{
	"id": "41b31d7c-b251-4dbf-ace4-abfbd1f6774e",
	"created_at": "2026-04-06T00:21:39.499685Z",
	"updated_at": "2026-04-10T03:35:12.357268Z",
	"deleted_at": null,
	"sha1_hash": "2084eaeeffe663b1c01177c9e0906d8e7f651002",
	"title": "CobInt (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 28373,
	"plain_text": "CobInt (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 18:13:10 UTC\r\nCobInt, is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial\r\nintelligence information about the compromised machine and stream video from its desktop. If the operator\r\ndecides that the system is of interest, the backdoor will download and launch CobaltStrike framework stager. It's\r\nCRM mailslot module was also observed being downloaded by ISFB.\r\n[TLP:WHITE] win_cobint_auto (20251219 | Detects win.cobint.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cobint\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint"
	],
	"report_names": [
		"win.cobint"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434899,
	"ts_updated_at": 1775792112,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2084eaeeffe663b1c01177c9e0906d8e7f651002.pdf",
		"text": "https://archive.orkl.eu/2084eaeeffe663b1c01177c9e0906d8e7f651002.txt",
		"img": "https://archive.orkl.eu/2084eaeeffe663b1c01177c9e0906d8e7f651002.jpg"
	}
}