Cloudwizard

Malware updated 23 days ago (2024-11-29T13:32:35.613Z)
Download STIX
Preview STIX
CloudWizard is a potent malware that has been implicated in advanced persistent threat (APT) campaigns, specifically those related to the Russo-Ukrainian conflict. It was first reported by Kaspersky in 2023 and is known for its features like taking screenshots, microphone recording, keylogging, among others. This malware is particularly notable for its use of cloud services for command and control (C2), a tactic that allows it to effectively hide and operate. Furthermore, CloudWizard shares multiple similarities with the malware used in the Operation Groundbait campaign, particularly with the Prikormka malware, and CommonMagic. However, recent developments have uncovered a new APT actor dubbed "CloudSorcerer" by Kaspersky, which has been targeting Russian government entities. Like CloudWizard, CloudSorcerer heavily leverages public cloud services for C2 and other purposes. Despite these operational similarities, significant differences in code and functionality suggest that CloudSorcerer is likely a new actor, possibly inspired by previous techniques but developing its own unique tools. In conclusion, while there are evident parallels between CloudWizard and CloudSorcerer in terms of tactics and targets, Kaspersky's analysis indicates that they are distinct actors in the cyber-espionage landscape. Both groups demonstrate the growing trend of APT actors utilizing cloud services for their operations, highlighting the need for enhanced security measures in the cloud computing sphere.
Description last updated: 2024-10-14T12:15:30.846Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Commonmagic is a possible alias for Cloudwizard. CommonMagic is a malicious software framework that has been actively used since at least September 2021 to target government, agriculture, and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. It was developed by an APT group linked to the Russo-Ukrainian conflict and
4
Prikormka is a possible alias for Cloudwizard. Prikormka is a type of malware that was used in Operation Groundbait, a cyber threat campaign that took place between 2008 and 2016. The malware is typically deployed through a dropper contained within malicious email attachments and has 13 different components designed to harvest various types of d
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Kaspersky
Encryption
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Cloudsorcerer Threat Actor is associated with Cloudwizard. CloudSorcerer, a threat actor group known for its malicious activities, has been identified by Kaspersky as the entity behind a new EastWind campaign targeting Russian organizations. The group updated their CloudSorcerer backdoor after it was initially described in a blog post by Kaspersky in early Unspecified
3
Source Document References
Information about the Cloudwizard Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securelist
21 days ago
Securelist
2 months ago
Securelist
4 months ago
Securelist
5 months ago
DARKReading
5 months ago
InfoSecurity-magazine
5 months ago
Securelist
5 months ago
CERT-EU
a year ago
CERT-EU
a year ago
Securelist
a year ago
Securelist
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
2 years ago
CERT-EU
2 years ago
InfoSecurity-magazine
2 years ago
DARKReading
2 years ago