Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
8 malware families

ExCobalt

Also known asExCobalt

ExCobalt is a threat actor conducting campaigns against Russian organizations. Reported targeting includes Russian entities broadly, and the activity has been described as affecting Russian organizations through exploitation of known security flaws and the use of credentials stolen from contractors to obtain initial access. Positive Technologies described ExCobalt as one of the most dangerous groups attacking Russian entities. Observed ExCobalt-associated activity includes attempts to steal Telegram credentials and message history from compromised hosts, theft of Outlook Web Access credentials via malicious code injected into the login page, and use of the CobInt backdoor. Associated tooling and payloads include lockers such as Babuk and LockBit, the PUMAKIT kernel rootkit for privilege escalation and stealth, and the Rust-based Octopus toolkit for privilege elevation on compromised Linux systems. Positive Technologies reported that ExCobalt shifted initial access from exploiting 1-day vulnerabilities in internet-exposed corporate services such as Microsoft Exchange to penetrating primary targets through contractors. The content also states that Shedding Zmiy is a group associated with the (Ex)Cobalt activity cluster, indicating a relationship between Shedding Zmiy and ExCobalt. The alias directly provided in the source is "excobalt."

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇷🇺 Russia
MITRE ATT&CK

Tradecraft

6 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

6 of 15 tactics12 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
3 techniques
T1078×3
Valid Accounts
T1189
Drive-by Compromise
T1190×2
Exploit Public-Facing Application
TA0003
Persistence
1 technique
T1078×3
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078×3
Valid Accounts
TA0005
Stealth
3 techniques
T1014
Rootkit
T1078×3
Valid Accounts
T1564
Hide Artifacts
TA0006
Credential Access
1 technique
T1056
Input Capture
T1056.003
Web Portal Capture
TA0009
Collection
1 technique
T1056
Input Capture
T1056.003
Web Portal Capture
ARSENAL

Associated malware families

8 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
BabukLockers such as Babuk and LockBit.1Mar 8, 2026
CobInt...attempts to siphon Telegram credentials... and Outlook Web Access credentials... - CobInt, a known backdoor used by the group.1Mar 8, 2026
Facefish...prior iterations known as Facefish (February 2021), Kitsune (February 2022), and Megatsune (November 2023).1Mar 8, 2026
Kitsune...prior iterations known as Facefish (February 2021), Kitsune (February 2022), and Megatsune (November 2023). The use of Kitsune was also linked to a threat cluster known as Sneaky Wolf...1Mar 8, 2026
LockBitLockers such as Babuk and LockBit.1Mar 8, 2026

3 additional families tracked in Mallory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
securelistNews
May 21, 2026
Analyzing the familiar tools used by the Crypt Ghouls hacktivists | Securelist

Activity cluster whose members may be participating in overlapping campaigns targeting Russian organizations; associated here through Shedding Zmiy and shared tooling/infrastructure patterns.

Read more
scworldNews
Feb 10, 2026
Bloody Wolf targets Uzbekistan and Russia with NetSupport RAT | SC Media

Campaigns targeting Russian organizations using exploitation of known vulnerabilities and use of stolen credentials.

Read more
the hacker newsNews
Feb 9, 2026
Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign

Targets Russian organizations; gains initial access by exploiting known vulnerabilities and using contractor-stolen credentials; conducts credential theft (Telegram/OWA) and uses a mix of backdoors, rootkits, and ransomware lockers.

Read more
the hacker newsNews
Feb 9, 2026
Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign

Targets Russian organizations; gains initial access via exploitation of known vulnerabilities and use of contractor-stolen credentials; conducts credential theft (Telegram and OWA) and uses a mix of backdoors, rootkits, and ransomware lockers.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping6

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal8

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.