Graphshell

Malware Profile Updated 24 days ago
Download STIX
Preview STIX
GraphShell is a malicious software (malware) that has been used in cyber-attacks to exploit and damage computer systems. It was first reported in March 2023 by the cybersecurity firm Bad Magic, which documented its use in attacks targeting Russian-occupied territories of Ukraine. The malware, also known as DBoxShell or PowerMagic, is part of a modular framework called CommonMagic, and it can infiltrate systems through suspicious downloads, emails, or websites. Once inside a system, GraphShell has the capability to steal personal information, disrupt operations, or even hold data for ransom. The reconnaissance phase of GraphShell begins immediately after it is executed, allowing it to quickly start gathering information about the infected system. This makes it highly effective at achieving its destructive goals. In the fifth operation conducted by Bad Magic, they notably switched from using DBoxShell to GraphShell. This alternative malware is named for its use of the Microsoft Graph API, a tool used for building applications that access Microsoft cloud services. The use of GraphShell marks a significant evolution in the tactics of the Bad Magic group. By exploiting the Microsoft Graph API, this malware can leverage Microsoft's cloud services for command and control (C&C) purposes. This allows the attackers to remotely control infected systems, further increasing the potential harm they can cause. As such, the emergence of GraphShell represents a significant escalation in the cyber threat landscape.
What's your take? (Question 1 of 0)
b4054357-90f0-4c78-b3e6-f69ffbb59d39 Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Dboxshell
2
DboxShell is a type of malware that uses cloud storage services as a command and control (C&C) mechanism. It is also known as PowerMagic by Kaspersky. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can dis
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Graphshell Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
Malwarebytes
a year ago
Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020
CERT-EU
a year ago
New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe
CERT-EU
a year ago
Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
CERT-EU
a year ago
A Decade of ‘Bad Magic’ In Cyber Espionage