Bad Magic, a strain of malicious software (malware), was first reported by Kaspersky in March 2023. The malware is associated with a hacker group known as 'Bad Magic' or 'Red Stinger', which targets companies involved in the Russo-Ukrainian conflict. The group's modus operandi involves the use of a backdoor called PowerMagic and a modular framework named CommonMagic to infiltrate systems. Notably, Bad Magic's activities have been linked to an activity cluster that first emerged in May 2016, suggesting that the group has been operational for much longer than previously thought.
The CloudWizard Advanced Persistent Threat (APT) has also been attributed to the Bad Magic group. This newly discovered modular malware framework has been active since 2016, according to a report published on May 19, 2023. In October of the previous year, infections were identified in government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea. Kaspersky's deeper insights into the Bad Magic story revealed various artifacts associated with the CloudWizard framework from 2017 to 2020.
In addition to PowerMagic and CommonMagic, Bad Magic uses Graphican, an updated version of the group's Ketrican backdoor. It abuses the Microsoft Graph API and OneDrive to retrieve its command-and-control server details. These tools have also been used by other APT groups, including APT28. Despite the sophistication of these attacks, no connections have been found between the malware used by Bad Magic and any other known hacking tools, indicating the unique nature of this threat.
Description last updated: 2024-05-04T16:46:50.837Z