Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US

Cobalt Mirage is an Iranian threat group believed to be linked to the Iranian Cobalt Illusion threat group. Cobalt Mirage’s activities have been reported as TunnelVision and Phosphorus.

SecureWorks® Counter Threat Unit™ (CTU) researchers are investigating an Iranian threat group known as Cobalt Mirage. This group first surfaced in June 2020 and is linked to another Iranian threat group, Cobalt Illusion, also known as Charming Kitten, Phosphorus, APT35, and Newscaster.

The group primarily uses phishing campaigns to gain access to networks. Researchers suspect that the two groups are interconnected and might share access and tradecraft.

It is worth noting that Charming Kitten was previously accused of involvement in some highly sophisticated social engineering attacks, including bypassing Gmail and Yahoo’s two-factor authentication (2FA) in December 2018.

Furthermore, Charming Kitten was the talk of the town in March 2019 when Microsoft seized 99 websites used by Iranian hackers for large-scale phishing attacks. In July 2020, the same group exposed 40GB of videos revealing its entire modus operandi.

Cobalt Mirage Attack Tactics

Based on information obtained via incident response activities and public reporting, the researchers identified two clusters of Cobalt Mirage attacks, labeled Cluster A and Cluster
