COBALT TRINITY
SUMMARY
COBALT TRINITY has been active since at least 2015, and CTU researchers assess with moderate confidence that the group operates on behalf of Iran. Known targets include U.S., UK, and Middle Eastern organizations in the government, defense, aerospace, legal, oil and gas, and energy verticals. The group has also conducted broad campaigns that cut across multiple verticals. COBALT TRINITY has been observed using publicly available tools such as NanoCore, NetWire, PupyRAT, PoshC2, and Koadic. The threat group also uses a selection of custom tools such as Powerton, Dello RAT, AutoCore, KDALogger, and PoyLog.
In 2019, COBALT TRINITY was tentatively linked to the 2018 Middle Eastern Shamoon activity. The threat actors perform password-spraying attacks against a broad swath of companies and individuals and use a playbook when spearphishing intended targets. Between 2017 and 2019, CTU researchers observed multiple COBALT TRINITY campaigns using job-themed spearphishing to initiate a multi-staged PowerShell-based infection chain to deploy custom and publicly available RATs. The group’s objective appears to be gathering intelligence for military, political, and economic advantage. Broad password spraying is a favored tactic to obtain initial access, with organizations repeatedly targeted once they make it onto COBALT TRINITY's radar.
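The password spraying described above is designed to stay under per-account lockout thresholds: one or a few passwords are tried against many accounts, so no single account sees a burst of failures. The detectable signal is therefore at the source, not the account. The following is an added example, not code from the profile or from CTU; it assumes a simple constructed log format (timestamp, source address, username, result) and flags any source that fails against many distinct accounts within a window while trying each account only a few times. It generalizes slightly beyond the text by using a sliding window over each source's failures rather than a single fixed bucket.

```python
"""Password-spray detection over authentication logs (added example).

A spray tries one or a few common passwords against many accounts, so
per-account lockouts never trigger. The signal is one source address
failing against many distinct usernames in a short window with few
attempts per username. The log format, field names and sample lines
below are constructed for this example and are not from the profile.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source_ip> <username> <result>".
# 203.0.113.7 sprays eight accounts once each; 198.51.100.4 hammers one
# account (a brute force, not a spray); 192.0.2.10 is ordinary activity.
SAMPLE_LOG = """\
2019-03-04T09:00:01 203.0.113.7 alice FAIL
2019-03-04T09:00:11 203.0.113.7 bob FAIL
2019-03-04T09:00:21 203.0.113.7 carol FAIL
2019-03-04T09:00:31 203.0.113.7 dave FAIL
2019-03-04T09:00:41 203.0.113.7 erin FAIL
2019-03-04T09:00:51 203.0.113.7 frank FAIL
2019-03-04T09:01:01 203.0.113.7 grace FAIL
2019-03-04T09:01:11 203.0.113.7 heidi FAIL
2019-03-04T09:02:00 198.51.100.4 alice FAIL
2019-03-04T09:02:05 198.51.100.4 alice FAIL
2019-03-04T09:02:10 198.51.100.4 alice FAIL
2019-03-04T09:02:15 198.51.100.4 alice FAIL
2019-03-04T09:03:00 192.0.2.10 alice OK
2019-03-04T09:03:30 192.0.2.10 bob FAIL
2019-03-04T09:03:45 192.0.2.10 bob OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source, user, result)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result


def detect_password_spray(lines, window=timedelta(minutes=5),
                          min_users=5, max_per_user=2):
    """Return {source_ip: sorted distinct usernames} for every source whose
    failed logons within some `window` touch at least `min_users` distinct
    accounts while no single account is tried more than `max_per_user`
    times. The per-user cap separates a spray from a single-account brute
    force, which per-account lockout policy already covers."""
    failures = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))

    findings = {}
    for src, events in failures.items():
        events.sort()
        # Slide a window starting at each failure from this source.
        for i, (start, _) in enumerate(events):
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_per_user):
                findings[src] = sorted(per_user)
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, users in detect_password_spray(SAMPLE_LOG.splitlines()).items():
        print(f"possible password spray from {src}: {len(users)} accounts "
              f"({', '.join(users)})")
```

The thresholds are deliberately parameters: a spray against a large tenant may hit hundreds of accounts, so `min_users` should be tuned to the environment, and the source key can be a tenant-wide aggregate rather than a single address when the actor rotates egress IPs. The same shape applies to real logon records (for example Windows event 4625 or a cloud identity provider's sign-in log) once the parser is swapped for one that reads that format.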