COBALT EDGEWATER
SUMMARY
Since 2018, COBALT EDGEWATER has targeted organizations across the Middle East, focusing on Lebanon and the UAE. CTU analysis suggests the group may also have targeted organizations in Albania and Kuwait. The group operates its own malware platforms: AgentDrable and Karkoff. Karkoff implants are controlled via a command and control (C2) panel named Scarecrow, details of which were publicly leaked in April 2019. COBALT EDGEWATER uses DNS hijacking for credential capture and social media-based interactions for malware delivery to gain initial access to targets. Multiple COBALT EDGEWATER phishing emails purported to originate from academic institutes or included fraudulent job postings for energy and technology companies. CTU researchers have observed COBALT GYPSY displaying a similar preference for academia- and job-themed lures. Infrastructure overlaps and tradecraft similarities suggest a connection between COBALT GYPSY, COBALT EDGEWATER and COBALT KATANA operations. CTU researchers assess with moderate confidence that COBALT EDGEWATER operates on behalf of Iran.