Cobalt Group

Cobalt Group Description

The Cobalt Group is a well-known group of hackers that has been operating in the cybercrime scene for a while. They do not appear to be acting on behalf of any government; instead, their attacks appear to be financially motivated. Most of their attacks are carried out in Eastern Europe, Central Asia and Southeast Asia. The Cobalt Group likes to play big: most of their targets tend to be high-profile institutions such as banks or other organizations operating in the financial industry. The hacking group is also known to have targeted ATMs (Automated Teller Machines) and online payment processors. The Cobalt Group prefers to carry out stealthy attacks, even if that means an operation takes longer to complete. They often infiltrate a targeted network over a long period, as this makes it less likely for their malicious activity to be spotted.

Operates in a Fileless Mode

The trademark hacking tool of the Cobalt Group is the Cobalt Strike malware, and the hacking group's name is derived from this threat. However, we should note that Cobalt Strike is sold publicly and was not created by the Cobalt Group; the group is simply known for having launched impressive hacking campaigns using this tool. What makes Cobalt Strike particularly threatening is that it can operate very quietly by planting its modules in the RAM (Random Access Memory) of the compromised host rather than writing them to disk. This is known as operating in a fileless mode. By doing this, Cobalt Strike is also much more likely to remain under the radar of any anti-virus applications present on the infiltrated system.

Cobalt Strike has a significant list of capabilities. This threat can:

  • Let the attackers gain remote access to the compromised machine.
  • Scan the network in order to detect other systems that may be vulnerable.
  • Collect keystrokes.
  • Bypass Windows’ UAC (User Account Control).
  • Plant the Mimikatz infostealer.

The Cobalt Group is also known to use other tools such as TeamViewer, the PsExec utility, SoftPerfect Network Scanner, Windows' Remote Desktop Protocol (RDP) and Plink.

Propagation Methods

The preferred propagation method of the Cobalt Group is spear-phishing emails. This technique allows them to tailor specific messages and use social engineering tricks to convince the user that the email is legitimate and that any attachment it contains is as harmless as they come. Apart from using malicious attachments to deliver their hacking tools, the Cobalt Group is known to direct victims to download a file containing a malicious payload that is hosted on a third-party platform.

As we mentioned, the Cobalt Group prefers to take things slowly and make sure they infiltrate systems and networks that are very difficult to reach. Usually, the attack is carried out by compromising one system within a network and then seeking ways to compromise further hosts. Malware experts have determined that a Cobalt Group campaign usually takes around two weeks from its starting point to achieving its goal.
