Golden Chickens: Uncovering A Malware-as-a-Service (MaaS) Provider and Two New Threat Actors Using It

Note: This article was initially written by the QuoINT Team as part of QuoScient GmbH. Following the foundation of QuoIntelligence in March 2020, it was transferred to the QuoIntelligence website on 21 April 2020.

Executive Summary

Over the last few years, QuoScient’s Intelligence Operations Team (QuoINT) has tracked activities attributed to the Cobalt group and observed their notable evolution and continuously improving Tactics, Techniques, and Procedures (TTPs).


Cyber attribution is becoming increasingly challenging as threat actors frequently use false flag techniques and shared infrastructure to increase the resiliency of their operations against takedowns and law enforcement investigations. For e-Crime actors especially, it is common practice to rent the same bulletproof infrastructure or botnet used by other e-Crime groups, which increases the likelihood of overlapping C2 servers. In recent years, we have noted a tendency for threat actors to outsource even more parts of the kill chain to third parties by using or offering MaaS solutions. Figure 1 shows an example of such a network where multiple stakeholders are involved.
