COBALT JUNO  (Back to overview)

aka: APT-C-38 (QiAnXin), SABER LION, TG-2884 (SCWX CTU)

COBALT JUNO has operated since at least 2013 and focused on targets located in the Middle East including Iran, Jordan, Egypt & Lebanon. COBALT JUNO custom spyware families SABER1 and SABER2, include surveillance functionality and masquerade as legitimate software utilities such as Adobe Updater, StickyNote and ASKDownloader. CTU researchers assess with moderate confidence that COBALT JUNO operated the ZooPark Android spyware since at least mid-2015. ZooPark was publicly exposed in 2018 in both vendor reporting and a high profile leak of C2 server data. COBALT JUNO is linked to a private security company in Iran and outsources aspects of tool development work to commercial software developers. CTU researchers have observed the group using strategic web compromises to deliver malware. CTU researchers’ discovery of new C2 domains in 2019 suggest the group is still actively performing operations.

Associated Families

There are currently no families associated with this actor.

@online{secureworks:2020:cobalt:21b0d20, author = {SecureWorks}, title = {{COBALT JUNO}}, date = {2020}, organization = {Secureworks}, url = {}, language = {English}, urldate = {2020-05-23} } COBALT JUNO

Credits: MISP Project