Cold$eal

APT / Threat Group
3 aliases
Last seen: Mar 17, 2026

Intelligence Profile

Cold$eal is a packer for encrypting (sealing) malware. It contains some AV-evasion techniques as well as some sandbox-detection. It was developed by $@dok (aka Sadok aka Coldseal).

It was available as a cryptor service under the URL coldseal.us and was later sold as a toolkit consisting of the cryptor and a custom-made cryptostub, including a FUD (fully undetectable) guarantee backed by free updates to the cryptostub. The payload was encrypted using RC4 and added to the cryptostub as a resource; the encryption key itself was stored inside the same resource. Upon start, the cryptostub would extract the key, decrypt the payload and perform a self-injection using the now-decrypted payload.

Note: The packed sample provided contains some harmless payload, while the unpacked sample is the bare cryptostub without a payload.

Threat Analysis

Cold$eal's sophistication level, national origin, primary motivation and activity patterns are undetermined; no further threat analysis is available.

External References

Quick Facts

Type: APT / Threat Group
Aliases: 3

Also Known As

win.coldseal, ColdSeal, Cold$eal

External Intelligence

Malpedia: win.coldseal

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.