COBALT HICKMAN
SUMMARY
COBALT HICKMAN has been active since at least 2014 and possibly as early as 2011. In the past, the group primarily targeted Iranian domestic citizens, the wider Iranian diaspora, and the telecommunications and travel verticals. In 2018, CTU researchers observed COBALT HICKMAN creating spoofed airline, telecommunication, and travel system provider domains to lure targets. The threat actors use phishing techniques to compromise credentials or to install the modular Remexi malware. CTU researchers discovered new infrastructure in early 2019, suggesting that COBALT HICKMAN remains active. The threat group continues to focus on the telecommunications and travel verticals, which CTU researchers assess with moderate confidence is for the purpose of surveillance operations against individuals and organizations of interest to the Iranian government.