Cloudwizard

Malware Profile Updated 19 days ago
CloudWizard is a sophisticated malware framework discovered in May 2023, allegedly developed by an unidentified threat actor based in Ukraine. It has been linked to a broader set of cyber-attacks across the country and marks an evolution from its predecessors by using well-known cloud services such as Google Drive, Microsoft OneDrive, and Dropbox as its command and control (C2) infrastructure. The CloudWizard Advanced Persistent Threat (APT) campaign has played a significant role in the Russo-Ukrainian conflict area, indicating its potential use in cyber warfare. Analysis found that CloudWizard shares multiple similarities with malware used in previous campaigns, namely CommonMagic and Prikormka, the latter part of Operation Groundbait. These similarities include matching victim ID formats and file naming conventions for data uploaded to the C2 server. Despite these resemblances, there are significant differences in code and functionality between CloudWizard and the earlier malware, suggesting that CloudWizard may have been developed by a new actor inspired by previous techniques but building its own tools. Additionally, another malware framework known as CloudSorcerer, which resembles the CloudWizard APT in its modus operandi, was later reported; here too, substantial differences in code and functionality suggest that CloudSorcerer is likely a separate entity, potentially influenced by previous techniques but creating its own distinctive tools. This ongoing development and evolution of malware underscores the need for continuous vigilance and updated cybersecurity measures.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Commonmagic | 4 | CommonMagic is a malicious software framework that has been actively used since at least September 2021 to target government, agriculture, and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. It was developed by an APT group linked to the Russo-Ukrainian conflict and
Prikormka | 2 | Prikormka is a type of malware that was used in Operation Groundbait, a cyber threat campaign that took place between 2008 and 2016. The malware is typically deployed through a dropper contained within malicious email attachments and has 13 different components designed to harvest various types of d
Bad Magic | 1 | Bad Magic, a malicious software (malware), was first reported by Kaspersky in March 2023. The malware is associated with a hacker group known as 'Bad Magic' or 'Red Stinger', which targets companies involved in the Russo-Ukrainian conflict. The group's modus operandi involves the use of a backdoor c
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Kaspersky
Encryption
Cloud Services
At
Skype
Loader
Ukraine
Associated Malware
ID | Type | Votes | Profile Description
Hwo7x8p | Unspecified | 1 | None
BlackEnergy | Unspecified | 1 | BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a
Associated Threat Actors
ID | Type | Votes | Profile Description
Cloudsorcerer | Unspecified | 3 | None
Gamaredon | Unspecified | 1 | Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been actively tracked since 2013 and is recognized as a significant threat actor in the cybersecurity landscape. Its primary target is Ukraine, against which it deploys an array of home-brewed malware through malicious documents. The E
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Cloudwizard Md5 | Unspecified | 1 | None
Source Document References
Information about the Cloudwizard malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | 18 days ago | 'CloudSorcerer' Leverages Cloud Services in Cyber-Espionage Campaign
InfoSecurity-magazine | 19 days ago | New APT CloudSorcerer Malware Hits Russian Targets
Securelist | 19 days ago | CloudSorcerer APT uses cloud services and GitHub as C2
CERT-EU | 6 months ago | Battling the Exploitation of Cloud Services in Global Conflicts
CERT-EU | 8 months ago | Advanced threat predictions for 2024 – GIXtools
Securelist | 8 months ago | Kaspersky Security Bulletin: APT predictions 2024
Securelist | a year ago | Operation Triangulation: iOS devices targeted with previously unknown malware
CERT-EU | a year ago | APT trends report Q1 2023
CERT-EU | a year ago | APT trends report Q1 2023 - GIXtools
CERT-EU | a year ago | Anomali Cyber Watch: CloudWizard Targets Both Sides in Ukraine, Camaro Dragon Trojanized TP-Link Firmware, RA Group Ransomware Copied Babuk
CERT-EU | a year ago | IT threat evolution in Q2 2023 – GIXtools
CERT-EU | a year ago | IT threat evolution Q2 2023
CERT-EU | a year ago | Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
CERT-EU | a year ago | CloudWizard APT: the bad magic story goes on - GIXtools
InfoSecurity-magazine | a year ago | CommonMagic Malware Implants Linked to New CloudWizard Framework
DARKReading | a year ago | CommonMagic APT Campaign Broadens Target Scope to Central and Western Ukraine