ExCobalt Cyber Group Unleashes GoRed Backdoor on Russian Sectors
  • By Shiva
  • Last updated: June 24, 2024

ExCobalt Cyber Group Unleashes GoRed Backdoor on Russian Sectors

ExCobalt Cyber Group Strikes Russian Sectors with Advanced GoRed Backdoor

A cybercrime group known as ExCobalt has been targeting Russian organizations using a newly discovered Golang-based backdoor called GoRed. This sophisticated attack underscores the ongoing threat posed by highly skilled cybercriminals.

Background and Evolution of ExCobalt

According to a technical report by Positive Technologies researchers Vladislav Lunin and Alexander Badayev, ExCobalt is focused on cyber espionage and comprises members who have been active since at least 2016. These individuals are presumed to have previously been part of the notorious Cobalt Gang. Historically, Cobalt Gang was infamous for attacking financial institutions to steal funds, primarily using the CobInt tool, which ExCobalt adopted in 2022.

Targeted Sectors and Attack Strategies

Over the past year, ExCobalt has mounted attacks on a wide range of sectors in Russia. These include government agencies, information technology firms, metallurgy and mining companies, software development organizations, and telecommunications providers. The group’s initial access to these environments is often facilitated through previously compromised contractors and sophisticated supply chain attacks. This method involves infecting a component used in building the target company’s legitimate software, highlighting the group’s high level of sophistication.

Technical Details and Tools Used

ExCobalt employs a variety of tools to carry out its operations. These include:

  • Metasploit for exploiting vulnerabilities
  • Mimikatz for credential harvesting
  • ProcDump for process dumping
  • SMBExec for remote command execution
  • Spark RAT for remote access
  • Linux privilege escalation exploits such as CVE-2019-13272, CVE-2021-3156, CVE-2021-4034, and CVE-2022-2586

GoRed Backdoor Capabilities

The GoRed backdoor, which has undergone multiple iterations since its inception, is a comprehensive tool that allows ExCobalt operators to execute a variety of commands on infected hosts. It can:

  • Obtain credentials
  • Harvest details of active processes, network interfaces, and file systems
  • Communicate with its command-and-control (C2) server using the Remote Procedure Call (RPC) protocol
  • Support background commands to monitor files and passwords
  • Enable reverse shell access
  • The collected data is then exported to infrastructure controlled by the attackers, facilitating further exploitation and data exfiltration.


ExCobalt Group Unleashes GoRed Backdoor on Russian Sectors

ExCobalt’s Adaptability and Persistence

The researchers highlight ExCobalt’s high level of activity and determination in targeting Russian companies. The group continually updates its arsenal with new tools and improves its techniques. Additionally, ExCobalt demonstrates significant flexibility and versatility by supplementing its toolset with modified standard utilities. This adaptability allows the group to bypass security controls effectively and adjust to changes in protection methods.


ExCobalt’s relentless attacks on various Russian sectors using the advanced GoRed backdoor highlight the ongoing and evolving threat posed by cyber espionage groups. Organizations in targeted sectors must remain vigilant and employ robust cybersecurity measures to protect against such sophisticated threats.