COBALT MYSTIQUE
Aliases
Tools
SUMMARY
COBALT MYSTIQUE conducts cyber espionage operations against individuals and organizations, including political groups and journalists, that are perceived as hostile to the Iranian regime. The group engages targets via the Telegram messaging service, tricking victims into running fake installers that deploy GramyPy, a custom backdoor that uses the Telegram Bot API for command and control. The unauthorized access is used to steal browser data and secrets, likely for intelligence gain or use in follow-on operations.
Third-party reporting has linked COBALT MYSTIQUE to destructive wiper operations that combine fake hacktivist personas and influence operations. These include the hacktivist persona "HomeLand Justice", used in disruptive hack-and-leak attacks against Albania beginning in July 2022, and the "Karmabelow80" persona, used in destructive wiper attacks against Israel beginning in 2024.