Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Cobalt Group

🌐Cobalt Group

🌐 Cobalt Group is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Criminal. We map 14 detection use cases to this actor across 34 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0080) ↗
14Use cases
0Articles
34Techniques
0IOCs

About this actor (MITRE)

[Cobalt Group](https://attack.mitre.org/groups/G0080) is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. [Cobalt Group](https://attack.mitre.org/groups/G0080) has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use t

Known aliases

Cobalt GroupGOLD KINGSWOODCobalt GangCobalt Spider

Top techniques

T1021.001 · Remote Desktop ProtocolT1027.010 · Command ObfuscationT1037.001 · Logon Script (Windows)

All other tracked techniques

T1046 · Network Service DiscoveryT1053.005 · Scheduled TaskT1055 · Process InjectionT1059.001 · PowerShellT1059.003 · Windows Command ShellT1059.005 · Visual BasicT1059.007 · JavaScriptT1068 · Exploitation for Privilege EscalationT1070.004 · File DeletionT1071.001 · Web ProtocolsT1071.004 · DNST1105 · Ingress Tool TransferT1195.002 · Compromise Software Supply ChainT1203 · Exploitation for Client ExecutionT1204.001 · Malicious LinkT1204.002 · Malicious FileT1218.003 · CMSTPT1218.008 · OdbcconfT1218.010 · Regsvr32T1219 · Remote Access ToolsT1220 · XSL Script ProcessingT1518.001 · Security Software DiscoveryT1543.003 · Windows ServiceT1547.001 · Registry Run Keys / Startup FolderT1548.002 · Bypass User Account ControlT1559.002 · Dynamic Data ExchangeT1566.001 · Spearphishing AttachmentT1566.002 · Spearphishing LinkT1572 · Protocol TunnelingT1573.002 · Asymmetric CryptographyT1588.002 · Tool

Detection use cases (14)

Cobalt Group EQNEDT32.EXE child-process spawn (CVE-2017-11882 / 0802 Equation Editor exploit chain) AI · profile SΣ Cobalt Group Squiblydoo: regsvr32 /i: remote scrobj.dll COM scriptlet load AI · profile SΣ Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match