Merge pull request #1053 from jashdalvi/threat-actors/add-excobalt

[threat-actors] add ExCobalt
MISP · Feb 10, 2025 · be37f98 · be37f98
2 parents 0c50e7f + 8803740
commit be37f98
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 
 [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
 
-Category: *actor* - source: *MISP Project* - total: *799* elements
+Category: *actor* - source: *MISP Project* - total: *800* elements
 
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
 

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
@@ -17716,6 +17716,16 @@
       },
       "uuid": "3ef31ccd-60a9-4abc-a1a3-713ce625cbb7",
       "value": "Belsen Group"
+    },
+    {
+      "description": "ExCobalt is an APT group that has been active since at least 2016 and is believed to be linked to the notorious Cobalt Gang. The group primarily targets Russian organizations across sectors—including metallurgy, telecommunications, mining, information technology, government, and software development by exploiting supply chain weaknesses and compromised contractors for initial access. ExCobalt’s toolkit features a custom Golang‑based backdoor, GoRed, which enables remote command execution, credential harvesting, and detailed system reconnaissance, while the group also employs established tools such as Spark RAT, Mimikatz, and multiple Linux privilege escalation exploits. Researchers note that ExCobalt continually evolves its tactics and even modifies standard utilities to bypass security controls and maintain persistent access, underscoring its commitment to sophisticated cyberespionage and data theft operations.",
+      "meta": {
+        "refs": [
+          "https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique"
+        ]
+      },
+      "uuid": "12c9522e-41d7-442b-ae0e-134249732fbb",
+      "value": "ExCobalt"
     }
   ],
   "version": 322