Cloudwizard

Malware updated 23 days ago (2024-11-29T13:32:35.613Z)

Download STIX

Preview STIX

CloudWizard is a potent malware that has been implicated in advanced persistent threat (APT) campaigns, specifically those related to the Russo-Ukrainian conflict. It was first reported by Kaspersky in 2023 and is known for its features like taking screenshots, microphone recording, keylogging, among others. This malware is particularly notable for its use of cloud services for command and control (C2), a tactic that allows it to effectively hide and operate. Furthermore, CloudWizard shares multiple similarities with the malware used in the Operation Groundbait campaign, particularly with the Prikormka malware, and CommonMagic. However, recent developments have uncovered a new APT actor dubbed "CloudSorcerer" by Kaspersky, which has been targeting Russian government entities. Like CloudWizard, CloudSorcerer heavily leverages public cloud services for C2 and other purposes. Despite these operational similarities, significant differences in code and functionality suggest that CloudSorcerer is likely a new actor, possibly inspired by previous techniques but developing its own unique tools. In conclusion, while there are evident parallels between CloudWizard and CloudSorcerer in terms of tactics and targets, Kaspersky's analysis indicates that they are distinct actors in the cyber-espionage landscape. Both groups demonstrate the growing trend of APT actors utilizing cloud services for their operations, highlighting the need for enhanced security measures in the cloud computing sphere.

Description last updated: 2024-10-14T12:15:30.846Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Commonmagic is a possible alias for Cloudwizard. CommonMagic is a malicious software framework that has been actively used since at least September 2021 to target government, agriculture, and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. It was developed by an APT group linked to the Russo-Ukrainian conflict and	4
Prikormka is a possible alias for Cloudwizard. Prikormka is a type of malware that was used in Operation Groundbait, a cyber threat campaign that took place between 2008 and 2016. The malware is typically deployed through a dropper contained within malicious email attachments and has 13 different components designed to harvest various types of d	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Apt

Kaspersky

Encryption

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Cloudsorcerer Threat Actor is associated with Cloudwizard. CloudSorcerer, a threat actor group known for its malicious activities, has been identified by Kaspersky as the entity behind a new EastWind campaign targeting Russian organizations. The group updated their CloudSorcerer backdoor after it was initially described in a blog post by Kaspersky in early	Unspecified	3

Source Document References

Information about the Cloudwizard Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securelist	21 days ago	Malware report for Q3 2024: threat overview
Securelist	2 months ago	Cyberthreats in the Middle East H1 2024
Securelist	4 months ago	Kaspersky report on APT trends in Q2 2024
Securelist	5 months ago	LianSpy: Android spyware leveraging Yandex Disk as C2
DARKReading	5 months ago	'CloudSorcerer' Leverages Cloud Services in Cyber-Espionage Campaign
InfoSecurity-magazine	5 months ago	New APT CloudSorcerer Malware Hits Russian Targets
Securelist	5 months ago	CloudSorcerer APT uses cloud services and GitHub as C2
CERT-EU	a year ago	Battling the Exploitation of Cloud Services in Global Conflicts
CERT-EU	a year ago	Advanced threat predictions for 2024 – GIXtools
Securelist	a year ago	Kaspersky Security Bulletin: APT predictions 2024
Securelist	2 years ago	Operation Triangulation: iOS devices targeted with previously unknown malware
CERT-EU	2 years ago	APT trends report Q1 2023
CERT-EU	2 years ago	APT trends report Q1 2023 - GIXtools
CERT-EU	2 years ago	Anomali Cyber Watch: CloudWizard Targets Both Sides in Ukraine, Camaro Dragon Trojanized TP-Link Firmware, RA Group Ransomware Copied Babuk
CERT-EU	a year ago	IT threat evolution in Q2 2023 – GIXtools
CERT-EU	a year ago	IT threat evolution Q2 2023
CERT-EU	2 years ago	Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
CERT-EU	2 years ago	CloudWizard APT: the bad magic story goes on - GIXtools
InfoSecurity-magazine	2 years ago	CommonMagic Malware Implants Linked to New CloudWizard Framework
DARKReading	2 years ago	CommonMagic APT Campaign Broadens Target Scope to Central and Western Ukraine