Mallory
Malware | Ransomware | Used by 5 actors | Exploits 1 CVE

CobInt

CobInt is a backdoor/loader used in intrusions targeting Russian organizations. The provided reporting links its use to multiple threat clusters, including Twelve, Head Mare, Crypt Ghouls, and ExCobalt/Shedding Zmiy-related activity. It has been used for remote access to domain controllers and as a follow-on exploitation tool in campaigns against Russian companies, government agencies, and sectors including manufacturing, energy, mining, finance, retail, and other state and private-sector entities.

Observed delivery and execution chains include a VBScript downloader/loader named Intellpui.vbs that executes obfuscated PowerShell to load CobInt into memory from a command-and-control server, and another loader chain using mcdrive.vbs and mcdrive.ps1, where mcdrive.ps1 acted as a CobInt loader contacting the C2 domain 360nvidia[.]com. In one incident, attackers exploited CVE-2021-26855 (ProxyLogon) on Microsoft Exchange Server to download and launch CobInt. Reporting also states CobInt connected to a command-and-control domain resolving to 45.156.27[.]115.

High-confidence indicators and artifacts directly mentioned in the content include Intellpui.vbs, mcdrive.vbs, mcdrive.ps1, the domain 360nvidia[.]com, and infrastructure resolving to 45.156.27[.]115. CobInt is specifically described as a known backdoor used by ExCobalt and as malware previously observed only in Twelve’s attacks before later use by Head Mare and Crypt Ghouls, making it a notable overlap point between these Russia-focused intrusion sets.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2021-26855: ProxyLogon SSRF in Microsoft Exchange Server (exploited in the wild)

"In one incident, they exploited the Microsoft Exchange server vulnerability CVE-2021-26855 (ProxyLogon). Although patched in 2021, this vulnerability is still exploitable due to organizations using outdated operating systems and software. The attackers used ProxyLogon to execute a command to download and launch CobInt on the server."

"For instance, they used the CobInt backdoor for remote access to domain controllers, previously observed only in Twelve's attacks on Russian companies."

via Securelist (securelist.com)
THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Head Mare

For instance, they used the CobInt backdoor for remote access to domain controllers, previously observed only in Twelve’s attacks on Russian companies.

via Securelist (securelist.com)
Twelve

For instance, they used the CobInt backdoor for remote access to domain controllers, previously observed only in Twelve’s attacks on Russian companies.

via Securelist (securelist.com)
Crypt Ghouls

In one Crypt Ghouls attack, we discovered a malicious CobInt backdoor loader.

via Securelist (securelist.com)
Shedding Zmiy

In one Crypt Ghouls attack, we discovered a malicious CobInt backdoor loader.

via Securelist (securelist.com)
ExCobalt

...attempts to siphon Telegram credentials... and Outlook Web Access credentials... - CobInt, a known backdoor used by the group.

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1078 Valid Accounts (evidence: 2)

...threat actors leveraging a contractor's login credentials to connect to the internal systems via VPN... weaponizing trusted relationships.

T1189 Drive-by Compromise (evidence: 1)

"...Outlook Web Access credentials by injecting malicious code into the login page..."

T1190 Exploit Public-Facing Application (evidence: 2)

The attackers also exploited software vulnerabilities... In one incident, they exploited the Microsoft Exchange server vulnerability CVE-2021-26855 (ProxyLogon)... The attackers used ProxyLogon to execute a command to download and launch CobInt on the server.

Execution

2 techniques
T1059.001 PowerShell (evidence: 2)

This code, in turn, communicates with a C2 server to load the CobInt backdoor into memory.

T1059.005 Visual Basic (evidence: 2)

The VBS file is an obfuscated Visual Basic script that creates an ActiveX object reference named WScript.Shell and uses its Run() function to execute an obfuscated command line.

Persistence

2 techniques
T1078 Valid Accounts (evidence: 2)

...threat actors leveraging a contractor's login credentials to connect to the internal systems via VPN... weaponizing trusted relationships.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

"Using reg.exe, the attackers added an autorun entry to execute mcdrive.vbs with the interpreter wscript.exe. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ..."

Privilege Escalation

2 techniques
T1078 Valid Accounts (evidence: 2)

...threat actors leveraging a contractor's login credentials to connect to the internal systems via VPN... weaponizing trusted relationships.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

"Using reg.exe, the attackers added an autorun entry to execute mcdrive.vbs with the interpreter wscript.exe. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ..."
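The two observable behaviours this page records for CobInt loaders, a reg.exe Run-key entry that launches a .vbs through wscript.exe (the mcdrive.vbs autorun above) and contact with the published C2 indicators 360nvidia[.]com and 45.156.27[.]115 (from the family summary), can be turned into a simple defender-side check. The following is an added example, not code from Mallory or from any of the cited vendors: it runs over a handful of constructed endpoint and DNS events (the host names, paths and the OneDrive decoy entry are invented for the example), refangs the page's defanged indicators, and reports which hosts show the persistence write, the C2 contact, or both. The T1071 label for network matches is this example's own mapping, following the page's Command and Control section.

```python
import re
from dataclasses import dataclass

# Indicators exactly as published on the page (defanged form).
DEFANGED_IOCS = ["360nvidia[.]com", "45.156.27[.]115"]


def refang(ioc: str) -> str:
    """Convert a defanged indicator into a matchable value ([.] -> ., hxxp -> http)."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_SET = {refang(i) for i in DEFANGED_IOCS}

# reg.exe writing the per-machine or per-user Run key ...
RUN_KEY_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(?P<key>HK(?:LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run)\b',
    re.IGNORECASE,
)
# ... with a /d payload ...
RUN_DATA_RE = re.compile(r'/d\s+"?(?P<data>[^"]+)"?', re.IGNORECASE)
# ... that hands a .vbs to the Windows Script Host (wscript.exe or cscript.exe).
SCRIPT_HOST_RE = re.compile(r'\b[wc]script(?:\.exe)?\b.*\.vbs\b', re.IGNORECASE)

# Constructed sample telemetry: WS01 shows both behaviours, SRV02 only a C2 hit,
# WS03 is benign. The OneDrive Run entry on SRV02 is a legitimate-looking decoy.
SAMPLE_EVENTS = [
    {"host": "WS01", "kind": "process",
     "cmdline": r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v mcdrive /t REG_SZ /d "wscript.exe C:\ProgramData\mcdrive.vbs" /f'},
    {"host": "WS01", "kind": "dns", "query": "360nvidia.com"},
    {"host": "SRV02", "kind": "process",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /d "C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /f'},
    {"host": "SRV02", "kind": "net", "dst_ip": "45.156.27.115"},
    {"host": "WS03", "kind": "dns", "query": "update.microsoft.com"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    detail: str


def check_run_key_persistence(host: str, cmdline: str):
    """T1547.001: flag only Run-key writes whose payload runs a .vbs via a script host."""
    key = RUN_KEY_RE.search(cmdline)
    if not key:
        return None
    data = RUN_DATA_RE.search(cmdline)
    if not data or not SCRIPT_HOST_RE.search(data.group("data")):
        return None
    return Finding(host, "T1547.001", f'{key.group("key")} -> {data.group("data")}')


def matches_ioc(value: str) -> bool:
    """Exact match, or a subdomain of a listed domain (trailing dot tolerated)."""
    v = value.lower().rstrip(".")
    return v in IOC_SET or any(v.endswith("." + d) for d in IOC_SET)


def check_network(host: str, value: str, kind: str):
    if matches_ioc(value):
        return Finding(host, "T1071", f"{kind} {value} matches a published CobInt C2 indicator")
    return None


def scan(events):
    """Run every event through the check that applies to its kind; return all findings in order."""
    findings = []
    for ev in events:
        f = None
        if ev["kind"] == "process":
            f = check_run_key_persistence(ev["host"], ev["cmdline"])
        elif ev["kind"] == "dns":
            f = check_network(ev["host"], ev["query"], "DNS query for")
        elif ev["kind"] == "net":
            f = check_network(ev["host"], ev["dst_ip"], "connection to")
        if f:
            findings.append(f)
    return findings


def hosts_with_persistence_and_c2(findings):
    """Hosts that show both the Run-key write and a C2 indicator: the strongest signal here."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, t in by_host.items() if {"T1547.001", "T1071"} <= t)


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f)
    print("persistence + C2 on:", hosts_with_persistence_and_c2(results))
```

The Run-key check deliberately requires both the key path and a script-host-plus-.vbs payload, so ordinary software registering its own Run entry (the OneDrive decoy) is not flagged; in a real SIEM the same logic maps onto Sysmon event 1 or 13 and DNS/proxy logs, and the IOC list would be loaded from the full set rather than the two values quoted on this page.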

Stealth

1 technique
T1078 Valid Accounts (evidence: 2)

...threat actors leveraging a contractor's login credentials to connect to the internal systems via VPN... weaponizing trusted relationships.

Credential Access

1 technique
T1056.003 Web Portal Capture (evidence: 1)

"...siphon... Outlook Web Access credentials by injecting malicious code into the login page..."

Collection

1 technique
T1056.003 Web Portal Capture (evidence: 1)

"...siphon... Outlook Web Access credentials by injecting malicious code into the login page..."

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

Upon launch, it connected to the C2 server, allowing the operator to execute commands on the compromised host... Cloudflared tunnels traffic through the Cloudflare network.

T1105 Ingress Tool Transfer (evidence: 1)

After exploiting the business automation platform server, attackers downloaded and installed the PhantomJitter backdoor... The backdoor was downloaded into the victims’ infrastructure from the following URLs...

INDICATORS OF COMPROMISE

IOCs tracked for this family

11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
9 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
1 tracked

Other indicator types observed in public reporting.

| Type   | Value                          | Latest sighting |
|--------|--------------------------------|-----------------|
| domain | (redacted; full value in app)  | 1 month ago     |
| ip.v4  | (redacted; full value in app)  | 1 month ago     |
| ip.v4  | (redacted; full value in app)  | 1 month ago     |
| ip.v4  | (redacted; full value in app)  | 1 month ago     |
| ip.v4  | (redacted; full value in app)  | 1 month ago     |
| domain | (redacted; full value in app)  | 5 years ago     |
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (11)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (5)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (1)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (9)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.