SpicyOmelette is a JavaScript based remote access tool that has been used by Cobalt Group since at least 2018.[1]

ID: S0646
Platforms: Windows
Version: 1.0
Created: 21 September 2021
Last Modified: 18 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

SpicyOmelette has the ability to execute arbitrary JavaScript code on a compromised host.[1]

Enterprise T1005 Data from Local System

SpicyOmelette has collected data and other information from a compromised host.[1]

Enterprise T1105 Ingress Tool Transfer

SpicyOmelette can download malicious files from threat actor-controlled AWS URLs.[1]

Enterprise T1566.002 Phishing: Spearphishing Link

SpicyOmelette has been distributed via emails containing a malicious link that appears to be a PDF document.[1]

Enterprise T1018 Remote System Discovery

SpicyOmelette can identify payment systems, payment gateways, and ATM systems in compromised environments.[1]

Enterprise T1518 Software Discovery

SpicyOmelette can enumerate running software on a targeted system.[1]

Enterprise T1518.001 Software Discovery: Security Software Discovery

SpicyOmelette can check for the presence of 29 different antivirus tools.[1]

Enterprise T1553.002 Subvert Trust Controls: Code Signing

SpicyOmelette has been signed with valid digital certificates.[1]

Enterprise T1082 System Information Discovery

SpicyOmelette can identify the system name of a compromised host.[1]

Enterprise T1016 System Network Configuration Discovery

SpicyOmelette can identify the IP of a compromised system.[1]

Enterprise T1204.001 User Execution: Malicious Link

SpicyOmelette has been executed through malicious links within spearphishing emails.[1]

Groups That Use This Software

ID Name References
G0080 Cobalt Group