Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 19:02:49 UTC
Home > List all groups > CloudSorcerer
 APT group: CloudSorcerer
Names CloudSorcerer (Kaspersky)
Country [Unknown]
Motivation Information theft and espionage
First seen 2024
Description
(Kaspersky) In May 2024, we discovered a new advanced persistent threat (APT)
targeting Russian government entities that we dubbed CloudSorcerer. It’s a
sophisticated cyberespionage tool used for stealth monitoring, data collection, and
exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure.
The malware leverages cloud resources as its command and control (C2) servers,
accessing them through APIs using authentication tokens. Additionally,
CloudSorcerer uses GitHub as its initial C2 server.
CloudSorcerer’s modus operandi is reminiscent of the CloudWizard APT (Bad
Magic, RedStinger) that we reported on in 2023. However, the malware code is
completely different. We presume that CloudSorcerer is a new actor that has adopted
a similar method of interacting with public cloud services.
Observed
Sectors: Government.
Countries: Russia.
Tools used GrewApacha, PlugY, The CloudSorcerer.
Operations performed Jul 2024
Operation “EastWind”
EastWind campaign: new CloudSorcerer attacks on government
organizations in Russia
Information Last change to this card: 27 August 2024
Download this actor card in PDF or JSON format
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=af7a2561-8bf2-4b5c-a1d3-dbfef92fc0a7
Page 1 of 2

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=af7a2561-8bf2-4b5c-a1d3-dbfef92fc0a7
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=af7a2561-8bf2-4b5c-a1d3-dbfef92fc0a7
Page 2 of 2