Obstinate Mogwai
Obstinate Mogwai is a threat actor identified in Rostelecom security team reporting as one of at least three APT groups present on the network of a Russian organization, alongside Erudite Mogwai (Space Pirates) and GOFFEE. In the cited investigation, multiple malware families were found co-resident on a Microsoft Exchange server that had been compromised in summer 2024 via the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). The reporting directly attributes the Donnect malware family to Obstinate Mogwai and notes that a new sample was deployed during the period of presumed Obstinate Mogwai activity. No aliases beyond “obstinate_mogwai” / “Obstinate Mogwai” are provided. The available reporting does not state the actor’s country of origin, any specific targets beyond its presence in the Russian organization under investigation, or broader TTPs beyond the association with Donnect and activity on the compromised Exchange infrastructure.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- government
Tradecraft
1 distinct technique observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Associated vulnerabilities
3 CVEs this actor has used in observed campaigns. 3 of them exploited in the wild.
...exploitation of the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
...the source of their infection turned out to be an Exchange mail server, which had been compromised back in summer 2024 through exploitation of the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Named APT cluster reported present on a Russian organization’s network (per Rostelecom security team reporting).
Associated with the discovery of Donnect; during the period of presumed activity, a new modular backdoor, ShadowRelay, was deployed on the Exchange server / in the infrastructure, but attribution of ShadowRelay to this group has not been confirmed.