Cobalt Mirage Uses Ransomware in APT to Target U.S. Organizations | WhoisXML API

Threat Reports

Blurring the Lines between APTs and Cybercrime: Cobalt Mirage Uses Ransomware to Target U.S. Organizations

Cobalt Mirage, a well-known APT group, recently took a page out of cybercriminals’ modus operandi—using ransomware—to go after targets earlier this month.1 So far, only 11 domains and two IP addresses have been publicized as indicators of compromise (IoCs).2

In an effort to help organizations avoid becoming the next victims, we uncovered more artifacts, including:

  • A few unredacted registrant email addresses from the domain IoCs’ WHOIS records
  • 600+ domains that shared the domain IoCs’ registrant email addresses or IP address resolutions, a couple of which are considered malicious
  • Other potential IP hosts
  • 20,000+ domains that contained similar strings or string combinations as the domain IoCs, only two of which belonged to the mimicked companies (Microsoft or Symantec) and 7% were dubbed “malicious”

Download a sample of the threat research materials now or contact us to access the complete set of research materials.


  • [1]
  • [2]
Try our WhoisXML API for free
Get started