Cobalt Bank Robbers Use New ThreadKit Malicious Doc Builder

The Cobalt hacking group, which specializes in breaching the networks of financial institutions and banks, is now using a new variant of the ThreadKit exploit builder kit for Microsoft Office documents.

Observed in a campaign on October 30, the new tactics show an evolution of the ThreadKit macro delivery tool. The final payload downloaded this way is CobInt, a signature malware of the Cobalt group. The exploit-building framework was first noticed in October 2017, although it had been used in campaigns as early as June that year, leveraging CVE-2017-0199, for which exploit code was publicly available.

Read more about the new Cobalt hacking campaign on BleepingComputer.