Threat Actor Profile
Description
Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money by targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to compromise additional victims.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: RiskIQ Cobalt Jan 2018) Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.(Citation: Europol Cobalt Mar 2018)
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (34)
STIX Data
{'aliases': ['Cobalt Group', 'GOLD KINGSWOOD', 'Cobalt Gang', 'Cobalt Spider'],
'created': '2018-10-17T00:14:20.652Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[Cobalt Group](https://attack.mitre.org/groups/G0080) is a '
'financially motivated threat group that has primarily '
'targeted financial institutions since at least 2016. The '
'group has conducted intrusions to steal money via targeting '
'ATM systems, card processing, payment systems and SWIFT '
'systems. [Cobalt '
'Group](https://attack.mitre.org/groups/G0080) has mainly '
'targeted banks in Eastern Europe, Central Asia, and Southeast '
'Asia. One of the alleged leaders was arrested in Spain in '
'early 2018, but the group still appears to be active. The '
'group has been known to target organizations in order to use '
'their access to then compromise additional victims.(Citation: '
'Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt '
'Group Aug 2017)(Citation: PTSecurity Cobalt Dec '
'2016)(Citation: Group IB Cobalt Aug 2017)(Citation: '
'Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov '
'2017)(Citation: RiskIQ Cobalt Jan 2018) Reporting indicates '
'there may be links between [Cobalt '
'Group](https://attack.mitre.org/groups/G0080) and both the '
'malware [Carbanak](https://attack.mitre.org/software/S0030) '
'and the group '
'[Carbanak](https://attack.mitre.org/groups/G0008).(Citation: '
'Europol Cobalt Mar 2018)',
'external_references': [{'external_id': 'G0080',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G0080'},
{'description': '(Citation: Crowdstrike Global Threat '
'Report Feb 2018)',
'source_name': 'Cobalt Spider'},
{'description': '(Citation: Secureworks GOLD '
'KINGSWOOD September 2018)',
'source_name': 'GOLD KINGSWOOD'},
{'description': '(Citation: Talos Cobalt Group July '
'2018) (Citation: Crowdstrike Global '
'Threat Report Feb 2018)(Citation: '
'Morphisec Cobalt Gang Oct 2018)',
'source_name': 'Cobalt Gang'},
{'description': '(Citation: Talos Cobalt Group July '
'2018) (Citation: PTSecurity Cobalt '
'Group Aug 2017) (Citation: '
'PTSecurity Cobalt Dec 2016) '
'(Citation: Proofpoint Cobalt June '
'2017) (Citation: RiskIQ Cobalt Nov '
'2017) (Citation: RiskIQ Cobalt Jan '
'2018)',
'source_name': 'Cobalt Group'},
{'description': 'CrowdStrike. (2018, February 26). '
'CrowdStrike 2018 Global Threat '
'Report. Retrieved October 10, 2018.',
'source_name': 'Crowdstrike Global Threat Report Feb '
'2018',
'url': 'https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report'},
{'description': 'CTU. (2018, September 27). '
'Cybercriminals Increasingly Trying '
'to Ensnare the Big Financial Fish. '
'Retrieved September 20, 2021.',
'source_name': 'Secureworks GOLD KINGSWOOD September '
'2018',
'url': 'https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish'},
{'description': 'Europol. (2018, March 26). '
'Mastermind Behind EUR 1 Billion '
'Cyber Bank Robbery Arrested in '
'Spain. Retrieved October 10, 2018.',
'source_name': 'Europol Cobalt Mar 2018',
'url': 'https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain'},
{'description': 'Gorelik, M. (2018, October 08). '
'Cobalt Group 2.0. Retrieved November '
'5, 2018.',
'source_name': 'Morphisec Cobalt Gang Oct 2018',
'url': 'https://blog.morphisec.com/cobalt-gang-2.0'},
{'description': 'Klijnsma, Y.. (2017, November 28). '
'Gaffe Reveals Full List of Targets '
'in Spear Phishing Attack Using '
'Cobalt Strike Against Financial '
'Institutions. Retrieved October 10, '
'2018.',
'source_name': 'RiskIQ Cobalt Nov 2017',
'url': 'https://web.archive.org/web/20190508170630/https://www.riskiq.com/blog/labs/cobalt-strike/'},
{'description': 'Klijnsma, Y.. (2018, January 16). '
'First Activities of Cobalt Group in '
'2018: Spear Phishing Russian Banks. '
'Retrieved October 10, 2018.',
'source_name': 'RiskIQ Cobalt Jan 2018',
'url': 'https://web.archive.org/web/20190508170147/https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/'},
{'description': 'Matveeva, V. (2017, August 15). '
'Secrets of Cobalt. Retrieved October '
'10, 2018.',
'source_name': 'Group IB Cobalt Aug 2017',
'url': 'https://www.group-ib.com/blog/cobalt'},
{'description': 'Mesa, M, et al. (2017, June 1). '
'Microsoft Word Intruder Integrates '
'CVE-2017-0199, Utilized by Cobalt '
'Group to Target Financial '
'Institutions. Retrieved October 10, '
'2018.',
'source_name': 'Proofpoint Cobalt June 2017',
'url': 'https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target'},
{'description': 'Positive Technologies. (2016, '
'December 16). Cobalt Snatch. '
'Retrieved October 9, 2018.',
'source_name': 'PTSecurity Cobalt Dec 2016',
'url': 'https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf'},
{'description': 'Positive Technologies. (2017, August '
'16). Cobalt Strikes Back: An '
'Evolving Multinational Threat to '
'Finance. Retrieved September 5, '
'2018.',
'source_name': 'PTSecurity Cobalt Group Aug 2017',
'url': 'https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf'},
{'description': 'Svajcer, V. (2018, July 31). '
'Multiple Cobalt Personality '
'Disorder. Retrieved September 5, '
'2018.',
'source_name': 'Talos Cobalt Group July 2018',
'url': 'https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html'}],
'id': 'intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a',
'modified': '2025-04-16T20:37:34.214Z',
'name': 'Cobalt Group',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '2.1'}