Cobalt Group
| Primary URL | Location | Industry |
|---|---|---|
| Undetermined | Country — | Commercial |
Profile
The Cobalt Group, also tracked as TEMP.Metastrike, is a financially motivated cyber threat actor. It has been observed conducting spear phishing campaigns that primarily target financial institutions in Eastern Europe and Russia. The group masquerades as trusted financial partners or vendors to lure victims into opening malicious communications. These campaigns are designed to deliver malware that establishes a foothold within the victim's network. The Cobalt Group's activity has been linked to the deployment of reconnaissance backdoors and JavaScript-based payloads. Its operations are motivated by monetary gain rather than espionage or ideological aims.
The malware used includes the CobInt/COOLPANTS backdoor and the JavaScript payload known as 'more_eggs'. These tools achieve persistence by creating registry keys and employ RC4 encryption to conceal their communications. Command-and-control traffic is directed to infrastructure such as the domain rietumu[.]me. By maintaining covert access, the group can conduct reconnaissance and later execute actions that facilitate ATM fraud. The same access has also been exploited to breach SWIFT network components, leading to unauthorized fund transfers. Consequently, affected organisations have suffered significant financial losses attributed to the Cobalt Group's intrusions.
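As an added, defender-side example (not part of the original profile), the following Python sketches how the indicators in this paragraph translate into triage checks: refanging the quoted C2 domain and matching it against DNS queries, flagging registry writes under autostart keys, and decoding RC4-protected data once a key has been recovered from a sample. The log lines are constructed, and the Run-key paths and log field formats are assumptions.

```python
"""Defender-side triage helpers for the Cobalt Group tradecraft above (added example,
not from the page): log lines are constructed; Run-key paths and field formats assumed."""
import re

# Defanged C2 domain quoted on the page; refanged only for matching.
C2_DOMAINS_DEFANGED = ["rietumu[.]me"]
# Assumed autostart locations to watch for the registry persistence described.
AUTOSTART_KEYS = [r"\Software\Microsoft\Windows\CurrentVersion\Run",
                  r"\Software\Microsoft\Windows\CurrentVersion\RunOnce"]

def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for comparison."""
    return indicator.replace("[.]", ".")

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so the same call decrypts
    captured C2 traffic once the key has been recovered from a sample."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def dns_hits(lines):
    """Return (line, c2_domain) for queries to a C2 domain or a subdomain of it."""
    c2 = [refang(d) for d in C2_DOMAINS_DEFANGED]
    hits = []
    for ln in lines:
        m = re.search(r"query=(\S+)", ln)
        q = m.group(1).lower().rstrip(".") if m else ""
        hits += [(ln, d) for d in c2 if q == d or q.endswith("." + d)]
    return hits

def registry_hits(lines):
    """Return SetValue events that land under an autostart key."""
    keys = [k.lower() for k in AUTOSTART_KEYS]
    return [ln for ln in lines if "setvalue" in ln.lower()
            and any(k in ln.lower() for k in keys)]

# Constructed sample events (not real telemetry).
DNS_LOG = ["2021-03-02T09:14:01Z client=10.0.4.17 query=update.rietumu.me type=A",
           "2021-03-02T09:14:03Z client=10.0.4.17 query=www.bank.example type=A"]
REG_LOG = [r"RegistryEvent SetValue HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc Image=C:\Users\a\AppData\Roaming\wsus.exe",
           r"RegistryEvent SetValue HKLM\Software\Example\Config\Path Image=C:\Program Files\Example\setup.exe"]
```

The RC4 helper is the standard algorithm, so it can be checked against the well-known "Key"/"Plaintext" test vector before trusting it on real captures.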
