
Cobalt Group

The Cobalt Group is a well-known hacking group that has been operating in the cybercrime scene for a while. It does not appear to act on behalf of any government; instead, its attacks appear to be financially motivated. Most of its attacks are carried out in Eastern Europe, Central Asia and Southeast Asia. The Cobalt Group likes to play big – most of its targets tend to be high-profile institutions such as banks or other organizations operating in the financial industry. The group is also known to have targeted ATMs (Automated Teller Machines) and online payment processors. The Cobalt Group prefers to carry out stealthy attacks, even if that means an operation takes longer to complete. It will often infiltrate a targeted network over a long period, as this makes it less likely for its malicious activity to be spotted.

Operates in a Fileless Mode

The trademark hacking tool of the Cobalt Group is Cobalt Strike, and the group's name is derived from this threat. However, it should be noted that Cobalt Strike is sold publicly and was not created by the Cobalt Group; the group is simply known for having launched impressive hacking campaigns using this tool. What makes Cobalt Strike particularly threatening is that it can operate very silently by planting its modules in the RAM (Random Access Memory) of the compromised host rather than writing them to disk. This is known as operating in a fileless mode. By doing this, Cobalt Strike is much more likely to remain under the radar of any anti-virus application present on the infiltrated system.



Cobalt Strike has a significant list of capabilities. This threat can:

  • Let the attackers gain remote access to the compromised machine.
  • Scan the network in order to detect other systems that may be vulnerable.
  • Collect keystrokes.
  • Bypass Windows’ UAC (User Account Control).
  • Plant the Mimikatz infostealer.

The Cobalt Group is also known to use other tools such as TeamViewer, the PsExec utility, SoftPerfect Network Scanner, Windows’ Remote Desktop Protocol (RDP) and Plink.

Propagation Methods

The preferred propagation method of the Cobalt Group is spear-phishing emails. This technique allows the group to tailor specific messages and use social engineering tricks to convince the user that the email is legitimate and that any attachment it contains is as harmless as they come. Apart from using malicious attachments to deliver its hacking tools, the Cobalt Group is known to ask the victim to download a file containing a malicious payload that is hosted on a third-party platform.

As mentioned above, the Cobalt Group prefers to take things slowly and to make sure it infiltrates systems and networks, even those that are very difficult to reach. Usually, the attack is carried out by infiltrating one system within a network and then seeking ways to compromise more hosts. Malware experts have determined that a Cobalt Group campaign usually takes around two weeks from its starting point to achieving its goal.
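The tools listed earlier (PsExec, Plink, SoftPerfect Network Scanner, TeamViewer, RDP, Mimikatz) and the one-host-then-spread pattern described above are both observable in process-creation telemetry even when Cobalt Strike itself stays memory-resident. The following is an added detection sketch, not code from this page or from any vendor: it assumes Sysmon-style process-creation events serialized as JSON lines with `Image`, `CommandLine`, `Computer` and `UtcTime` fields, flags launches of the named tooling by executable name (the `netscan.exe` file name for SoftPerfect's scanner and `mstsc.exe` for the Windows RDP client are real binaries; the host names, user names and timestamps in the sample are constructed), and raises a higher-severity alert when one host chains several of those tools within a short window.

```python
"""Flag launches of the remote-admin / lateral-movement tooling associated with the
Cobalt Group in process-creation logs, and escalate when one host chains several
of them in a short window.  Added illustrative example; sample data is constructed."""
from __future__ import annotations

import json
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Executable name (lower-case) -> tool label.  Name matching is deliberately simple;
# a production rule would also use file hashes / signer information.
TOOL_SIGNATURES = {
    "psexec.exe": "PsExec",
    "psexesvc.exe": "PsExec service",
    "plink.exe": "Plink",
    "netscan.exe": "SoftPerfect Network Scanner",
    "teamviewer.exe": "TeamViewer",
    "mstsc.exe": "RDP client",
    "mimikatz.exe": "Mimikatz",
}

CHAIN_WINDOW = timedelta(minutes=30)   # how close tool launches must be to count as a chain
CHAIN_THRESHOLD = 3                    # distinct tools from one host within the window

# Constructed sample telemetry (hypothetical hosts, users and times), one JSON event per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"UtcTime": "2024-03-05T09:00:00", "Computer": "WS-ACCT-07", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"},
    {"UtcTime": "2024-03-05T09:05:00", "Computer": "WS-ACCT-07", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\netscan.exe", "CommandLine": "netscan.exe"},
    {"UtcTime": "2024-03-05T09:12:00", "Computer": "WS-ACCT-07", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\PsExec.exe", "CommandLine": "PsExec.exe \\\\FS-02 cmd.exe"},
    {"UtcTime": "2024-03-05T09:20:00", "Computer": "WS-ACCT-07", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\plink.exe", "CommandLine": "plink.exe"},
    {"UtcTime": "2024-03-05T10:00:00", "Computer": "SRV-DB-01", "User": "CORP\\dba",
     "Image": "C:\\Windows\\System32\\mstsc.exe", "CommandLine": "mstsc.exe"},
    {"UtcTime": "2024-03-05T10:05:00", "Computer": "SRV-DB-01", "User": "CORP\\dba",
     "Image": "C:\\Program Files\\Microsoft Office\\winword.exe", "CommandLine": "winword.exe"},
])


def match_tool(event: dict) -> str | None:
    """Return the tool label if the event's image is one of the watched executables."""
    exe = ntpath.basename(event.get("Image", "")).lower()
    return TOOL_SIGNATURES.get(exe)


def parse_hits(log_text: str) -> list[dict]:
    """Parse JSON-lines telemetry and keep only events that launch a watched tool."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        tool = match_tool(event)
        if tool is None:
            continue
        hits.append({
            "time": datetime.fromisoformat(event["UtcTime"]),
            "host": event.get("Computer", "?"),
            "user": event.get("User", "?"),
            "tool": tool,
            "cmdline": event.get("CommandLine", ""),
        })
    return hits


def find_chains(hits: list[dict]) -> list[dict]:
    """Per host, report the first window in which CHAIN_THRESHOLD distinct tools appear."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    chains = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["time"])
        for i, end in enumerate(events):
            window = [e for e in events[: i + 1] if end["time"] - e["time"] <= CHAIN_WINDOW]
            tools = sorted({e["tool"] for e in window})
            if len(tools) >= CHAIN_THRESHOLD:
                chains.append({"host": host, "start": window[0]["time"],
                               "end": end["time"], "tools": tools})
                break  # one escalation per host is enough for this sketch
    return chains


def detect(log_text: str) -> dict:
    """Run both stages and return individual hits plus escalated tool chains."""
    hits = parse_hits(log_text)
    return {"hits": hits, "chains": find_chains(hits)}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for h in result["hits"]:
        print(f"[tool]  {h['time']:%H:%M} {h['host']:<11} {h['user']:<11} {h['tool']}")
    for c in result["chains"]:
        print(f"[CHAIN] {c['host']} ran {', '.join(c['tools'])} between "
              f"{c['start']:%H:%M} and {c['end']:%H:%M}")
```

On the constructed sample, the single `mstsc.exe` launch on the database server is reported as a low-priority hit (RDP from an administrator's workstation is routine), while the workstation that runs the network scanner, PsExec and Plink within fifteen minutes is escalated, which matches the scan-then-spread behaviour described in the text. Because Cobalt Strike's own modules live in RAM, this kind of rule does not see the beacon itself; it watches for the on-disk helper tools the group is known to bring along, so endpoint memory scanning and network telemetry still need to cover the fileless component.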

