Cyber Threat Actor: Cookies called Captain Smoker 3R

Aliases: 3 aliases
Actor Type: Hacker
Location: Nepal
Known Incidents: 1 incident
Profile

The threat actor operating under the alias Captain Smoker 3R, also referred to as Cookies, has been linked to a single publicly reported incident targeting a government entity within Nepal. The available evidence places this activity in Sudurpaschim Province, where the actor compromised the official website of the Office of the Chief Minister and Council of Ministers. The primary action taken was a website defacement, where the actor displayed an unauthorized message claiming responsibility for the breach. This incident represents the only confirmed operation attributed to this identity in the provided material, establishing a very narrow operational footprint focused on a specific provincial government portal in Nepal. No other sectors, regions, or types of organizations have been identified as targets based on the given information. The strategic objective appears to be disruption and public messaging through website defacement, as the summary explicitly notes the portal was rendered inaccessible and no additional operational disruptions or data compromises were reported beyond the unauthorized access and visual alteration of the site.

The technical details of the intrusion are not elaborated upon in the source material; there is no mention of specific malware families, initial access vectors such as phishing or exploitation, or particular tools and techniques employed by the actor. Consequently, any discussion of Tactics, Techniques, and Procedures (TTPs) would be speculative and is omitted. Similarly, there is no publicly established information regarding any state sponsorship, affiliation with a criminal consortium, or connections to other threat groups. The actor's identity remains isolated to this single defacement claim. The reported operation on July 5, 2024, involved the actor identifying as Captain Smoker 3R. Following the breach, the provincial office notified Kathmandu's Department of Information Technology and commenced recovery efforts, though the website remained down the subsequent day. This incident stands as the sole representative example of activity associated with this alias, providing a limited but concrete data point for understanding this threat actor's minimal known capabilities and targeting preferences.

Incidents
1 incident
Sources
0 sources