Excobalt

Threat Actor updated 25 days ago (2024-08-14T09:47:19.881Z)
ExCobalt is a cybercrime group identified as a significant threat actor targeting Russian organizations in multiple sectors. The cybersecurity industry has monitored ExCobalt's activities closely because of the group's increasingly sophisticated methods of hacking and cyberespionage. The group has shown an aptitude for adopting more productive techniques, including expanded functionality for collecting victim data and increased secrecy both inside the infected system and in communications with C2 servers. ExCobalt remains highly active and determined in its attacks on Russian companies. It is continually adding new tools to its arsenal and improving its techniques, which indicates a high level of sophistication and adaptability and makes it a formidable threat.

In their recent attacks, ExCobalt used the Spark RAT (Remote Access Trojan) to execute commands as part of a multi-tool attack chain. The chain also included Mimikatz, ProcDump, SMBExec, Metasploit, and rsocx. Each of these tools plays a distinct role in the attack chain, from capturing credentials and dumping process memory to exploiting vulnerabilities and providing remote control capabilities. These aggressive tactics underline the serious threat that ExCobalt poses to targeted organizations and the broader cybersecurity landscape.
Description last updated: 2024-08-14T08:52:34.354Z
Aliases: We are not currently tracking any aliases.
Source Document References
Information about the Excobalt Threat Actor was read from the documents corpus below.
Source | Created | Title
Securityaffairs | a month ago | SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs | a month ago | security-affairs-malware-newsletter-round-5
Securityaffairs | 2 months ago | Security Affairs Malware Newsletter - Round 3
Securityaffairs | 2 months ago | Security Affairs Malware Newsletter - Round 3
Securityaffairs | 2 months ago | Security Affairs Malware Newsletter - Round 2
Securityaffairs | 2 months ago | Security Affairs Malware Newsletter - Round 1
Securityaffairs | 2 months ago | Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 2 months ago | ExCobalt Cybercrime group targets Russian organizations in multiple sectors