After further investigation, the macro builder, as well as the PDF template analyzed through this research, have been observed in attacks associated to multiple groups. One commonality on the analysis is that all the groups observed until now are mainly targeting finance related institutions. Despite part of the activity analyzed can be associated to known Cobalt Gang tactics and infrastructure, it’s not the only actor making use of the toolsets. Apart from Cobalt Gang, there are several financially motivated threat actors behind the infrastructure linked to this analysis. This suggests that the toolsets and possible part of the delivery infrastructure are sold/shared in black markets to very specific actor profiles.

https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/