1. ExCobalt includes former Cobalt Gang members, active since at least 2016.

2. Cobalt Gang attacked financial institutions and used CobInt, adopted by ExCobalt.

3. ExCobalt targets Russian sectors: government, IT, metallurgy, mining, software, telecommunications.

4. Initial access via compromised contractors and supply chain attacks on software.

5. ExCobalt uses Metasploit, Mimikatz, ProcDump, SMBExec, Spark RAT, Linux exploits.