Graphshell

Malware updated 4 days ago (2024-11-29T14:43:55.373Z)
Download STIX
Preview STIX
GraphShell is a malicious software (malware) that has been used in cyber-attacks to exploit and damage computer systems. It was first reported in March 2023 by the cybersecurity firm Bad Magic, which documented its use in attacks targeting Russian-occupied territories of Ukraine. The malware, also known as DBoxShell or PowerMagic, is part of a modular framework called CommonMagic, and it can infiltrate systems through suspicious downloads, emails, or websites. Once inside a system, GraphShell has the capability to steal personal information, disrupt operations, or even hold data for ransom. The reconnaissance phase of GraphShell begins immediately after it is executed, allowing it to quickly start gathering information about the infected system. This makes it highly effective at achieving its destructive goals. In the fifth operation conducted by Bad Magic, they notably switched from using DBoxShell to GraphShell. This alternative malware is named for its use of the Microsoft Graph API, a tool used for building applications that access Microsoft cloud services. The use of GraphShell marks a significant evolution in the tactics of the Bad Magic group. By exploiting the Microsoft Graph API, this malware can leverage Microsoft's cloud services for command and control (C&C) purposes. This allows the attackers to remotely control infected systems, further increasing the potential harm they can cause. As such, the emergence of GraphShell represents a significant escalation in the cyber threat landscape.
Description last updated: 2023-10-10T20:16:38.163Z
What's your take? (Question 1 of 0)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Dboxshell is a possible alias for Graphshell. DboxShell is a type of malware that uses cloud storage services as a command and control (C&C) mechanism. It is also known as PowerMagic by Kaspersky. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can dis
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Graphshell Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more