
Cyber Threat Actor: Cosmu

Actor Type: Hacker
Location: North Macedonia
Known Incidents: 1 incident
Profile

Cosmu is a threat actor known by the alias Cosmu and is associated with North Macedonia, where the actor’s location has been identified. The only publicly documented activity attributed to Cosmu occurred on May 10, 2020, when the actor compromised the Ministry of Economy and Finance of North Macedonia, resulting in the exposure of email addresses and passwords for public institution staffers. During the same incident, officials reported service disruptions and noted that key sections of Skopje’s local government website became inaccessible, highlighting an impact on both data confidentiality and system availability.

Based on the confirmed incident, Cosmu’s observed targeting has been limited to government institutions within North Macedonia, specifically affecting a national ministry and a municipal web presence. The outcome of the operation included the leakage of credential data and the interruption of online services, indicating that the actor’s actions compromised the confidentiality of sensitive information and disrupted the availability of public‑facing resources. No explicit statements regarding financial gain, espionage motives, or other strategic objectives have been made public, so any interpretation of intent would be speculative and is therefore omitted.

The technical details of the compromise have not been disclosed in the available sources; consequently, specific malware families, initial‑access vectors, or tooling styles used by Cosmu remain unknown. The public reporting only notes that the actor succeeded in obtaining credential dumps and causing website inaccessibility, without describing the methods employed to achieve those results.

Attribution of Cosmu to any state sponsor, criminal consortium, or other affiliations has not been established in open‑source reporting, and no public statements link the actor to a particular group or nation‑state. As a result, the actor’s affiliations and any broader campaign history beyond the May 2020 incident remain undetermined based on the currently available information.

Incidents
1 incident
Sources
0 sources