>samit_hota
Back to adversary profiles
G0080HighActive

Cobalt Group: A Relentless Financial Cybercrime Syndicate

Samit Hota·
Suspected Origin
Eastern Europe / Russia (Suspected)
Motivation
Financial Gain
Aliases
GOLD KINGSWOOD, Cobalt Gang, Cobalt Spider
Target Sectors
Financial, High-Tech, Media, Retail
Associated Malware
Cobalt Strike, Carbanak, CobInt, Mimikatz
#threat-actor#g0080

Overview

The Cobalt Group, also recognized by aliases such as GOLD KINGSWOOD, Cobalt Gang, and Cobalt Spider (MITRE ATT&CK ID: G0080), is a highly effective and persistent financially motivated cybercrime organization. Active since at least 2016, this group has earned notoriety for its sophisticated and large-scale attacks primarily aimed at financial institutions worldwide. Their core objective is the direct theft of funds, executed through various means including ATM jackpotting, manipulation of SWIFT systems, and fraudulent transfers via card processing and payment systems. While definitive attribution remains challenging, their operational methods and geographic focus strongly suggest an origin in Eastern Europe or Russia.

The group’s initial focus on ATM jackpotting quickly evolved to encompass broader financial systems. They are known for their adaptability, consistently updating their tactics and tools. Cobalt Group frequently targets retail and investment banks, payment processors, and SWIFT operators, but also compromises organizations outside the financial sector to pivot and gain access to their primary targets. This “stepping stone” approach allows them to leverage trusted connections to further their illicit activities. Their global reach extends across Eastern Europe, Central Asia, Southeast Asia, and broader regions including North and South America, Europe, and Africa. Despite the arrest of an alleged key leader in Spain in 2018, the group has continued to operate, a testament to its decentralized and resilient structure, often employing an extensive network of affiliates and money mules.

Tactics & Techniques

Cobalt Group’s operational methodology is characterized by a blend of social engineering, exploit cadena, and living-off-the-land techniques. Initial access is predominantly gained through meticulously crafted spear phishing campaigns. These attacks often involve emails containing malicious attachments, such as Word OLE compound documents, Rich Text Format (RTF) files, or PDFs, designed to exploit vulnerabilities in Microsoft Office (e.g., CVE-2017-11882, CVE-2017-0199, CVE-2017-8759) or to trick employees into enabling macros or clicking malicious links. These phishing lures are highly convincing, often impersonating legitimate entities like financial regulators, cybersecurity organizations, or trusted partners.

Once initial access is established, the group employs various execution methods, including PowerShell, custom JavaScript backdoors, and abusing legitimate Windows utilities like cmstp.exe, odbcconf, regsvr32.exe, and msxsl.exe to bypass AppLocker and run malicious scripts. For persistence, Cobalt Group leverages common techniques such as creating new services, scheduling Windows tasks, and modifying Registry Run keys or Startup folders.

Defense evasion is a key aspect of their operations. They frequently obfuscate scriptlets and code using methods like XOR and RC4, inject code into trusted processes, and load payloads directly into memory to avoid detection. They also utilize public platforms like GitHub and Sendspace for file hosting and command and control (C2) infrastructure. Network reconnaissance is performed using tools like SoftPerfect Network Scanner, and their JavaScript backdoors can enumerate installed security solutions.

For lateral movement, Cobalt Group extensively uses legitimate remote access tools such as PsExec and Remote Desktop Protocol (RDP), and they are known to establish SSH tunnels using the Plink utility. Credential harvesting is a critical post-exploitation phase, often achieved through tools like Mimikatz. Command and Control (C2) is established via HTTPS and DNS tunneling, with the Cobalt Strike beacon being a prominent C2 component, often supplemented by commercial remote access software like Ammyy Admin and TeamViewer to maintain access even if the primary C2 is disrupted.

Notable Campaigns

The Cobalt Group’s criminal career began with a significant incident in June 2016, when they targeted a major Russian bank, attempting to steal funds directly from ATMs. This was followed by a notorious ATM heist at the First Commercial Bank in Taiwan in July 2016, which saw millions stolen.

Between 2016 and 2018, the group was responsible for widespread ATM jackpotting operations across Eastern Europe and Asia. A particularly high-profile incident was the attack on the Bank of Valletta in Malta in 2019, which led to the unauthorized transfer of €13 million. Beyond direct ATM attacks, they gained infamy for manipulating SWIFT systems to facilitate fraudulent wire transactions across multiple countries.

Throughout their activity, Cobalt Group has shown a consistent pattern of targeting financial entities in Eastern Europe, Central Asia, and Southeast Asia. They have also been observed expanding their focus to compromise third-party organizations, such as bank partners, as a means to ultimately infiltrate the intended financial targets. In some instances, the group has deployed phishing campaigns impersonating major anti-virus vendors or the European Central Bank, demonstrating their willingness to adapt social engineering themes for maximum impact. In October 2018, they were observed using seemingly innocuous PDF documents that relied purely on social engineering, rather than exploits, to trick employees into downloading malicious macros.

Associated Malware & Tools

The Cobalt Group is adept at leveraging a mix of commercial penetration testing tools, custom malware, and open-source utilities. Their namesake, Cobalt Strike, is a commercial adversary simulation platform that forms the backbone of their post-exploitation activities, enabling advanced command and control, reconnaissance, and lateral movement within compromised networks. They frequently deploy its “Beacon” payload, which establishes persistent, evasive backdoors.

The group has strong historical ties and overlaps with the notorious Carbanak malware and the FIN7 threat group, with some researchers suggesting former Carbanak members may be part of Cobalt Group.

Other significant tools and malware include:

  • CobInt: A modular downloader written in C, used as an initial stage payload for delivering subsequent malicious components.
  • Mimikatz: Utilized for credential access and privilege escalation.
  • PsExec: A legitimate Windows tool frequently abused for lateral movement.
  • SoftPerfect Network Scanner: An open-source tool used for network discovery.
  • Ammyy Admin and TeamViewer: Commercial remote access software used to maintain access and control.
  • Threadkit: An exploit toolkit used to deliver malicious payloads.
  • ATM-specific malware like ATMSpitter, ATMRipper, and AtNow for cash-out operations.
  • Other reported tools include Cyst Downloader, FlawedAmmyy, Formbook, Little Pig, Metasploit Stager, More_eggs, NSIS, Pony, SDelete, Taurus Loader, VenomKit, and SpicyOmelette. They have also used exploit builders like Microsoft Word Intruder (MWI).

Current Status

Despite the arrest of an alleged key leader in Spain in early 2018, the Cobalt Group has shown remarkable resilience and continues to be an active and evolving threat. Reporting from as recently as 2024 indicates the group remains a significant adversary, continuously adapting its tactics and expanding its targeting to include various industries beyond just financial services, often as a precursor to compromising financial targets. This continued activity, even after law enforcement interventions, underscores their decentralized structure and the persistence of their financially motivated operations. They represent a high-level threat to financial institutions globally.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call