Powermagic

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
PowerMagic is a sophisticated malware, also known as DBoxShell, that has been linked to a series of advanced persistent threat (APT) activities. This malicious software was identified by Kaspersky researchers who traced its connections to previous APT activities such as Operation Groundbait, the Prikormka malware (2008-2016), Operation BugDrop (2017), PowerMagic (2020-2022), and CommonMagic (2022). The malware is capable of setting itself up in the system to be persistently launched on startup of the infected device, receiving commands from a remote folder located on public cloud storage, executing these commands, and uploading the results back to the cloud. In March 2023, an unknown APT campaign involving the use of PowerMagic and CommonMagic implants was uncovered in the Russo-Ukrainian conflict region. These attacks were associated with a hacker group named 'Bad Magic', which targeted companies involved in the Russia-Ukrainian conflict. The group executed attacks using a PowerShell-based backdoor called PowerMagic and a new malicious framework named CommonMagic. PowerMagic likely served as a backdoor to deliver the modular CommonMagic framework. Agriculture, administrative, and transportation organizations across Ukrainian regions including Donetsk, Crimea, and Lugansk experienced a sophisticated ongoing attack campaign involving the novel CommonMagic framework and PowerMagic backdoor, as reported in March 2023. The infection began with a decoy document and a malicious LNK file with a double extension used to deploy the PowerMagic backdoor. Subsequent investigations revealed that PowerMagic also deploys a modular framework named CommonMagic, indicating a cluster of more sophisticated malicious activities originating from the same threat actor.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Commonmagic
4
CommonMagic is a malicious software framework that has been actively used since at least September 2021 to target government, agriculture, and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. It was developed by an APT group linked to the Russo-Ukrainian conflict and
Dboxshell
2
DboxShell is a type of malware that uses cloud storage services as a command and control (C&C) mechanism. It is also known as PowerMagic by Kaspersky. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can dis
Graphshell
1
GraphShell is a malicious software (malware) that has been used in cyber-attacks to exploit and damage computer systems. It was first reported in March 2023 by the cybersecurity firm Bad Magic, which documented its use in attacks targeting Russian-occupied territories of Ukraine. The malware, also k
Bad Magic
1
Bad Magic, a malicious software (malware), was first reported by Kaspersky in March 2023. The malware is associated with a hacker group known as 'Bad Magic' or 'Red Stinger', which targets companies involved in the Russo-Ukrainian conflict. The group's modus operandi involves the use of a backdoor c
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Decoy
Kaspersky
Espionage
Apt
Encryption
Implant
Phishing
Malware
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
PrikormkaUnspecified
1
Prikormka is a type of malware that was used in Operation Groundbait, a cyber threat campaign that took place between 2008 and 2016. The malware is typically deployed through a dropper contained within malicious email attachments and has 13 different components designed to harvest various types of d
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Powermagic Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
InfoSecurity-magazine
a year ago
CommonMagic Targets Entities in Russo-Ukrainian Conflict Zone
CERT-EU
a year ago
CloudWizard APT: the bad magic story goes on - GIXtools
Malwarebytes
a year ago
Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020
CERT-EU
a year ago
Linux SSH servers targeted by novel ShellBot malware variants
CERT-EU
a year ago
A Decade of ‘Bad Magic’ In Cyber Espionage
CERT-EU
a year ago
Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
CERT-EU
a year ago
IT threat evolution in Q2 2023 – GIXtools
CERT-EU
a year ago
New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe
CERT-EU
a year ago
Anomali Cyber Watch: CloudWizard Targets Both Sides in Ukraine, Camaro Dragon Trojanized ​​TP-Link Firmware, RA Group Ransomware Copied Babuk
DARKReading
a year ago
CommonMagic APT Campaign Broadens Target Scope to Central and Western Ukraine
CERT-EU
a year ago
IT threat evolution Q2 2023
Securityaffairs
a year ago
New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict
CERT-EU
a year ago
Unknown actors target orgs in Russia-occupied Ukraine
CERT-EU
a year ago
Ukraine targeted by novel malware attacks