S0646 SpicyOmelette

SpicyOmelette is a JavaScript-based remote access tool that has been used by Cobalt Group since at least 2018.[1]

| Item | Value |
|---|---|
| ID | S0646 |
| Associated Names | |
| Version | 1.0 |
| Created | 21 September 2021 |
| Last Modified | 18 October 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.007 | JavaScript | SpicyOmelette has the ability to execute arbitrary JavaScript code on a compromised host.[1] |
| enterprise | T1005 | Data from Local System | SpicyOmelette has collected data and other information from a compromised host.[1] |
| enterprise | T1105 | Ingress Tool Transfer | SpicyOmelette can download malicious files from threat actor-controlled AWS URLs.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.002 | Spearphishing Link | SpicyOmelette has been distributed via emails containing a malicious link that appears to be a PDF document.[1] |
| enterprise | T1018 | Remote System Discovery | SpicyOmelette can identify payment systems, payment gateways, and ATM systems in compromised environments.[1] |
| enterprise | T1518 | Software Discovery | SpicyOmelette can enumerate running software on a targeted system.[1] |
| enterprise | T1518.001 | Security Software Discovery | SpicyOmelette can check for the presence of 29 different antivirus tools.[1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | SpicyOmelette has been signed with valid digital certificates.[1] |
| enterprise | T1082 | System Information Discovery | SpicyOmelette can identify the system name of a compromised host.[1] |
| enterprise | T1016 | System Network Configuration Discovery | SpicyOmelette can identify the IP of a compromised system.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | SpicyOmelette has been executed through malicious links within spearphishing emails.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0080 | Cobalt Group | [1] |