COBALT LYCEUM
SUMMARY
CTU researchers discovered the COBALT LYCEUM threat group in mid-2019 and determined that it has been active since at least 2018. The group is assessed with moderate confidence to operate on behalf of Iran, with a relatively small scope of operations compared to other Iranian groups. Known targets include critical infrastructure organizations, such as telecommunications and oil and gas companies, as well as government entities. In 2021, targeting expanded to include IT services and technology organizations.
The threat actors have used malicious Excel files carrying the DanDrop macro to deliver the unsophisticated DanBot first-stage malware, which in turn deploys post-intrusion tools taken from public code repositories.
A mid-2018 COBALT LYCEUM campaign focused on South African targets. In February 2019, following a period of testing and development, the threat actors shifted their focus to Kuwait. In 2020, targeting included government entities in Tunisia, and in 2021 the focus shifted to include the technology sector in Israel.
COBALT LYCEUM's targeting, tactics, and development style are similar to those of COBALT GYPSY, and the group also uses RGDoor, an IIS backdoor previously associated only with COBALT GYPSY. Document metadata anomalies suggest that the malware developer may work natively in an Arabic or Persian script. In 2021 the group developed and deployed the new malware families MilanRAT and SharkWork RAT.
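The metadata observation above is the kind of lead a maldoc triage script can surface automatically. The following is an added example, not Secureworks code and not a description of the actual DanDrop documents: it reads the docProps/core.xml part of an OOXML container (the format behind .xlsx/.docx), pulls the author fields, and flags any whose letters are in Arabic script (which covers both Arabic and Persian). The sample workbook, its author strings and the date are constructed inline; the choice of which fields and scripts to flag is an assumption for illustration.

```python
"""Flag OOXML author metadata written in a non-Latin script.

Added example for document-metadata triage; not Secureworks code.
The minimal .xlsx container built below is constructed for the demo.
"""
import io
import unicodedata
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Author-related core properties worth checking (assumption: these two are
# the fields most often populated by Office and most often forgotten by authors).
AUTHOR_FIELDS = ("creator", "lastModifiedBy")


def read_core_properties(ooxml_bytes: bytes) -> Dict[str, str]:
    """Return {local-tag: text} for every element in docProps/core.xml ({} if absent)."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    # Strip the namespace: '{http://purl.org/dc/elements/1.1/}creator' -> 'creator'
    return {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip() for el in root}


def dominant_script(text: str) -> Optional[str]:
    """Name the Unicode script most of the letters in text belong to, e.g. 'LATIN', 'ARABIC'."""
    counts: Dict[str, int] = {}
    for ch in text:
        if not ch.isalpha():
            continue
        # The first word of the Unicode character name is the script block name.
        script = unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]
        counts[script] = counts.get(script, 0) + 1
    return max(counts, key=counts.get) if counts else None


def flag_author_scripts(props: Dict[str, str], expected: str = "LATIN") -> List[Tuple[str, str, str]]:
    """List (field, value, script) for author fields not written in the expected script."""
    flagged = []
    for field in AUTHOR_FIELDS:
        value = props.get(field, "")
        script = dominant_script(value)
        if script and script != expected:
            flagged.append((field, value, script))
    return flagged


# Constructed core.xml with the namespaces Office actually emits; the date is invented.
CORE_XML_TEMPLATE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>{creator}</dc:creator>
<cp:lastModifiedBy>{modifier}</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2019-02-01T09:00:00Z</dcterms:created>
</cp:coreProperties>"""


def build_sample_xlsx(creator: str, modifier: str) -> bytes:
    """Constructed minimal OOXML zip: just enough parts for metadata triage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("docProps/core.xml", CORE_XML_TEMPLATE.format(creator=creator, modifier=modifier))
    return buf.getvalue()


# Constructed sample: creator field holds the Persian word for "user" (U+06A9 U+0627 U+0631 U+0628 U+0631),
# lastModifiedBy holds a Latin-script username.
PERSIAN_USER = "\u06a9\u0627\u0631\u0628\u0631"
SAMPLE_DOC = build_sample_xlsx(creator=PERSIAN_USER, modifier="user")


if __name__ == "__main__":
    for field, value, script in flag_author_scripts(read_core_properties(SAMPLE_DOC)):
        print(f"{field}: {value!r} is in {script} script")
```

Run against real samples, treat a hit as a pivot for clustering rather than attribution on its own: core.xml is trivially editable, and a developer can build documents from a template whose author fields were filled in by someone else.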