A subgroup of the state-backed Iranian threat actor Cobalt Mirage is using a new custom malware dubbed “Drokbk” to attack a variety of US organizations, using GitHub as a “dead-drop resolver.”