Bad Magic

Malware updated 5 months ago (2024-05-04T19:02:01.208Z)
Bad Magic is a malware family first reported by Kaspersky in March 2023. It is associated with a threat group tracked as 'Bad Magic' or 'Red Stinger', which targets organizations involved in the Russo-Ukrainian conflict. The group's tooling consists of a backdoor called PowerMagic and a modular framework named CommonMagic, which are used to infiltrate systems. Bad Magic's activity has been linked to an activity cluster that first emerged in May 2016, suggesting the group has been operational for much longer than previously thought.

The CloudWizard Advanced Persistent Threat (APT) has also been attributed to the Bad Magic group. According to a report published on May 19, 2023, this modular malware framework has been active since 2016. In October of the previous year, infections were identified in government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea. Kaspersky's follow-up research into the Bad Magic story uncovered various artifacts associated with the CloudWizard framework dating from 2017 to 2020.

In addition to PowerMagic and CommonMagic, Bad Magic uses Graphican, an updated version of the group's Ketrican backdoor, which abuses the Microsoft Graph API and OneDrive to retrieve command-and-control server details. These tools have also been used by other APT groups, including APT28. Despite the sophistication of these attacks, no connections have been found between the malware used by Bad Magic and any other known hacking tools, indicating the unique nature of this threat.
Description last updated: 2024-05-04T16:46:50.837Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Red Stinger (possible alias for Bad Magic)
Description: Red Stinger, also known as Bad Magic, is a previously undetected Advanced Persistent Threat (APT) group that has been linked to cyber-espionage activities targeting Eastern Europe since 2020. The group's operations have primarily focused on both pro-Ukraine and pro-Russia victims in central and east
Votes: 3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malwarebytes
Kaspersky
Analyst Notes & Discussion
Source Document References
Information about the Bad Magic malware was read from the documents corpus below. This display is limited to 20 results.