CosmicBeetle attacks European organizations 

B2B Cyber ​​Security ShortNews

Share post

The hacker group CosmicBeetle attacks organizations worldwide, especially European ones. The group uses the Spacecolon toolset to spread ransomware among its victims and extort ransoms.

The attackers exploit the zero-logon vulnerability in web servers for their attacks. Alternatively, hackers resort to classic brute force attacks on RDP credentials to break into organizations. Spacecolon has been active since at least May 2020 until today.

CosmicBeetle also operates globally

ESET specialists were able to track CosmicBeetle and its tools worldwide. Countries in the European Union, such as Spain, France, Belgium, Poland and Hungary, are particularly affected. Outside the EU, organizations in Mexico and Turkey are particularly targeted.

“How the hacker group selects its victims remains unclear. There are neither areas of focus nor similarities in the size of the targets: a hospital and resort in Thailand, an insurance company in Israel, a local government facility in Poland, an entertainment provider in Brazil, an environmental company in Turkey and a school in Mexico,” says ESET Researcher Jakub Souček, author of the analysis. Spacecolon's program code contains many Turkish character strings. ESET therefore assumes that the developers are of Turkish origin.

How does CosmicBeetle do it?

After hackers compromise a web server, they download and run additional tools on their victims' computers. In addition to ransomware, this also includes other third-party tools: These enable attackers to deactivate security products, extract critical information and gain expanded access via backdoors for particularly worthwhile targets.

In some cases, ransomware that uses ClipBanker is also used. This is a type of malware that monitors the contents of the clipboard. If it finds content that is a crypto wallet address, it inserts an address controlled by the attacker. The hacking group makes no significant effort to hide its malware. It leaves behind numerous artifacts on compromised systems.

New ransomware is in the works

CosmicBeetle is also preparing to distribute a new ransomware family called ScRansom. ESET Research assumes that Cosmic Beetle is behind the development. This ransomware attempts to encrypt all hard drives, removable storage devices and remote drives. However, she has not yet been observed in action. The specialists therefore suspect that it is still in the development phase.

More at


About ESET

ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit or follow us on LinkedIn, Facebook and Twitter.


Matching articles on the topic

Report: 40 percent more phishing worldwide

The current spam and phishing report from Kaspersky for 2023 speaks for itself: users in Germany are after ➡ Read more

BSI sets minimum standards for web browsers

The BSI has revised the minimum standard for web browsers for administration and published version 3.0. You can remember that ➡ Read more

Stealth malware targets European companies

Hackers are attacking many companies across Europe with stealth malware. ESET researchers have reported a dramatic increase in so-called AceCryptor attacks via ➡ Read more

IT security: Basis for LockBit 4.0 defused

Trend Micro, working with the UK's National Crime Agency (NCA), analyzed the unpublished version that was in development ➡ Read more

MDR and XDR via Google Workspace

Whether in a cafe, airport terminal or home office – employees work in many places. However, this development also brings challenges ➡ Read more

Test: Security software for endpoints and individual PCs

The latest test results from the AV-TEST laboratory show very good performance of 16 established protection solutions for Windows ➡ Read more

FBI: Internet Crime Report counts $12,5 billion in damage 

The FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which includes information from over 880.000 ➡ Read more

HeadCrab 2.0 discovered

The HeadCrab campaign against Redis servers, which has been active since 2021, continues to successfully infect targets with the new version. The criminals' mini-blog ➡ Read more