COBALT SMOKEY
SUMMARY
Active since September 2021, COBALT SMOKEY is an espionage-focused Iranian threat group that targets aviation, aerospace, telecommunications, defense and information technology entities in the Middle East and Europe. The group uses employment-themed social engineering attacks and custom malware to gain access to organizations and information of strategic interest to Iran.
Using fake recruiter personas, COBALT SMOKEY approaches employees at target organizations with fake job opportunities at well-known companies. The group provides custom malware packages disguised as HR or job portal applications. Victim endpoints are infected with implants that allow collection and exfiltration of sensitive files, C2 communications, and remote code execution.
COBALT SMOKEY activity overlaps with attacks attributed in third-party reporting to TA455, Smoke Sandstorm, UNC5149, and Subtle Snail.