Bad Magic

Malware Profile Updated 13 days ago
Bad Magic is malware first reported by Kaspersky in March 2023. It is associated with a threat group also tracked as 'Bad Magic' or 'Red Stinger', which targets organizations involved in the Russo-Ukrainian conflict. The group's modus operandi involves a backdoor called PowerMagic and a modular framework named CommonMagic to infiltrate systems. Notably, Bad Magic's activities have been linked to an activity cluster that first emerged in May 2016, suggesting that the group has been operational for much longer than previously thought. The CloudWizard Advanced Persistent Threat (APT) framework has also been attributed to the Bad Magic group; according to a report published on May 19, 2023, this newly discovered modular malware framework has been active since 2016. In October of the previous year, infections were identified in government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea. Kaspersky's deeper look into the Bad Magic story revealed various artifacts associated with the CloudWizard framework from 2017 to 2020. In addition to PowerMagic and CommonMagic, Bad Magic uses Graphican, an updated version of the group's Ketrican backdoor, which uses the Microsoft Graph API and OneDrive to obtain its command-and-control server details. These tools have also been used by other APT groups, including APT28. Despite the sophistication of these attacks, no connections have been found between the malware used by Bad Magic and any other known hacking tools, indicating the unique nature of this threat.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: Red Stinger
Votes: 3
Profile Description: Red Stinger, also known as Bad Magic, is a previously undetected Advanced Persistent Threat (APT) group that has been linked to cyber-espionage activities targeting Eastern Europe since 2020. The group's operations have primarily focused on both pro-Ukraine and pro-Russia victims in central and east
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malwarebytes
Kaspersky
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Bad Magic malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 9 months ago | IT threat evolution Q2 2023
CERT-EU | a year ago | Novel Graphican backdoor leveraged in Chinese APT attacks against foreign ministries
CERT-EU | a year ago | Newly identified APT group's motives in Ukraine baffle researchers
CERT-EU | a year ago | Enigmatic Hacking Group Operating in Ukraine | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
Securityaffairs | a year ago | New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict
CERT-EU | a year ago | New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe
Checkpoint | a year ago | 15th May – Threat Intelligence Report - Check Point Research
CERT-EU | a year ago | Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
CERT-EU | a year ago | A Mysterious Group Has Ties to 15 Years of Ukraine-Russia Hacks | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
CERT-EU | 10 months ago | A Decade of 'Bad Magic' In Cyber Espionage
CERT-EU | a year ago | Anomali Cyber Watch: CloudWizard Targets Both Sides in Ukraine, Camaro Dragon Trojanized TP-Link Firmware, RA Group Ransomware Copied Babuk
CERT-EU | a year ago | Chinese Hacker Group 'Flea' Targets American Ministries with Graphican Backdoor
CERT-EU | 9 months ago | IT threat evolution in Q2 2023 – GIXtools
BankInfoSecurity | a year ago | Enigmatic Hacking Group Operating in Ukraine