Threats Feed | COBALT DICKENS | Last Updated: 24/01/2025 | Author: Certfa Radar | Publish Date: 11/09/2019

COBALT DICKENS Targets Global Universities in Persistent Phishing Campaign

  • Actor Motivations: Exfiltration, Financial Gain
  • Attack Vectors: Compromised Credentials, Phishing
  • Attack Complexity: Low
  • Threat Risk: Low Impact/High Probability

Threat Overview

COBALT DICKENS, linked to Iran's Mabna Institute, continues to run large-scale phishing campaigns against universities around the world. In July and August 2019 the group ran a global operation that compromised more than 60 universities in the US, UK, Australia, Canada, Hong Kong and Switzerland. Phishing emails led victims to spoofed login pages for library resources, where their credentials were harvested. The attackers registered domains under free TLDs and obtained legitimate SSL certificates for them, making the phishing infrastructure more convincing. Despite multiple takedowns and indictments, COBALT DICKENS remains active, having targeted over 380 universities in more than 30 countries, and relies on free tools and public services to sustain its operations.

Detected Targets

Type      Description       Confidence
Sector    University        Verified
Region    Australia         Verified
Region    Canada            Verified
Region    Hong Kong         Verified
Region    Switzerland       Verified
Region    United Kingdom    Verified
Region    United States     Verified

Extracted IOCs

  • 1edu[.]in
  • aill[.]cf
  • aill[.]nl
  • anvc[.]me
  • atna[.]cf
  • atti[.]cf
  • azll[.]cf
  • azlll[.]cf
  • aztt[.]tk
  • blibo[.]ga
  • cave[.]gq
  • ccli[.]cf
  • cill[.]ml
  • clll[.]nl
  • clll[.]tk
  • cnen[.]cf
  • cnma[.]cf
  • cntt[.]cf
  • crll[.]tk
  • csll[.]cf
  • ctll[.]tk
  • cvnc[.]ga
  • cvve[.]cf
  • czll[.]tk
  • cztt[.]tk
  • ebookfafa[.]com
  • eduv[.]icu
  • eill[.]cf
  • eill[.]ga
  • eill[.]nl
  • e-library[.]me
  • elll[.]cf
  • etll[.]cf
  • euca[.]cf
  • euce[.]in
  • ezll[.]tk
  • ezplog[.]in
  • ezproxy[.]tk
  • eztt[.]tk
  • fill[.]cf
  • flil[.]cf
  • flll[.]cf
  • iell[.]tk
  • illl[.]cf
  • ills[.]cf
  • iull[.]tk
  • izll[.]tk
  • jhbn[.]me
  • jlll[.]cf
  • lett[.]cf
  • lib1[.]bid
  • lib1[.]pw
  • liba[.]gq
  • libb[.]ga
  • libe[.]ga
  • libe[.]ml
  • libf[.]ga
  • libg[.]cf
  • libg[.]ga
  • libg[.]gq
  • libg[.]tk
  • libk[.]ga
  • libloan[.]xyz
  • libm[.]ga
  • libnicinfo[.]xyz
  • librarylog[.]in
  • libraryme[.]ir
  • lib-service[.]com
  • libt[.]ga
  • libt[.]ml
  • libu[.]gq
  • libver[.]ml
  • lill[.]gq
  • lill[.]pro
  • llbt[.]tk
  • llib[.]cf
  • llib[.]ga
  • llic[.]cf
  • llic[.]tk
  • llii[.]cf
  • llii[.]xyz
  • llil[.]cf
  • llil[.]nl
  • llit[.]cf
  • llit[.]site
  • lliv[.]nl
  • lliv[.]tk
  • lllf[.]nl
  • lllib[.]cf
  • llli[.]nl
  • llse[.]cf
  • lzll[.]cf
  • mlib[.]cf
  • mlibo[.]ml
  • ncll[.]tk
  • ncnc[.]cf
  • nctt[.]tk
  • necr[.]ga
  • nicn[.]gq
  • nika[.]ga
  • nimc[.]cf
  • nimc[.]ga
  • nimc[.]ml
  • nlll[.]cf
  • nsae[.]ml
  • ntll[.]tk
  • nuec[.]cf
  • nuec[.]ml
  • rill[.]cf
  • rnva[.]cf
  • rtll[.]tk
  • savantaz[.]cf
  • sctt[.]cf
  • shibboleth[.]link
  • sitl[.]tk
  • slli[.]cf
  • stll[.]tk
  • till[.]cf
  • titt[.]cf
  • tlll[.]cf
  • tsll[.]cf
  • ttil[.]nl
  • uill[.]cf
  • uitt[.]tk
  • ulibe[.]ml
  • ulibr[.]ga
  • ulll[.]cf
  • ulll[.]tk
  • umlib[.]ml
  • umll[.]tk
  • uncr[.]me
  • unie[.]ga
  • unie[.]gq
  • unie[.]ml
  • uni-lb[.]com
  • unin[.]icu
  • unip[.]cf
  • unip[.]ga
  • unip[.]gq
  • unip[.]ml
  • unir[.]cf
  • unir[.]ga
  • unir[.]gq
  • unir[.]ml
  • unisv[.]xyz
  • univ[.]red
  • unll[.]tk
  • untc[.]ir
  • untc[.]me
  • untf[.]me
  • unts[.]me
  • unvc[.]me
  • utll[.]tk
  • vsre[.]cf
  • vtll[.]cf
  • web2lib[.]info
  • xill[.]tk
  • zedviros[.]ir
  • zill[.]cf

Tip: 159 related IOCs (0 IP, 159 domain, 0 URL, 0 email, 0 file hash) to this threat have been found.
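The indicators above are defanged (`[.]` in place of `.`) so they cannot be clicked by accident. To use them for detection they have to be refanged and matched against hostnames on a label boundary, so that a lookalike such as `notezproxy.tk` is not mistaken for `ezproxy.tk` while a subdomain such as `login.shibboleth.link` is caught. The following is an added example of that check and is not Certfa Radar's own tooling; the IOC subset is copied from the list on this page, while the DNS log lines and their `key=value` layout are constructed for illustration and assumed rather than taken from any real resolver.

```python
"""Refang the defanged domain IOCs from this threat feed and match them
against DNS query logs. Added example, not Certfa Radar's own tooling;
the log lines and their field layout are constructed for illustration."""
import re
from typing import Dict, FrozenSet, Iterable, List, Optional

# Subset of the defanged domains listed under "Extracted IOCs" on this page.
DEFANGED_IOCS = [
    "ezproxy[.]tk", "e-library[.]me", "shibboleth[.]link", "lib-service[.]com",
    "libraryme[.]ir", "unip[.]cf", "uni-lb[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into its
    real form, lower-cased and with any trailing dot stripped."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    return s.rstrip(".")


def build_domain_set(defanged: Iterable[str]) -> FrozenSet[str]:
    """Refang every indicator and return a set suitable for fast lookup."""
    return frozenset(refang(d) for d in defanged)


def matches_ioc(hostname: str, ioc_domains: FrozenSet[str]) -> Optional[str]:
    """Return the matching IOC domain if `hostname` is that domain or a
    subdomain of it. The match is made on label boundaries, so
    'notezproxy.tk' does not match 'ezproxy.tk'."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


# Constructed DNS resolver log lines (not real telemetry); the key=value
# layout is an assumption made for this example.
SAMPLE_DNS_LOG = """\
2019-08-12T10:14:03Z client=10.20.30.5 query=www.library.example.edu type=A rcode=NOERROR
2019-08-12T10:14:09Z client=10.20.30.5 query=ezproxy.tk type=A rcode=NOERROR
2019-08-12T10:15:41Z client=10.20.30.17 query=login.shibboleth.link type=A rcode=NOERROR
2019-08-12T10:16:02Z client=10.20.30.22 query=notezproxy.tk type=A rcode=NXDOMAIN
2019-08-12T10:16:30Z client=10.20.30.9 query=UNIP.CF. type=AAAA rcode=NOERROR
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def scan_dns_log(log_text: str, ioc_domains: FrozenSet[str]) -> List[Dict[str, str]]:
    """Parse each log line and report queries that hit an IOC domain."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        ioc = matches_ioc(m["query"], ioc_domains)
        if ioc:
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "query": m["query"].rstrip("."),
                "ioc": ioc,
            })
    return hits


if __name__ == "__main__":
    domains = build_domain_set(DEFANGED_IOCS)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, domains):
        print(f"{hit['ts']} {hit['client']} queried {hit['query']} "
              f"(matches IOC {hit['ioc']})")
```

Run against the constructed log, the script flags three of the five queries: the bare `ezproxy.tk`, the subdomain `login.shibboleth.link`, and the upper-cased, dot-terminated `UNIP.CF.`; the lookalike `notezproxy.tk` and the legitimate library host are left alone. Feeding it the full list from this page is a matter of extending `DEFANGED_IOCS`.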

Overlaps

TA407 | TA407's Phishing Campaigns Continue Targeting Universities Globally

Source: Proofpoint - October 2019

Detection (38 cases): aill[.]nl, azll[.]cf, blibo[.]ga, cill[.]ml, clll[.]tk, cnen[.]cf, cvve[.]cf, eill[.]cf, eill[.]ga, eill[.]nl, elll[.]cf, fill[.]cf, flil[.]cf, flll[.]cf, illl[.]cf, ills[.]cf, jlll[.]cf, liba[.]gq, libb[.]ga, libe[.]ga, libf[.]ga, libk[.]ga, libm[.]ga, libt[.]ga, libver[.]ml, llii[.]xyz, llit[.]cf, llli[.]nl, lllib[.]cf, lzll[.]cf, mlibo[.]ml, nlll[.]cf, ntll[.]tk, nuec[.]cf, stll[.]tk, tlll[.]cf, ulll[.]tk, vtll[.]cf

COBALT DICKENS | COBALT DICKENS Phishing Campaign Targets Global Universities for Credential Theft

Source: Secureworks - August 2018

Detection (21 cases): anvc[.]me, ebookfafa[.]com, eduv[.]icu, jhbn[.]me, lib-service[.]com, nimc[.]cf, uncr[.]me, unie[.]ga, unie[.]ml, unin[.]icu, unip[.]cf, unip[.]gq, unir[.]cf, unir[.]gq, unir[.]ml, unisv[.]xyz, univ[.]red, untc[.]me, untf[.]me, unts[.]me, unvc[.]me

Silent Librarian | Silent Librarian: Iranian Group Targets Global Universities and Research Institutions

Source: Phishlabs - March 2018

Detection (2 cases): nsae[.]ml, ulibr[.]ga

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation
COBALT DICKENS
An Iranian threat group believed to be associated with the Iranian government. It is responsible for phishing campaigns targeting university credentials and intellectual property and has been active since at least 2013. The group is known for using spoofed login pages and spoofed domains.