COBALT MIRAGE
SUMMARY
Operating since at least June 2020, COBALT MIRAGE prepares and delivers ransomware attacks, using BitLocker and DiskCryptor to encrypt systems. While the group's attacks do not appear to have commenced until early 2021, infrastructure created in support of the activity dates back to June 2020.
COBALT MIRAGE has demonstrated a preference for attacking organizations in Israel, the U.S., Europe, and Australia, deploying ransomware for financial gain. Aspects of their activity have also included intelligence collection.
COBALT MIRAGE appears opportunistic in its targeting, obtaining initial access via scan-and-exploit activity. In 2021 the group conducted a broad scan-and-exploit campaign targeting Fortinet FortiOS vulnerabilities. From late September 2021, the group conducted a broad scan-and-exploit campaign targeting Microsoft Exchange servers. The threat actors exploited the ProxyShell and Log4j vulnerabilities to deploy TunnelFish, a custom Fast Reverse Proxy client (FRPC) variant, and thereby enable remote access to vulnerable systems.
CTU researchers have uncovered evidence linking COBALT MIRAGE to two Iranian companies: Najee Technology (aka Secnerd) and Afkar System. In September 2022, indictments from the US Department of Justice and sanctions from the US Treasury confirmed the connection between employees of these companies and COBALT MIRAGE ransomware attacks. The sanctions document stated that the companies and individuals were affiliated with the Islamic Revolutionary Guard Corps (IRGC).
CTU researchers have observed indications of links between COBALT MIRAGE and COBALT ILLUSION’s phishing and access operations.