The Cobalt cybercrime group has been active since 2016 and it attacks lending and finance organizations in its pursuit of stealing money by breaking into ATMs, card processing and various payment systems (such as SWIFT and the Automated Workstation Client of the Russian Central Bank (AWS-CBR)). It is assumed that several group members were once part of the Carbanak group that existed previously. According to FinCERT, in 2017, losses from Cobalt attacks in Russia exceeded RUB 1 billion. The group continued its activity even after the arrest of one of the group's leaders in 2018. One of the largest scale hacks in which the group was involved targeted the Unistream fast payments system.

• Cobalt Strike
• CobInt
• CoolPants
• ComDll dropper
• JS-backdoor(more_eggs)

• The finance sector

• North America
• Europe
• Central Asia
• Southeast Asia

• Cash theft

• Cobalt Gang
• Cobalt Spider

• https://pt-corp.storage.yandexcloud.net/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf
• https://pt-corp.storage.yandexcloud.net/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf
• https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html
• https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint
• https://blog.morphisec.com/cobalt-gang-2.0
• https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/
• https://www.group-ib.ru/resources/threat-research/cobalt.html
• https://www.group-ib.com/blog/renaissance