Iran

COBALT MYSTIQUE

Objectives: Data Theft, Disruption, Espionage
Aliases: Banished Kitten (CrowdStrike), DEV-0842 (Microsoft), Druidfly (Symantec), Handala Hack Team, Homeland Justice, Karmabelow80, Red Sandstorm (Microsoft), Storm-0842 (Microsoft), Void Manticore (Check Point)
Tools: AllinOneNeo, Bibi, GramPy, GramPyLoader

Summary

COBALT MYSTIQUE conducts cyber espionage operations against individuals and organizations, including political groups and journalists, that are perceived as hostile to the Iranian regime. The group engages targets via the Telegram messaging service, tricking victims into running fake installers that deploy GramPy, a custom backdoor which uses the Telegram Bot API for command and control. The unauthorized access is used to steal browser data and secrets, likely for intelligence gain or for use in follow-on operations.

COBALT MYSTIQUE also conducts hack-and-leak and destructive attacks, which it amplifies through fake hacktivist personas as part of influence operations. These include the "Homeland Justice" persona used in disruptive hack-and-leak attacks against Albania beginning in July 2022, the "Handala Hack" persona used in attacks focused primarily on Israel since 2023, and the "Karmabelow80" persona used in destructive wiper attacks against Israel beginning in 2024.
