S0646: SpicyOmelette
SpicyOmelette is a JavaScript-based remote access tool that has been used by Cobalt Group since at least 2018.[1]
Analyst context for executives and security teams
SpicyOmelette matters because ATT&CK describes it as a JavaScript-based remote access tool on Windows, with related behaviors spanning phishing links, script execution, host and network discovery, local data collection, tool transfer, and code signing abuse. For leaders, the practical issue is not the malware name alone; it is whether the organization can see and contain a script-driven remote access intrusion before it maps the environment, finds sensitive data, or brings in additional tools.
Executive priority
Prioritize this as a validation case for phishing resilience, Windows endpoint visibility, and incident response readiness. The ATT&CK relationship to Cobalt Group, a financially motivated group associated with financial-institution targeting, makes this especially relevant for organizations operating payment, card-processing, ATM, or SWIFT-adjacent environments. Executives should ask whether SOC evidence can connect a clicked link to script execution, discovery activity, downloads, and sensitive-data access quickly enough to support containment and audit-quality incident decisions.
Technical view
ATT&CK does not provide an official detection analytic for SpicyOmelette, so defenders should build coverage around the related behaviors: spearphishing link and malicious-link execution, JavaScript/JScript execution on Windows, system and network discovery, remote system discovery, software and security-software discovery, local data access, ingress tool transfer, and code-signing-related trust decisions. SOC teams should validate that detections correlate email or web-click events with endpoint script/process telemetry, discovery commands or API activity, unusual file access, and follow-on downloads. IR teams should prepare triage paths for script-based RAT activity rather than relying only on known malware signatures.
Likely telemetry
- Email security and message-click telemetry for spearphishing or malicious links
- Web proxy, secure web gateway, DNS, and URL filtering logs tied to user link activity
- Windows endpoint process creation and command-line telemetry for JavaScript/JScript or Windows Script engine execution
- Endpoint file, registry, and local data access telemetry relevant to collection from local systems
- Host and network discovery evidence such as network configuration queries and remote system enumeration
Detection direction
- Treat this as behavior-led detection because ATT&CK provides no official SpicyOmelette detection text.
- Correlate a user clicking a link with subsequent script execution, discovery, local data access, and external downloads on the same Windows host.
- Tune for legitimate administrative scripts, inventory tools, and software management activity to reduce false positives while preserving unusual user-context execution and uncommon parent-child process chains.
- Validate visibility into security-software discovery, because this behavior often exposes gaps where EDR or logging products do not record attempts to enumerate defensive controls.
- Review signed-code trust assumptions; code signing should inform triage but should not automatically suppress suspicious execution or tool-transfer behavior.
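As an added example (not part of the ATT&CK object or of Glexia's analysis), the following Python sketch implements the correlation described in the bullets above: a link click followed, on the same Windows host and within a short window, by an unexpected script-host launch and then discovery, local file access or an outbound download by that script host. The event schema, hostnames, users, URLs, timestamps and the allowlisted parent processes used for tuning are all constructed assumptions; map them onto your own proxy, email-click and EDR telemetry.

```python
"""Behavior-led correlation of a script-driven RAT chain on one Windows host.

Added example, not part of the ATT&CK object or Glexia's analysis. The event
schema (field names), hostnames, users, URLs, timestamps and the allowlisted
parent processes are constructed assumptions for illustration only.
"""
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DISCOVERY_VERBS = {"hostname", "ipconfig", "whoami", "systeminfo", "tasklist", "net", "nltest"}
# Parents under which script-host launches are routine in this assumed environment
# (group-policy logon scripts, a software-deployment agent): tuning entries.
ALLOWLISTED_PARENTS = {"gpscript.exe", "ccmexec.exe"}


def is_discovery(cmdline):
    """True if the command line carries a host/network discovery verb."""
    tokens = cmdline.lower().replace('"', "").split()
    return any(tok in DISCOVERY_VERBS for tok in tokens)


def _add(stages, name):
    if name not in stages:
        stages.append(name)


def correlate(events, window_minutes=10):
    """Return one alert per link click that is followed, on the same host and within
    the window, by a non-allowlisted script-host launch plus at least one further
    stage (discovery, local data access, download) performed under that script host."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    alerts = []
    for click in (e for e in events if e["type"] == "web_click"):
        t0 = datetime.fromisoformat(click["ts"])
        deadline = t0 + timedelta(minutes=window_minutes)
        stages = ["click"]
        script_seen = False
        for e in events:
            t = datetime.fromisoformat(e["ts"])
            if e["host"] != click["host"] or t < t0 or t > deadline:
                continue
            image = e.get("image", "").lower()
            parent = e.get("parent", "").lower()
            if e["type"] == "process" and image in SCRIPT_HOSTS:
                if parent not in ALLOWLISTED_PARENTS:  # expected admin launches are ignored
                    script_seen = True
                    _add(stages, "script_exec")
            elif not script_seen:
                continue  # later stages only count after an unexpected script host ran
            elif e["type"] == "process" and parent in SCRIPT_HOSTS and is_discovery(e["cmdline"]):
                _add(stages, "discovery")
            elif e["type"] == "file_read" and image in SCRIPT_HOSTS:
                _add(stages, "local_data")
            elif e["type"] == "network" and image in SCRIPT_HOSTS:
                _add(stages, "download")
        if "script_exec" in stages and len(stages) >= 3:
            alerts.append({"host": click["host"], "user": click.get("user"),
                           "click_url": click["url"], "first_seen": click["ts"],
                           "stages": stages})
    return alerts


# Constructed sample telemetry: a chain on WS01, a benign group-policy script on
# WS02 shortly after an unrelated click, and a click on WS03 with no follow-on.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "user": "alice", "type": "web_click",
     "url": "https://invoice-portal.example/statement.pdf"},
    {"ts": "2024-05-01T09:00:20", "host": "WS01", "user": "alice", "type": "process",
     "image": "wscript.exe", "parent": "chrome.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\statement.pdf.js"'},
    {"ts": "2024-05-01T09:00:35", "host": "WS01", "type": "process", "image": "cmd.exe",
     "parent": "wscript.exe", "cmdline": "cmd.exe /c hostname"},
    {"ts": "2024-05-01T09:00:40", "host": "WS01", "type": "process", "image": "cmd.exe",
     "parent": "wscript.exe", "cmdline": "cmd.exe /c ipconfig /all"},
    {"ts": "2024-05-01T09:01:10", "host": "WS01", "type": "file_read", "image": "wscript.exe",
     "path": r"C:\Users\alice\Documents\wire_batch.xlsx"},
    {"ts": "2024-05-01T09:02:00", "host": "WS01", "type": "network", "image": "wscript.exe",
     "dest": "bucket.example-cloud-storage.invalid", "bytes_in": 240000},
    {"ts": "2024-05-01T09:04:30", "host": "WS02", "user": "bob", "type": "web_click",
     "url": "https://intranet.example/news"},
    {"ts": "2024-05-01T09:05:00", "host": "WS02", "user": "SYSTEM", "type": "process",
     "image": "cscript.exe", "parent": "gpscript.exe",
     "cmdline": r"cscript.exe \\dc01\netlogon\map.vbs"},
    {"ts": "2024-05-01T09:05:05", "host": "WS02", "type": "process", "image": "cmd.exe",
     "parent": "cscript.exe", "cmdline": "cmd.exe /c ipconfig"},
    {"ts": "2024-05-01T09:10:00", "host": "WS03", "user": "carol", "type": "web_click",
     "url": "https://docs.example/guide.pdf"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only WS01 produces an alert: WS02's script host was launched by an allowlisted parent, so its discovery child is not counted, and WS03's click has no follow-on activity. Requiring the click, the script-host launch and one further stage before alerting is what keeps isolated logon scripts or inventory tools from paging the SOC, while the stage list in the alert gives IR the ordered evidence chain the text asks for.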
Mitigation priorities
- Strengthen phishing-link prevention, user reporting, and rapid containment workflows for clicked links.
- Restrict and monitor script execution on Windows where business processes allow, especially JavaScript/JScript execution outside expected contexts.
- Ensure endpoint logging captures process command lines, script interpreter usage, file access, and network connections needed for incident reconstruction.
- Apply least privilege and segmentation to limit discovery, local data access, and movement toward sensitive systems.
- Control outbound access and file downloads to reduce successful ingress tool transfer.
Analyst notes and limits
This take is derived from the supplied ATT&CK software object, its external reference, and listed relationships. The most useful defensive framing comes from the related techniques rather than from malware-specific detection content. The Cobalt Group relationship supports heightened relevance for financial-sector risk discussions, but local exposure depends on the organization’s environment, controls, and telemetry.
ATT&CK does not specify tactics or provide official detection text for this malware object. The object platform is Windows, while several related techniques list broader or different platforms in the supplied relationship context; platform-specific conclusions should therefore be validated locally. No claim is made here about active exploitation, current targeting, or existing customer detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | SpicyOmelette can identify the system name of a compromised host. [1] |
| Enterprise | T1518 | Software Discovery | SpicyOmelette can enumerate running software on a targeted system. [1] |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | SpicyOmelette has been distributed via emails containing a malicious link that appears to be a PDF document. [1] |
| Enterprise | T1005 | Data from Local System | SpicyOmelette has collected data and other information from a compromised host. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | SpicyOmelette can download malicious files from threat actor-controlled AWS URLs. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | SpicyOmelette can identify the IP of a compromised system. [1] |
| Enterprise | T1059.007 | JavaScript Sub-technique | SpicyOmelette has the ability to execute arbitrary JavaScript code on a compromised host. [1] |
| Enterprise | T1204.001 | Malicious Link Sub-technique | SpicyOmelette has been executed through malicious links within spearphishing emails. [1] |
| Enterprise | T1018 | Remote System Discovery | SpicyOmelette can identify payment systems, payment gateways, and ATM systems in compromised environments. [1] |
| Enterprise | T1553.002 | Code Signing Sub-technique | SpicyOmelette has been signed with valid digital certificates. [1] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | SpicyOmelette can check for the presence of 29 different antivirus tools. [1] |
Groups, software, and campaigns
G0080: Cobalt Group
Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.[1][2][3][4][5][6][7] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.[8]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fa0690dab64d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Secureworks GOLD KINGSWOOD September 2018. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
[2] mitre-attack S0646.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.