Danger level 6
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Shows commercial adverts
  • Connects to the internet without permission
  • Installs itself without permissions


Cobalt is a malicious Trojan that seems to be targeted at Microsoft Office users in Russia. If this infection gains access to the operating system, the cyber criminals using it can take control and initiate all kinds of malicious processes. Unfortunately, the infection is pretty much silent when it comes in, and the victim is unlikely to notice it right away. In fact, it is most likely that the infection would be discovered only if the operating system was scanned using a trustworthy, up-to-date malware scanner that can recognize the Trojan. Without a doubt, this malicious threat must be deleted immediately because any user facing it is at great risk. In this report, we discuss how the threat gets in, what it does and, of course, how to eliminate it. If you cannot wait to remove Cobalt, at least read the final portion of this report before you follow the instructions. If you can spare a few minutes, continue reading to learn everything you need to know.

It was discovered that the devious Cobalt Trojan is spread by exploiting a vulnerability identified as CVE-2017-11882. This is a vulnerability in the Microsoft Office software, and it was patched by Microsoft technicians in November 2017. The surprising thing is that the issue existed for 17 years before being discovered. Although a patch was released right away, and users should have been notified about the necessary security update, not all users are quick to install updates, and others downright ignore them. Cyber criminals, of course, prey on these careless users, and it was found that they have been exploiting the vulnerability by employing a spam email attack. The email is allegedly sent by VISA to inform users about changes regarding the well-known payWave service. The message is written in Russian, which is why it is assumed that the Trojan targets those in Russia. If you receive a spam email with that kind of message, you should remove it without any hesitation. If you end up interacting with it, you will need to delete Cobalt.

The misleading spam email associated with the Cobalt Trojan carries two attachments. One of them is a document file named Изменения в системе безопасности.doc Visa payWave.doc, and the other one is an archive with the same name. This archive is password-protected, and so you cannot access it. If you choose to open the document file, you are shown a document with two words in it: “Enable editing.” Even if you close the document, a PowerShell script is loaded and Cobalt Strike is downloaded without the user’s notice. The script is saved as {random characters}.ps1 under %AppData%, and it loads Cobalt into memory. Unfortunately, this allows cyber criminals to act without the user’s notice, and all kinds of actions could be initiated. The actors behind the infection could take full control of your operating system, and this could be used to download other malware with different functions, steal data, open up security backdoors, hijack your online accounts, etc. Needless to say, every second is important in this situation, and the sooner you delete the infection, the fewer problems you are likely to encounter.

The patch for the Microsoft Office vulnerability linked to the Cobalt Trojan has been created, and users who download security updates in time are safe. Those who do not are at risk of facing the malicious Trojan. Having this clandestine infection running wild on the computer is extremely dangerous, and so it is strongly recommended that users inspect their operating systems right away to make sure that it is not hidden there. This threat does not have an interface, and you cannot see it, and so using a malware scanner is the best thing you can do. You can also look for a .PS1 file in the %AppData% directory to see whether the Trojan is present. Can you delete Cobalt manually? Some users will certainly be able to do that, but, considering that other infections might have been downloaded too, you should think about employing anti-malware software. It will simultaneously erase all threats that are active on your operating system. Afterward, it will keep your system protected. If you take care of that and you do not skip system updates, you should evade other clandestine threats in the future.

Cobalt Removal

  1. Simultaneously tap Win+E keys on the keyboard to launch Explorer.
  2. Enter %APPDATA% into the bar at the top.
  3. Right-click and Delete the {random characters}.ps1 file.
  4. Empty Recycle Bin to eliminate the malicious file completely.
  5. Install a trusted, up-to-date malware scanner to inspect your system for malware leftovers.
  6. Install the latest security updates.
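
The check in steps 2 and 3 can also be done from a PowerShell prompt, which records when each script was created and its hash before anything is deleted. This is an added example, not part of the original report; it assumes PowerShell 4.0 or later, and the function name and the "random-looking name" rule are illustrative assumptions.

```powershell
# Added example: read-only triage of PowerShell scripts sitting directly in
# %APPDATA%. It lists and hashes files; it does not delete anything.
# Assumes PowerShell 4.0+ (Get-FileHash). Function name is hypothetical.

function Get-AppDataScriptCandidates {
    param(
        # Folder to inspect; defaults to the current user's roaming AppData.
        [string]$Path = $env:APPDATA
    )

    # -Force includes hidden files. The extension is re-checked because
    # -Filter '*.ps1' can also match longer extensions such as .ps1xml.
    Get-ChildItem -LiteralPath $Path -Filter '*.ps1' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.ps1' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Name       = $_.Name
                CreatedUtc = $_.CreationTimeUtc
                SizeBytes  = $_.Length
                Hidden     = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Signature  = $sig.Status   # e.g. NotSigned, Valid, HashMismatch
                SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                # Assumption: a base name made only of letters and digits is
                # treated as "random-looking". This is a hint, not a verdict.
                RandomLike = $_.BaseName -match '^[A-Za-z0-9]{6,}$'
                FullName   = $_.FullName
            }
        } |
        Sort-Object CreatedUtc -Descending
}

$found = @(Get-AppDataScriptCandidates)
if ($found.Count -eq 0) {
    Write-Output "No .ps1 files found directly under $env:APPDATA"
} else {
    # Newest first; compare CreatedUtc with the time the attachment was opened.
    $found | Format-List
}
```

Keep the SHA256 value of any file you delete so that it can be compared with the malware scanner's findings afterward.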