Menu
Browse

Cyber Threat Actor: Coldzer0

Actor Type Location Known Incidents
 Icon
Sensationalist
Egypt
2 incidents
Profile

Coldzer0 is thealias used by an individual who has publicly identified himself as Mohamed Osama and is known to be based in Egypt. He describes himself on his personal website and LinkedIn profile as a malware analyst, security researcher, reverse engineer, and Delphi team leader at Orbit Shield, where he also works as an instructor or trainer. This self‑presentation frames him as someone with technical expertise in software analysis and reverse engineering, though no further details about his formal employment or organizational ties are provided in the open sources.

His known activity focuses on compromising online forum platforms operated by software companies. In October 2015 he exploited a previously unknown zero‑day vulnerability in the vBulletin forum software to gain initial access to both the vBulletin.com and Foxit Software discussion boards. After establishing a foothold, he deployed a web shell that allowed him to maintain persistent presence on the servers without being detected by the victims’ F5‑based security appliances. The actor then exfiltrated user data, including user IDs, full names, email addresses, plaintext security questions and answers, password salts, and fragments of payment card information from the Foxit forum, affecting over 260,000 accounts, and obtained a dump of roughly 479,000 accounts from the vBulletin forum. To publicize the intrusions he posted screenshots and a video on YouTube (later removed), shared messages on Twitter using hashtags such as #0day and #vBulletin, and initially uploaded proof to his Facebook page before deleting those posts. These actions demonstrate a pattern of using the zero‑day exploit for initial entry, a web shell for persistence, and social media channels for claiming responsibility and disseminating evidence.

Attribution to a specific group or state sponsor is not evident in the material; the actor appears to operate as an individual linked to the alias Coldzer0 and the real name Mohamed Osama, with a publicly accessible LinkedIn profile and a personal website at coldroot.com. No connections to a criminal consortium, nation‑state program, or ideological movement are described in the sources. The October 2015 compromises of the vBulletin and Foxit forums constitute the most clearly documented operations associated with this actor, illustrating his capability to discover and weaponize zero‑day flaws in widely used forum software, maintain covert access via web shells, and leverage public platforms to claim credit for the breaches.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
2 sources