COBALT ULSTER
SUMMARY
Since at least 2017, COBALT ULSTER has targeted various government, telecommunications, oil and gas, and education organizations in the Middle East, Central Asia, and North America. CTU researchers assess with moderate confidence that COBALT ULSTER operates on behalf of Iran. The group uses macro-laden phishing documents, publicly available tools such as Metasploit and LaZagne, and custom tools including PowerStats and Forelord. The threat actors inject false flags into code associated with their operations, likely to confuse security researchers who analyze artifacts related to COBALT ULSTER intrusions. COBALT ULSTER leverages compromised infrastructure for command and control (C2). In late 2019/early 2020, CTU researchers observed COBALT ULSTER targeting non-governmental organizations (NGOs) and Middle Eastern governments using malware that CTU researchers named FORELORD based on behavioral aspects of the malware's C2 communications.