{ "id": "65891189-3e25-4255-bb30-87372310e51c", "created_at": "2026-04-06T00:18:42.942579Z", "updated_at": "2026-04-10T03:29:06.896433Z", "deleted_at": null, "sha1_hash": "39bdd3cb214d7de4220b85748ca28cc13879002a", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46465, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:02:49 UTC\nHome \u003e List all groups \u003e CloudSorcerer\n APT group: CloudSorcerer\nNames CloudSorcerer (Kaspersky)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2024\nDescription\n(Kaspersky) In May 2024, we discovered a new advanced persistent threat (APT)\ntargeting Russian government entities that we dubbed CloudSorcerer. It’s a\nsophisticated cyberespionage tool used for stealth monitoring, data collection, and\nexfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure.\nThe malware leverages cloud resources as its command and control (C2) servers,\naccessing them through APIs using authentication tokens. Additionally,\nCloudSorcerer uses GitHub as its initial C2 server.\nCloudSorcerer’s modus operandi is reminiscent of the CloudWizard APT (Bad\nMagic, RedStinger) that we reported on in 2023. However, the malware code is\ncompletely different. We presume that CloudSorcerer is a new actor that has adopted\na similar method of interacting with public cloud services.\nObserved\nSectors: Government.\nCountries: Russia.\nTools used GrewApacha, PlugY, The CloudSorcerer.\nOperations performed Jul 2024\nOperation “EastWind”\nEastWind campaign: new CloudSorcerer attacks on government\norganizations in Russia\nInformation Last change to this card: 27 August 2024\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=af7a2561-8bf2-4b5c-a1d3-dbfef92fc0a7\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=af7a2561-8bf2-4b5c-a1d3-dbfef92fc0a7\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=af7a2561-8bf2-4b5c-a1d3-dbfef92fc0a7\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=af7a2561-8bf2-4b5c-a1d3-dbfef92fc0a7" ], "report_names": [ "showcard.cgi?u=af7a2561-8bf2-4b5c-a1d3-dbfef92fc0a7" ], "threat_actors": [ { "id": "3f918a1b-2f20-4f3f-ae16-31e83d9d91d9", "created_at": "2023-06-23T02:04:34.088425Z", "updated_at": "2026-04-10T02:00:04.573175Z", "deleted_at": null, "main_name": "Bad Magic", "aliases": [ "Bad Magic", "CloudWizard", "RedStinger" ], "source_name": "ETDA:Bad Magic", "tools": [ "CommonMagic", "PowerMagic" ], "source_id": "ETDA", "reports": null }, { "id": "ff5a7bd9-75a5-43fe-ba4c-27dab43e1f61", "created_at": "2023-11-07T02:00:07.086058Z", "updated_at": "2026-04-10T02:00:03.403516Z", "deleted_at": null, "main_name": "RedStinger", "aliases": [ "Bad Magic" ], "source_name": "MISPGALAXY:RedStinger", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5d1a4f32-cc52-4ee8-acab-993cfa2ef5ad", "created_at": "2024-07-09T02:00:04.425917Z", "updated_at": "2026-04-10T02:00:03.67013Z", "deleted_at": null, "main_name": "CloudSorcerer", "aliases": [], "source_name": "MISPGALAXY:CloudSorcerer", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b1db2dce-5a2b-4fc4-85c2-d184acc956a0", "created_at": "2024-08-28T02:02:09.272572Z", "updated_at": "2026-04-10T02:00:04.622449Z", "deleted_at": null, "main_name": "CloudSorcerer", "aliases": [ "Operation EastWind" ], "source_name": "ETDA:CloudSorcerer", "tools": [ "GrewApacha", "PlugY", "The CloudSorcerer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434722, "ts_updated_at": 1775791746, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/39bdd3cb214d7de4220b85748ca28cc13879002a.pdf", "text": "https://archive.orkl.eu/39bdd3cb214d7de4220b85748ca28cc13879002a.txt", "img": "https://archive.orkl.eu/39bdd3cb214d7de4220b85748ca28cc13879002a.jpg" } }