COBALT GYPSY
SUMMARY
COBALT GYPSY has been active since at least 2015, targeting MENA-based or affiliated organizations in the telecommunications, government, defense, oil and financial services verticals. CTU researchers assess with moderate confidence that COBALT GYPSY operates on behalf of Iran. The group often uses spearphishing, with academic or employment-related themes, to infect targets, many of whom are identified and approached via social media sites. COBALT GYPSY also performs broad phishing operations against global government, energy, oil/gas, aviation, and nuclear organizations, as well as against defense contractors.
The group has deployed a range of custom remote access trojans (Helminth, Toxocara, Trichuris) and webshells (TwoFace, ThreeDollars). CTU researchers track a number of related but distinct groups with tradecraft or infrastructure similarities to COBALT GYPSY. These groups include COBALT ALPINE, COBALT EDGEWATER, COBALT KATANA, COBALT LYCEUM and COBALT AGORA.