COBALT ILLUSION
SUMMARY
Since at least 2011, COBALT ILLUSION has targeted a broad range of individuals and verticals with fake social media personas, phishing, and strategic web compromise operations. CTU researchers assess with moderate confidence that COBALT ILLUSION operates on behalf of Iran with the intent to conduct espionage and surveillance of individuals of interest to its sponsor. The group conducts extensive phishing campaigns, spoofing common webmail services such as Gmail and Yahoo, or approaches targets through a network of fake social media personas. Phishing landing pages are often pre-populated with the target's name and image to lend the page credibility. Some campaigns use URL shortening services to hide the phishing domain in the initial phishing message. COBALT ILLUSION also conducts news media and recruitment themed campaigns, deploying open source security tools, including The Browser Exploitation Framework (BeEF) and PupyRAT, on fake websites it has created or on legitimate websites it has compromised.
Operational mistakes have given researchers visibility into phishing kits and targeting databases used by COBALT ILLUSION, providing valuable insight into the group's operations. Several online and real-world identities have been linked to COBALT ILLUSION activity, including Behzad Mesri, who was indicted by the FBI in 2019 on multiple charges and described as operating at the behest of the Islamic Revolutionary Guard Corps (IRGC).
The threat actors behind COBALT ILLUSION may operate as a set of loosely coupled contractors directed by a sponsor organisation, which would explain the personal-preference-based variations in the TTPs seen across COBALT ILLUSION operations. Relational patterns between these operations may only become visible over an extended period of time. Aspects of COBALT ILLUSION operations had previously been reported as associated with COBALT GYPSY; these have since been reassessed. Individuals within the COBALT ILLUSION group are suspected of conducting their own "side-operations" from time to time, further confusing the intelligence picture.