G0080: Cobalt Group
Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.[1][2][3][4][5][6][7] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.[8]
Analyst context for executives and security teams
Cobalt Group matters because ATT&CK describes it as a financially motivated intrusion set focused on stealing money from financial institutions, including through ATM, card processing, payment, and SWIFT-related environments. For executives and security leaders, the decision value is not the name itself; it is whether the organization can prove that high-value financial transaction systems, identity paths, and third-party access routes are monitored and recoverable if an intrusion reaches money movement infrastructure.
Executive priority
Prioritize this as a financial-fraud and business-continuity scenario for banks and organizations connected to financial transaction ecosystems. Leaders should ask whether critical payment operations have segmented access, accountable privileged activity, incident-response playbooks for transaction manipulation or unauthorized money movement, and audit-ready evidence showing monitoring around ATM, card processing, payment, and SWIFT systems where applicable. Because ATT&CK notes the group has used access to compromise additional victims, supplier, partner, and downstream access governance should also be part of the risk discussion.
Technical view
ATT&CK provides no platform, tactic, technique, relationship, or detection details for this object in the supplied data, so SOC and IR teams should not infer specific procedures from this record alone. Use the object as a threat-intelligence driver to validate defensive coverage around financial transaction environments: authentication paths into payment systems, administrative access to ATM/card/SWIFT-related infrastructure, unusual remote access, lateral movement indicators in sensitive network zones, and evidence of systems being used as a staging point to reach other victims. Any detection engineering should be grounded in local architecture and additional source reporting, not this group record by itself.
Likely telemetry
- Privileged authentication and authorization logs for financial transaction systems
- Administrative activity logs for ATM, card processing, payment, and SWIFT-related environments where present
- Network flow and remote access telemetry between user, server, and sensitive financial operations zones
- Endpoint and server security telemetry for systems supporting payment operations
- Change-management, transaction-processing, and application logs that can evidence unauthorized operational changes
Detection direction
- Validate that monitoring exists around money movement infrastructure rather than only corporate IT endpoints.
- Correlate privileged access, remote access, and network movement into sensitive financial system zones with approved change windows and business processes.
- Treat detections involving payment, ATM, card processing, or SWIFT-related systems as higher priority because the described objective is direct financial theft.
- Look for evidence that internal access could be used to reach additional victims, such as unusual outbound connections, partner-facing access, or abuse of trusted connectivity.
- Avoid building group-specific detections from this object alone; the supplied ATT&CK record does not provide techniques, malware relationships, platforms, or official detection logic.
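The second detection bullet above (correlating privileged and remote access into sensitive financial zones with approved change windows) is concrete enough to demonstrate. The following is an added example, not part of the ATT&CK record or of the Glexia analysis: it parses a few constructed access records, maps hosts to zones through an assumed asset inventory, suppresses sessions explained by an approved change window, and escalates the rest when they are privileged or come from somewhere other than an assumed jump host. Every hostname, zone name, user, address and log line is constructed.

```python
"""Correlate access into sensitive financial zones with approved change windows.

Added example for the detection direction above; it is not part of the ATT&CK
record or of the Glexia analysis. Zone names, hostnames, users, jump-host
addresses and log lines are all constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed asset inventory: which zone each host belongs to (assumed names).
ASSET_ZONES: Dict[str, str] = {
    "swift-gw-01": "swift",
    "card-proc-02": "card_processing",
    "atm-ctl-03": "atm",
    "fileshare-01": "corporate",
}
SENSITIVE_ZONES = {"swift", "card_processing", "atm", "payment"}
# Constructed: the only sources that should open sessions into those zones.
JUMP_HOSTS = {"10.10.0.5"}


@dataclass(frozen=True)
class ChangeWindow:
    host: str
    user: str          # operator approved for this window
    start: datetime
    end: datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    src: str
    host: str
    method: str        # "rdp", "ssh", "winrm", ...
    privileged: bool


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed, pipe-delimited access record, e.g.
    2024-03-05T03:40:00|user=jdoe|src=10.1.2.3|host=card-proc-02|method=rdp|priv=1"""
    ts, *fields = line.strip().split("|")
    kv = dict(f.split("=", 1) for f in fields)
    return AccessEvent(datetime.fromisoformat(ts), kv["user"], kv["src"],
                       kv["host"], kv["method"], kv["priv"] == "1")


def covered_by_change(ev: AccessEvent, windows: List[ChangeWindow]) -> bool:
    """True when an approved window exists for this host, operator and time."""
    return any(w.host == ev.host and w.user == ev.user and w.start <= ev.ts <= w.end
               for w in windows)


def triage(lines: List[str], windows: List[ChangeWindow]) -> List[Tuple[str, str, AccessEvent]]:
    """Return (severity, reason, event) for sessions into a sensitive zone that are
    not explained by an approved change. Corporate-zone access is ignored here."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        zone = ASSET_ZONES.get(ev.host, "unknown")
        if zone not in SENSITIVE_ZONES or covered_by_change(ev, windows):
            continue
        reasons = [f"{ev.method} session into {zone} zone outside any approved change window"]
        if ev.privileged:
            reasons.append("privileged session")
        if ev.src not in JUMP_HOSTS:
            reasons.append(f"source {ev.src} is not an approved jump host")
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append((severity, "; ".join(reasons), ev))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "2024-03-05T02:14:00|user=ops.admin|src=10.10.0.5|host=swift-gw-01|method=rdp|priv=1",
    "2024-03-05T03:40:00|user=jdoe|src=10.1.2.3|host=card-proc-02|method=rdp|priv=1",
    "2024-03-05T09:05:00|user=ops.admin|src=10.10.0.5|host=atm-ctl-03|method=winrm|priv=0",
    "2024-03-05T09:07:00|user=jdoe|src=10.1.2.3|host=fileshare-01|method=smb|priv=0",
]
CHANGE_WINDOWS = [
    ChangeWindow("swift-gw-01", "ops.admin",
                 datetime(2024, 3, 5, 2, 0), datetime(2024, 3, 5, 4, 0)),
]

if __name__ == "__main__":
    for severity, reason, ev in triage(SAMPLE_LOG, CHANGE_WINDOWS):
        print(f"[{severity}] {ev.ts.isoformat()} {ev.user}@{ev.host}: {reason}")
```

The first record is suppressed because it falls inside an approved window for that host and operator; the corporate file-share record is ignored because it never reaches a sensitive zone. In a real deployment the inventory and change windows would come from the CMDB and change-management system rather than from constants, and "approved jump host" would be a property of the network design rather than an address set.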
Mitigation priorities
- Identify and inventory systems that support ATM, card processing, payment, and SWIFT operations, then map privileged access paths to them.
- Enforce strong identity controls, least privilege, and reviewable administrative access for sensitive financial operations environments.
- Segment financial transaction infrastructure from general enterprise networks and tightly govern remote and third-party access.
- Maintain incident-response playbooks for suspected unauthorized transaction activity, including evidence preservation, containment, business approval paths, and regulator or partner notification workflows where applicable.
- Use threat-intelligence enrichment and local incident data to decide whether additional controls or detections are needed beyond what this sparse ATT&CK object supports.
Analyst notes and limits
The supplied ATT&CK description identifies Cobalt Group as financially motivated, primarily targeting financial institutions since at least 2016, with reported targeting of ATM, card processing, payment, and SWIFT systems, mainly in Eastern Europe, Central Asia, and Southeast Asia. It also notes aliases and reported links to Carbanak malware and the Carbanak group, but no relationship objects were supplied here, so those links should be treated as contextual description rather than relationship-driven evidence in this take.
No official detection, platforms, tactics, techniques, external references, or relationship context were supplied. This take therefore stays at the defensive-planning and validation level and does not assert specific tools, procedures, active campaigns, affected customers, or guaranteed detection coverage. Local architecture and additional intelligence are required for operational detection content.
Cobalt Group
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566.001 | Spearphishing Attachment | Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables. (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: PTSecurity Cobalt Dec 2016) (Citation: Group IB Cobalt Aug 2017) (Citation: Proofpoint Cobalt June 2017) (Citation: RiskIQ Cobalt Nov 2017) (Citation: Unit 42 Cobalt Gang Oct 2018) (Citation: TrendMicro Cobalt Group Nov 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers. (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: PTSecurity Cobalt Dec 2016) The group's JavaScript backdoor is also capable of downloading files. (Citation: Morphisec Cobalt Gang Oct 2018) |
| Enterprise | T1027.010 | Command Obfuscation | Cobalt Group obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4. (Citation: Talos Cobalt Group July 2018) (Citation: Morphisec Cobalt Gang Oct 2018) |
| Enterprise | T1053.005 | Scheduled Task | Cobalt Group has created Windows tasks to establish persistence. (Citation: Group IB Cobalt Aug 2017) |
| Enterprise | T1218.008 | Odbcconf | Cobalt Group has used |
| Enterprise | T1195.002 | Compromise Software Supply Chain | Cobalt Group has compromised legitimate web browser updates to deliver a backdoor. (Citation: Crowdstrike GTR2020 Mar 2020) |
| Enterprise | T1518.001 | Security Software Discovery | Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine. (Citation: Morphisec Cobalt Gang Oct 2018) |
| Enterprise | T1559.002 | Dynamic Data Exchange | Cobalt Group has sent malicious Word OLE compound documents to victims. (Citation: Talos Cobalt Group July 2018) |
| Enterprise | T1204.002 | Malicious File | Cobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine. (Citation: Talos Cobalt Group July 2018) (Citation: Unit 42 Cobalt Gang Oct 2018) |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Cobalt Group has used exploits to increase their levels of rights and privileges. (Citation: Group IB Cobalt Aug 2017) |
| Enterprise | T1218.003 | CMSTP | Cobalt Group has used the command |
| Enterprise | T1218.010 | Regsvr32 | Cobalt Group has used regsvr32.exe to execute scripts. (Citation: Talos Cobalt Group July 2018) (Citation: Morphisec Cobalt Gang Oct 2018) (Citation: TrendMicro Cobalt Group Nov 2017) |
| Enterprise | T1055 | Process Injection | Cobalt Group has injected code into trusted processes. (Citation: Group IB Cobalt Aug 2017) |
| Enterprise | T1059.001 | PowerShell | Cobalt Group has used powershell.exe to download and execute scripts. (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: PTSecurity Cobalt Dec 2016) (Citation: Group IB Cobalt Aug 2017) (Citation: RiskIQ Cobalt Jan 2018) (Citation: TrendMicro Cobalt Group Nov 2017) |
| Enterprise | T1588.002 | Tool | Cobalt Group has obtained and used a variety of tools including Mimikatz, PsExec, Cobalt Strike, and SDelete. (Citation: PTSecurity Cobalt Dec 2016) |
| Enterprise | T1021.001 | Remote Desktop Protocol | Cobalt Group has used Remote Desktop Protocol to conduct lateral movement. (Citation: Group IB Cobalt Aug 2017) |
| Enterprise | T1059.005 | Visual Basic | Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution. (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: Group IB Cobalt Aug 2017) (Citation: Morphisec Cobalt Gang Oct 2018) (Citation: Unit 42 Cobalt Gang Oct 2018) (Citation: TrendMicro Cobalt Group Nov 2017) |
| Enterprise | T1203 | Exploitation for Client Execution | Cobalt Group had exploited multiple vulnerabilities for execution, including Microsoft’s Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, CVE-2017-0199, and CVE-2017-8759. (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: PTSecurity Cobalt Dec 2016) (Citation: Proofpoint Cobalt June 2017) (Citation: RiskIQ Cobalt Nov 2017) (Citation: RiskIQ Cobalt Jan 2018) (Citation: Crowdstrike Global Threat Report Feb 2018) (Citation: TrendMicro Cobalt Group Nov 2017) |
| Enterprise | T1070.004 | File Deletion | Cobalt Group deleted the DLL dropper from the victim’s machine to cover their tracks. (Citation: Talos Cobalt Group July 2018) |
| Enterprise | T1548.002 | Bypass User Account Control | Cobalt Group has bypassed UAC. (Citation: Group IB Cobalt Aug 2017) |
| Enterprise | T1220 | XSL Script Processing | Cobalt Group used msxsl.exe to bypass AppLocker and to invoke Jscript code from an XSL file. (Citation: Talos Cobalt Group July 2018) |
| Enterprise | T1071.004 | DNS | Cobalt Group has used DNS tunneling for C2. (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Dec 2016) (Citation: Group IB Cobalt Aug 2017) |
| Enterprise | T1059.007 | JavaScript | Cobalt Group has executed JavaScript scriptlets on the victim's machine. (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: Group IB Cobalt Aug 2017) (Citation: Morphisec Cobalt Gang Oct 2018) (Citation: Unit 42 Cobalt Gang Oct 2018) (Citation: TrendMicro Cobalt Group Nov 2017) |
| Enterprise | T1566.002 | Spearphishing Link | Cobalt Group has sent emails with URLs pointing to malicious documents. (Citation: Talos Cobalt Group July 2018) (Citation: Secureworks GOLD KINGSWOOD September 2018) |
| Enterprise | T1204.001 | Malicious Link | Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine. (Citation: Talos Cobalt Group July 2018) (Citation: Unit 42 Cobalt Gang Oct 2018) (Citation: Secureworks GOLD KINGSWOOD September 2018) |
| Enterprise | T1059.003 | Windows Command Shell | Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands. (Citation: Morphisec Cobalt Gang Oct 2018) The group has used an exploit toolkit known as Threadkit that launches .bat files. (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: Group IB Cobalt Aug 2017) (Citation: Morphisec Cobalt Gang Oct 2018) (Citation: Unit 42 Cobalt Gang Oct 2018) (Citation: TrendMicro Cobalt Group Nov 2017) |
| Enterprise | T1071.001 | Web Protocols | Cobalt Group has used HTTPS for C2. (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Dec 2016) (Citation: Group IB Cobalt Aug 2017) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike. (Citation: Group IB Cobalt Aug 2017) |
| Enterprise | T1572 | Protocol Tunneling | Cobalt Group has used the Plink utility to create SSH tunnels. (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Dec 2016) (Citation: Group IB Cobalt Aug 2017) |
| Enterprise | T1573.002 | Asymmetric Cryptography | Cobalt Group has used the Plink utility to create SSH tunnels. (Citation: Group IB Cobalt Aug 2017) |
| Enterprise | T1543.003 | Windows Service | Cobalt Group has created new services to establish persistence. (Citation: Group IB Cobalt Aug 2017) |
| Enterprise | T1219 | Remote Access Tools | Cobalt Group used the Ammyy Admin tool as well as TeamViewer for remote access, including to preserve remote access if a Cobalt Strike module was lost. (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: PTSecurity Cobalt Dec 2016) (Citation: Group IB Cobalt Aug 2017) |
| Enterprise | T1046 | Network Service Discovery | Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning. (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: PTSecurity Cobalt Dec 2016) (Citation: Group IB Cobalt Aug 2017) |
| Enterprise | T1037.001 | Logon Script (Windows) | Cobalt Group has added persistence by registering the file name for the next stage malware under |
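Several rows in the table describe a single host-level pattern a SOC can test for: an Office document (T1204.002, T1559.002, T1059.005) launching a script host (T1059.001, T1059.003, T1059.007) or a signed proxy binary (T1218.010, T1220, T1218.008, T1218.003), plus tunnelling and remote-access tooling (T1572, T1219) that should only appear under an approved change. The following is an added example, not MITRE's or Glexia's code: it evaluates constructed Sysmon-style process-creation records against those parent/child relationships and tags each hit with the ATT&CK ID from the table. Image names for the watched binaries are the ones named in the table; the sample events, paths and command lines are constructed, and the `ammyy` substring check is an assumption about how that product's binary would be named in a given estate.

```python
"""Process-creation checks derived from the Cobalt Group technique table above.

Added example, not part of the ATT&CK record or the Glexia analysis. The
SAMPLE_EVENTS are constructed Sysmon-style (Event ID 1) records, not real telemetry."""
import json
from typing import Dict, List

# Parents that should rarely launch script hosts or signed proxy binaries
# (the table's T1204.002, T1559.002 and T1059.005 procedures start from Word documents).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

# Child image -> ATT&CK ID, taken from the technique table.
SCRIPT_HOSTS = {
    "powershell.exe": "T1059.001",
    "cmd.exe": "T1059.003",
    "wscript.exe": "T1059.007",
    "cscript.exe": "T1059.007",
}
PROXY_BINARIES = {
    "regsvr32.exe": "T1218.010",
    "msxsl.exe": "T1220",
    "odbcconf.exe": "T1218.008",
    "cmstp.exe": "T1218.003",
}
# Tools named in the table that should only appear under an approved change.
TOOL_IMAGES = {"plink.exe": "T1572", "teamviewer.exe": "T1219"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_remote_url(cmdline: str) -> bool:
    c = cmdline.lower()
    return "http://" in c or "https://" in c


def evaluate(event: Dict) -> List[Dict]:
    """Return zero or more findings for one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    findings: List[Dict] = []

    def add(rule: str, technique: str, severity: str) -> None:
        findings.append({"rule": rule, "technique": technique, "severity": severity,
                         "pid": event.get("ProcessId"), "image": child, "parent": parent})

    # 1. Office application spawning a script host or proxy binary.
    if parent in OFFICE_PARENTS:
        if child in SCRIPT_HOSTS:
            add("office_spawns_script_host", SCRIPT_HOSTS[child], "high")
        elif child in PROXY_BINARIES:
            add("office_spawns_proxy_binary", PROXY_BINARIES[child], "high")

    # 2. Proxy binaries that are rare in most estates (msxsl/odbcconf/cmstp) on any
    #    execution; regsvr32 only when pointed at a remote URL (its script-execution use).
    if child in ("msxsl.exe", "odbcconf.exe", "cmstp.exe"):
        add("rare_proxy_binary_execution", PROXY_BINARIES[child], "medium")
    elif child == "regsvr32.exe" and has_remote_url(cmd):
        add("regsvr32_remote_argument", PROXY_BINARIES[child], "high")

    # 3. Script host given a remote URL: the download-and-execute pattern (T1105 overlap).
    if child in SCRIPT_HOSTS and has_remote_url(cmd):
        add("script_host_remote_download", "T1105", "high")

    # 4. Tunnelling / remote-access tools; "ammyy" substring is an assumed naming.
    if child in TOOL_IMAGES or "ammyy" in child:
        add("remote_access_or_tunnel_tool", TOOL_IMAGES.get(child, "T1219"), "medium")
    return findings


def scan(events: List[Dict]) -> List[Dict]:
    out: List[Dict] = []
    for ev in events:
        out.extend(evaluate(ev))
    return out


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per ATT&CK ID so results can be read against the table."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


# Constructed sample records (not real telemetry; example.invalid is a reserved name).
SAMPLE_EVENTS = [
    {"ProcessId": 101, "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -File C:\Users\Public\stage.ps1"},
    {"ProcessId": 102, "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s https://example.invalid/stage"},
    {"ProcessId": 103, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Tools\msxsl.exe", "CommandLine": "msxsl.exe report.xml style.xsl"},
    {"ProcessId": 104, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\plink.exe", "CommandLine": "plink.exe <arguments redacted>"},
    {"ProcessId": 105, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"ProcessId": 106, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Service"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(json.dumps(finding))
    print(summarize(scan(SAMPLE_EVENTS)))
```

The regsvr32 record produces two findings (Office parent and remote argument), which is intentional: each rule stands alone, and the correlation layer can raise priority when the same process matches more than one. The interactive PowerShell session from explorer.exe and the notepad launch produce nothing, which is the false-positive budget these parent/child rules are designed around; tuning for a specific estate means adding its own legitimate automation to an allow-list rather than loosening the parent set.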
Groups, software, and campaigns
S0002: Mimikatz
S0284: More_eggs
More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. [1][2]
S0646: SpicyOmelette
SpicyOmelette is a JavaScript based remote access tool that has been used by Cobalt Group since at least 2018.[1]
S0195: SDelete
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0029: PsExec
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | c812e58a8612… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Talos Cobalt Group July 2018: Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
- [2] PTSecurity Cobalt Group Aug 2017: Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
- [3] PTSecurity Cobalt Dec 2016: Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
- [4] Group IB Cobalt Aug 2017: Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
- [5] Proofpoint Cobalt June 2017: Mesa, M., et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018.
- [6] RiskIQ Cobalt Nov 2017: Klijnsma, Y. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018.
- [7] RiskIQ Cobalt Jan 2018: Klijnsma, Y. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018.
- [8] Europol Cobalt Mar 2018: Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018.
- [9] Cobalt Gang (alias): (Citation: Talos Cobalt Group July 2018) (Citation: Crowdstrike Global Threat Report Feb 2018) (Citation: Morphisec Cobalt Gang Oct 2018)
- [10] Cobalt Group (alias): (Citation: Talos Cobalt Group July 2018) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: PTSecurity Cobalt Dec 2016) (Citation: Proofpoint Cobalt June 2017) (Citation: RiskIQ Cobalt Nov 2017) (Citation: RiskIQ Cobalt Jan 2018)
- [11] Cobalt Spider (alias): (Citation: Crowdstrike Global Threat Report Feb 2018)
- [12] Crowdstrike Global Threat Report Feb 2018: CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
- [13] GOLD KINGSWOOD (alias): (Citation: Secureworks GOLD KINGSWOOD September 2018)
- [14] Morphisec Cobalt Gang Oct 2018: Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
- [15] Secureworks GOLD KINGSWOOD September 2018: CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
- [16] mitre-attack G0080 (source object)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.