Skip to main content
Mallory
Back to threat actors
8 malware families

ExCobalt

Also known asExCobalt

ExCobalt is a threat actor cited as conducting campaigns against Russian organizations. Reported initial access methods include leveraging known security vulnerabilities and using credentials stolen from contractors. Post-compromise activity includes credential theft targeting Telegram (credentials and message history) and Outlook Web Access (via malicious code injection into the login page). Tooling associated with ExCobalt includes the CobInt backdoor, use of lockers such as Babuk and LockBit, and a kernel-mode rootkit family described as PUMAKIT (used for privilege escalation, hiding files/directories, and self-concealment), with prior iterations named Facefish (Feb 2021), Kitsune (Feb 2022), and Megatsune (Nov 2023). ExCobalt is also associated with a Rust-based Linux privilege-escalation toolkit called Octopus. Positive Technologies characterized ExCobalt as one of the “most dangerous groups” attacking Russian entities and noted a shift from exploiting 1-day vulnerabilities in internet-exposed services (e.g., Microsoft Exchange) toward reaching primary targets via contractors.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

6 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

6 of 15 tactics12 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
3 techniques
T1078×3
Valid Accounts
T1189
Drive-by Compromise
T1190×2
Exploit Public-Facing Application
TA0003
Persistence
1 technique
T1078×3
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078×3
Valid Accounts
TA0005
Stealth
3 techniques
T1014
Rootkit
T1078×3
Valid Accounts
T1564
Hide Artifacts
TA0006
Credential Access
1 technique
T1056
Input Capture
T1056.003
Web Portal Capture
TA0009
Collection
1 technique
T1056
Input Capture
T1056.003
Web Portal Capture
ARSENAL

Associated malware families

8 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
BabukLockers such as Babuk and LockBit.1Mar 8, 2026
CobInt...attempts to siphon Telegram credentials... and Outlook Web Access credentials... - CobInt, a known backdoor used by the group.1Mar 8, 2026
Facefish...prior iterations known as Facefish (February 2021), Kitsune (February 2022), and Megatsune (November 2023).1Mar 8, 2026
Kitsune...prior iterations known as Facefish (February 2021), Kitsune (February 2022), and Megatsune (November 2023). The use of Kitsune was also linked to a threat cluster known as Sneaky Wolf...1Mar 8, 2026
LockBitLockers such as Babuk and LockBit.1Mar 8, 2026

3 additional families tracked in Mallory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
scworldNews
Feb 10, 2026
Bloody Wolf targets Uzbekistan and Russia with NetSupport RAT | SC Media

Campaigns targeting Russian organizations using exploitation of known vulnerabilities and use of stolen credentials.

Read more
the hacker newsNews
Feb 9, 2026
Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign

Targets Russian organizations; gains initial access by exploiting known vulnerabilities and using contractor-stolen credentials; conducts credential theft (Telegram/OWA) and uses a mix of backdoors, rootkits, and ransomware lockers.

Read more
the hacker newsNews
Feb 9, 2026
Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign

Targets Russian organizations; gains initial access via exploitation of known vulnerabilities and use of contractor-stolen credentials; conducts credential theft (Telegram and OWA) and uses a mix of backdoors, rootkits, and ransomware lockers.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping6

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal8

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.