[.]com\r\nyahooservices-cdn[.]com\r\nNote: This blog post is a collaboration between the Malwarebytes and HYAS Threat Intelligence teams.\r\nMagecart is a term that has become a household name, and it refers to the theft of credit card data via online\r\nstores. 
The most common scenario is for criminals to compromise e-commerce sites by injecting rogue JavaScript\r\ncode designed to steal any information entered by victims on the checkout page.\r\nClassifying Magecart threat actors is not an easy task due to the diversity of skimmers and their reuse. The effort\r\nof attributing Magecart to “groups” started with RiskIQ and Flashpoint’s comprehensive Inside Magecart report\r\nreleased in fall 2018, followed by Group-IB several months later.\r\nMuch more recently, information about the actual threat actors behind groups has come forward. For example,\r\nIBM publicly identified Group 6 as being FIN6. This is interesting on many levels because it reinforces the idea\r\nthat existing threat groups have been leveraging their past experiences to apply them to theft in the e-commerce\r\nfield.\r\nOne group that caught our interest is Group 4, which is one of the more advanced cybercriminal organizations.\r\nWhile working jointly with security firm HYAS, we found some interesting patterns in the email addresses used to\r\nregister domains belonging to Magecart matching those of a sophisticated threat group known as Cobalt Group,\r\naka Cobalt Gang or Cobalt Spider.\r\nIn this blog, we will detail our findings and show that Group 4 was not only conducting client-side skimming via\r\nJavaScript but was—and most likely still is—doing the same server-side. This is important to note as most reports\r\nabout Magecart only cover the former, which is by far easier to identify.\r\nMagecart Group 4\r\nIn the Inside Magecart report, Group 4 is described as advanced and uses techniques to blend in with normal\r\ntraffic. For instance, Magecart will register domain names that appear to be tied to advertisers or analytic\r\nproviders (see IOCs for Cobalt Group domains identified using this TTP and naming convention). 
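The lookalike-domain TTP described above lends itself to a simple egress check. What follows is an added example written for this page, not code from the original post or from any of the teams it names: it refangs a handful of domains quoted from the IOC section, flags any proxy-log destination that matches them, and applies a heuristic for domains not yet on a list that pair a brand token with a cdn/service/update/api token outside that brand's genuine registered domains. The log format, the log lines, the toy brand table and the allow-list are constructed assumptions.

```python
from urllib.parse import urlsplit

def registered_domain(host):
    '''Last two labels of a hostname (sufficient for the .com/.net cases here).'''
    labels = host.lower().strip('.').split('.')
    return '.'.join(labels[-2:])

def refang(indicator):
    '''Turn the post's defanged form (example[.]com) back into a real hostname.'''
    return indicator.replace('[.]', '.').lower().strip('.')

# Indicators quoted from the post's IOC section (defanged there with [.]).
IOC_DOMAINS_DEFANGED = [
    'bootstraproxy[.]com', 's3-us-west[.]com',              # skimmer hosts
    'secure.upgradenstore[.]com', 'secureqbrowser[.]com',    # exfiltration gates
    'cdn-googleapi[.]com', 'cloudflare-cdn-r5[.]com',        # lookalike CDN domains
    'googl-analytic[.]com', 'msdn-update[.]com',
]
IOC_DOMAINS = set()
for _d in IOC_DOMAINS_DEFANGED:
    IOC_DOMAINS.add(refang(_d))
    IOC_DOMAINS.add(registered_domain(refang(_d)))

# Brand and infrastructure tokens borrowed by the lookalike domains on the page,
# plus the registered domains those brands genuinely serve from (assumption: a
# production allow-list would be far longer and maintained from observed traffic).
BRAND_TOKENS = ('googl', 'cloudflare', 'akamai', 'msdn', 'microsoft', 'bing',
                'apple', 'skype', 'logitech', 'digicert', 'vmware')
INFRA_TOKENS = ('cdn', 'service', 'update', 'api', 'analytic')
LEGIT_DOMAINS = {
    'google.com', 'googleapis.com', 'gstatic.com', 'google-analytics.com',
    'googletagmanager.com', 'cloudflare.com', 'akamai.net', 'akamaihd.net',
    'microsoft.com', 'bing.com', 'apple.com', 'skype.com', 'logitech.com',
    'digicert.com', 'vmware.com',
}

def lookalike_reason(host):
    '''Why host resembles a fake CDN/analytics domain, or None if it does not.'''
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return None
    sld = reg.split('.')[0]
    brand = next((b for b in BRAND_TOKENS if b in sld), None)
    infra = next((t for t in INFRA_TOKENS if t in sld), None)
    if brand and infra:
        return 'brand token %r plus infra token %r on unrecognised domain %s' % (brand, infra, reg)
    return None

def classify(host):
    '''Classify a destination host as ioc, lookalike or clean, with a detail string.'''
    host = host.lower().strip('.')
    if host in IOC_DOMAINS or registered_domain(host) in IOC_DOMAINS:
        return ('ioc', host)
    reason = lookalike_reason(host)
    if reason:
        return ('lookalike', reason)
    return ('clean', '')

# Constructed proxy log (assumed format: timestamp, client IP, URL, status). The
# hostnames come from the post's IOC list or are legitimate; the pairing of
# hosts with paths and clients is invented for the demonstration.
SAMPLE_PROXY_LOG = '''2019-10-02T10:15:01Z 10.0.0.5 https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js 200
2019-10-02T10:15:02Z 10.0.0.5 https://cdn-googleapi.com/jquery.mask.js 200
2019-10-02T10:15:03Z 10.0.0.5 https://secureqbrowser.com/ 200
2019-10-02T10:15:04Z 10.0.0.7 https://www.google-analytics.com/analytics.js 200
2019-10-02T10:15:05Z 10.0.0.7 https://logitech-cdn.com/loader.js 200'''.splitlines()

def scan_proxy_log(lines):
    '''Return (line_no, verdict, host, detail) for every non-clean destination.'''
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlsplit(parts[2]).hostname or parts[2]
        verdict, detail = classify(host)
        if verdict != 'clean':
            hits.append((n, verdict, host, detail))
    return hits

if __name__ == '__main__':
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The exact-match path is what a blocklist gives you; the heuristic is the part worth tuning, because logitech-cdn[.]com is on the page's list but not in the short set above and is still caught by the brand-plus-infrastructure rule. Expect false positives from short brand tokens, so treat lookalike verdicts as triage candidates rather than blocks.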
Another interesting aspect of the report is that Group 4 is suspected of having a history in banking malware.\r\nClient-side skimmer\r\nOne of Group 4’s original skimmers was concealed as the jquery.mask.js plugin (see IOCs for a copy of the script). The malicious code is appended to the end of the legitimate script and wrapped in layers of obfuscation: the payload is hex-encoded, decoding the hex yields Base64, and decoding the Base64 yields plain text that reveals the skimmer logic and an exfiltration gate.\r\nServer-side skimmer\r\nWhile checking infrastructure related to Magecart Group 4, we identified a PHP script (see IOCs for the full template) that was perhaps mistakenly served as JavaScript instead. Access to the backend server would normally be required to view a file of this kind, since PHP runs on the server and only its output reaches the browser.\r\nThis short script looks for certain keywords associated with a financial transaction and then sends the request and cookie data to the exfiltration server at secureqbrowser[.]com. An almost exact copy of this script was described by Denis Sinegubko of Sucuri in his post Autoloaded Server-Side Swiper.\r\nConnections between email registrants and exfiltration gates\r\nBoth the client-side and server-side skimmer domains illustrated above (bootstraproxy[.]com and s3-us-west[.]com) are registered to robertbalbarran@protonmail.com. 
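The two-layer encoding described under Client-side skimmer above (hex, then Base64, then text) can be peeled mechanically. The block below is an added example written for this page, not the skimmer's code or anything from the original post: it detects which encoding the current layer uses, decodes until the result stops being printable text, and then extracts URL-shaped strings as candidate exfiltration gates. The sample payload is constructed, names a gate on a reserved .invalid domain, and only mimics the wrapping the post describes.

```python
import base64
import binascii
import re
import string

def is_hex(s):
    '''True for a non-empty, even-length string of hex digits.'''
    return len(s) >= 2 and len(s) % 2 == 0 and all(c in string.hexdigits for c in s)

def is_base64(s):
    '''True for a string drawn from the standard Base64 alphabet with valid padding.'''
    return len(s) >= 4 and len(s) % 4 == 0 and re.fullmatch('[A-Za-z0-9+/]+={0,2}', s) is not None

def _looks_like_text(raw):
    '''Decode bytes as UTF-8 if every character is printable or whitespace, else None.'''
    try:
        text = raw.decode('utf-8')
    except UnicodeDecodeError:
        return None
    if all(c.isprintable() or c.isspace() for c in text):
        return text
    return None

def peel_layers(blob, max_layers=8):
    '''Strip hex and Base64 layers in whatever order they appear until plain text remains.

    Returns (plaintext, layers); layers lists the encodings removed, outermost
    first. Decoding stops as soon as a layer fails to yield printable text, so a
    plain string that merely looks hex-like or Base64-like is returned unchanged.
    '''
    current = blob.strip()
    layers = []
    for _ in range(max_layers):
        try:
            if is_hex(current):
                kind, raw = 'hex', binascii.unhexlify(current)
            elif is_base64(current):
                kind, raw = 'base64', base64.b64decode(current, validate=True)
            else:
                break
        except (binascii.Error, ValueError):
            break
        text = _looks_like_text(raw)
        if text is None:
            break
        layers.append(kind)
        current = text
    return current, layers

def find_gates(text):
    '''Pull URL-shaped strings (candidate exfiltration gates) out of decoded text.'''
    return re.findall('https?://[A-Za-z0-9._/?=&%-]+', text)

# Constructed sample (assumption, not the real skimmer): a placeholder body that
# names a gate on a reserved .invalid domain, wrapped Base64-first and then hex,
# so the outer layer is hex exactly as the post describes.
CONSTRUCTED_PLAINTEXT = '/* skimmer body omitted */ var gate = `https://gate.example.invalid/collect`;'
CONSTRUCTED_BLOB = binascii.hexlify(base64.b64encode(CONSTRUCTED_PLAINTEXT.encode('utf-8'))).decode('ascii')

if __name__ == '__main__':
    text, layers = peel_layers(CONSTRUCTED_BLOB)
    print(layers)
    print(find_gates(text))
```

Checking hex before Base64 matters: every hex string is also a valid Base64 alphabet string, so testing in the other order would mis-decode the outer layer. The printable-text check is what stops the loop on real JavaScript, whose spaces and punctuation match neither alphabet.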
They are listed by RiskIQ under Magecart Group\r\n4: Never gone, simply advancing IOCS.\r\nBy checking their exfiltration gates (secure.upgradenstore[.]com and secureqbrowser[.]com), we connected them\r\nto other registrant emails and saw a pattern emerge.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 25 of 31\n\nEmail addresses used to register Magecart domains belonging to Magecart Group 4 contain a [first name],\r\n[initial], and [last name]. Expanding our search to other domains used by Group 4 and searching through HYAS’\r\nComox data set, we see this trend continues:\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/\r\nPage 26 of 31\n\nAbout Cobalt Group\r\nCobalt Group came to the forefront of public attention in summer 2016 with their “jackpotting” attacks against\r\nfinancial institutions in Europe, which reportedly netted the group over $3 million. Since that time, they have\r\npurportedly amassed over a billion dollars from global institutions, evolving their tactics, techniques, and\r\nprocedures as they go.\r\nCobalt Domain Registration and other TTPs\r\nWhile changing tactics as they have evolved, an identifiable pattern in email naming conventions historically used\r\nby Cobalt allowed HYAS to not only identify previous campaign domains, but helped link Cobalt Group\r\ncampaigns to the Magecart domains identified above.\r\nA small shift from one of their previous conventions of [firstname],[lastname], [fournumbers] (overwhelmingly\r\nusing protonmail accounts, with a handful of tutanota/keemail.me email accounts) changed to the above-noted\r\nconvention of [firstname], [initial], [lastname] again using the same email services and registrars, and notably the\r\nsame use of privacy protection services.\r\nGiven the use of privacy services for all the domains in question, it is highly unlikely that this naming convention\r\nwould be known to 
any other actor besides those who registered both the Cobalt Group and Magecart infrastructure. In addition, further investigation revealed that regardless of the email provider used, 10 of the seemingly separate accounts reused only two different IP addresses, even over weeks and months between registrations.\r\nOne of those emails is petersmelanie@protonmail.com, which was used to register 23 domains, including my1xbet[.]top. This domain was used in a phishing campaign leveraging CVE-2017-0199 with a decoy document called Fraud Transaction.doc.\r\nThe same petersmelanie@protonmail.com also registered oracle-business[.]com. Similar campaigns against Oracle and various banks have been attributed to Cobalt Group, with, for example, the domain oracle-system[.]com.\r\nA growing threat requires ongoing work\r\nBased on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others, it’s logical to conclude that Cobalt Group would also enter this field and continue to diversify their criminal efforts against global financial institutions.\r\nThe use of both client-side and server-side skimmers, and the challenges this poses in identifying Magecart compromises by advanced threat groups, necessitates the ongoing work of industry partners to help defend against this significant and growing threat. 
On that note, the authors of this post would like to recognize the substantial contribution that industry researchers and law enforcement officials are making to combat groups like Cobalt, and hope that the information contained within adds to this corpus of knowledge and further strengthens these efforts.\r\nIndicators of Compromise (IOCs)\r\nClient-side skimmer\r\nurlscan.io archive\r\nServer-side skimmer\r\nurlscan.io archive\r\nRegistrant emails associated with Magecart Group 4 domains\r\nrobertbalbarran@protonmail.com\r\njosemhansen@protonmail.com\r\njamesncharette@protonmail.com\r\npaulajwilson@protonmail.com\r\ncharliesdiaz@protonmail.ch\r\njohnnware@keemail.me\r\neverettgsullivan@tutanota.com\r\nkellymwise@protonmail.ch\r\nmichaelslantigua@keemail.me\r\nbeverlybshubert@protonmail.com\r\ncarolynkwoosley@protonmail.com\r\njohnnysramirez@tutanota.com\r\nnormajhollins@tutamail.com\r\ntimothykasten@protonmail.com\r\ngladysjhipp@protonmail.com\r\nguykmcdonald@protonmail.com\r\njohndroy@outlook.com\r\nRegistrant emails associated with Cobalt domains\r\npetersmelanie@protonmail.com\r\njasoncantrell1996@protonmail.com\r\nCobalt domains registered with Magecart email naming convention\r\noracle-business[.]com\r\nmy-1xbet[.]com\r\nsbeibank[.]online\r\ncuracaoegaming[.]site\r\nmy1xbet[.]top\r\nnewreg[.]site\r\nsbepbank[.]com\r\norkreestr[.]com\r\norkreestr[.]host\r\nsbersafe[.]top\r\naoreestr[.]site\r\nnewreg[.]host\r\nsbeibank[.]com\r\nsbelbank[.]com\r\naoreestr[.]online\r\ncuracaoegaming[.]online\r\nsbepbank[.]online\r\nsbelbank[.]online\r\ncuracao-egaming[.]online\r\nmy1xbet[.]online\r\norkreestr[.]press\r\nnewreg[.]online\r\naoreestr[.]com\r\nPrevious FIN7 domains identified through naming 
conventions\r\nakamaiservice-cdn[.]com\r\nappleservice-cdn[.]com\r\nbing-cdn[.]com\r\nbooking-cdn[.]com\r\ncdn-googleapi[.]com\r\ncdn-skype[.]com\r\ncdn-yahooapi[.]com\r\ncdnj-cloudflare[.]com\r\ncisco-cdn[.]com\r\ncloudflare-cdn-r5[.]com\r\ndigicert-cdn[.]com\r\nexchange-cdn[.]com\r\nfacebook77-cdn[.]com\r\nglobaltech-cdn[.]com\r\ngmail-cdn3[.]com\r\ngoogl-analytic[.]com\r\ngoogle-services-s5[.]com\r\nhpservice-cdn[.]com\r\ninfosys-cdn[.]com\r\ninstagram-cdn[.]com\r\nlive-cdn2[.]com\r\nlogitech-cdn[.]com\r\nmsdn-cdn[.]com\r\nmsdn-update[.]com\r\nmse-cdn[.]com\r\npci-cdn[.]com\r\nrealtek-cdn[.]com\r\nservicebing-cdn[.]com\r\ntesting-cdn[.]com\r\ntw32-cdn[.]com\r\nvmware-cdn[.]com\r\nwindowsupdatemicrosoft[.]com\r\nyahooservices-cdn[.]com\r\nSource: https://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/"
	],
	"report_names": [
		"magecart-group-4-a-link-with-cobalt-group"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Silicon"
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6",
				"ITG08",
				"MageCart Group 6",
				"Skeleton Spider",
				"Storm-0538",
				"White Giant"
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Navigator",
				"Sangria Tempest",
				"TelePort Crew"
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434526,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0f6ff2557c0869c98d3e02427b666852d180b6a.pdf",
		"text": "https://archive.orkl.eu/f0f6ff2557c0869c98d3e02427b666852d180b6a.txt",
		"img": "https://archive.orkl.eu/f0f6ff2557c0869c98d3e02427b666852d180b6a.jpg"
	}
}