Introduction
ExCobalt is an APT group that has been active since at least 2016 and is believed to be linked to the notorious Cobalt Gang. The group primarily targets Russian organizations across sectors—including metallurgy, telecommunications, mining, information technology, government, and software development by exploiting supply chain weaknesses and compromised contractors for initial access. ExCobalt’s toolkit features a custom Golang‑based backdoor, GoRed, which enables remote command execution, credential harvesting, and detailed system reconnaissance, while the group also employs established tools such as Spark RAT, Mimikatz, and multiple Linux privilege escalation exploits. Researchers note that ExCobalt continually evolves its tactics and even modifies standard utilities to bypass security controls and maintain persistent access, underscoring its commitment to sophisticated cyberespionage and data theft operations.
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Backdoor.Oldrea
- RemoteCMD
- CyberGate
- Cyber Eye RAT
- Remote Utilities
- RemotePC
- Xploit
- Archelaus Beta
- Cobalt Strike
- CrossRat
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.