Menu
Browse

Cyber Threat Actor: CoomingProject

Actor Type Location Known Incidents
 Icon
Sensationalist
Russia
3 incidents
Profile

CoomingProject is a threat actor that operates under the alias CoomingProject and has been publicly linked to a Russian origin based on available reporting. The group first came to attention in mid‑2021 when it claimed responsibility for a series of data breaches against governmental and research institutions. While the actor presents itself as a hacking collective, it has explicitly stated that it is not a ransomware organization and does not extort victims for payment.

The actor’s known targets include a Mexican government health agency involved in COVID‑19 research and the South African National Space Agency, indicating a focus on sectors that handle sensitive scientific and personal data. In the Mexican incident, CoomingProject asserted that it exfiltrated approximately 50 GB of information, including a database labeled “COVID” containing patient names, dates of birth, contact details and test results, as well as dozens of PDF reports containing individual medical findings. In the South African case, the group claimed responsibility for a breach that resulted in a 16 TB data dump appearing on a Russian‑language forum, although another actor, GhostSec, later asserted ownership of that particular leak. These actions demonstrate a pattern of acquiring and subsequently releasing large volumes of confidential information rather than seeking financial gain through encryption or ransom demands.

Regarding tactics, the reported activity centers on data exfiltration and public disclosure; the actor has shared database tables, patient‑level test results and document collections, and has included ancillary files such as a README that referenced another Telegram‑based group, KelvinSecTeam. No specific malware families, initial‑access vectors or custom tooling are described in the sources, so further technical details remain unspecified. The actor’s affiliations with any state apparatus, criminal consortium or other hacking groups have not been established in the public record, and its motivations beyond the stated non‑ransomware stance are not detailed in the available material. The two highlighted incidents—the 2021‑09‑27 attack on Mexico’s Inmegen and the 2021‑09‑09 claim concerning SANSA—represent the primary campaigns for which verifiable information exists.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
2 sources