{
	"id": "52764ead-11c3-488b-9f3b-5386b1582faf",
	"created_at": "2026-04-06T00:10:10.540121Z",
	"updated_at": "2026-04-10T13:11:31.744316Z",
	"deleted_at": null,
	"sha1_hash": "cbd7e2979140ce092001446e8d53e287550753a1",
	"title": "CloudWizard APT: the bad magic story goes on",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1957298,
	"plain_text": "CloudWizard APT: the bad magic story goes on\r\nBy Leonid Bezvershenko\r\nPublished: 2023-05-19 · Archived: 2026-04-05 15:32:00 UTC\r\nIn March 2023, we uncovered a previously unknown APT campaign in the region of the Russo-Ukrainian conflict\r\nthat involved the use of PowerMagic and CommonMagic implants. However, at the time it was not clear which\r\nthreat actor was behind the attack. Since the release of our report about CommonMagic, we have been looking for\r\nadditional clues that would allow us to learn more about this actor. As we expected, we have been able to gain a\r\ndeeper insight into the “bad magic” story.\r\nWhile looking for implants bearing similarities with PowerMagic and CommonMagic, we identified a cluster of\r\neven more sophisticated malicious activities originating from the same threat actor. What was most interesting\r\nabout it is that its victims were located not only in the Donetsk, Lugansk and Crimea regions, but also in central\r\nand western Ukraine. Targets included individuals, as well as diplomatic and research organizations. The newly\r\ndiscovered campaign involved using a modular framework we dubbed CloudWizard. Its features include taking\r\nscreenshots, microphone recording, keylogging and more.\r\nOver the years, the infosec community has discovered multiple APTs operating in the Russo-Ukrainian conflict\r\nregion – Gamaredon, CloudAtlas, BlackEnergy and many others. Some of these APTs have long been forgotten in\r\nthe past – such as Prikormka (Operation Groundbait), discovered by ESET in 2016. While there have been no\r\nupdates about Prikormka or Operation Groundbait for a few years now, we discovered multiple similarities\r\nbetween the malware used in that campaign, CommonMagic and CloudWizard. Upon further investigation, we\r\nfound that CloudWizard has a rich and interesting history that we decided to dig into. We also shared our findings\r\nat the cybersecurity conference Positive Hack Days. 
You can watch our presentation here.\r\nInitial findings\r\nOur investigation started with telemetry data coming from an active infection, with malware running as a\r\nsuspicious Windows service named “syncobjsup”. This service was controlled by a DLL with an equally\r\nsuspicious path “C:\\ProgramData\\Apparition Storage\\syncobjsup.dll”. Upon execution, we found this DLL to\r\ndecrypt data from the file mods.lrc that is located in the same directory as the DLL. The cipher used for decryption\r\nwas RC5, with the key 88 6A 3F 24 D3 08 A3 85 E6 21 28 45 77 13 D0 38. However, decryption of the file with\r\nthe standard RC5 implementation yielded only junk data. A closer look into the RC5 implementation in the sample\r\nrevealed that it was faulty:\r\nfor (i = 0; i \u003c 4; i += 2)\r\n{\r\n    A = buf[i];\r\n    B = buf[i + 1];\r\n    for (j = 12; j \u003e 0; --j)\r\n    {\r\n        v2 = rotate_right(B - S[2 * i + 1], A); // faulty: the round-key index uses i instead of j\r\n        B = A ^ v2;\r\n        A ^= v2 ^ rotate_right(A - S[2 * i], A ^ v2);\r\n    }\r\n}\r\nThe bug is in the inner loop: it uses the variable i instead of j.\r\nA search for this incorrect implementation revealed a GitHub gist of the code that was likely borrowed by the\r\nimplant’s developers. 
In the comments to this gist, GitHub users highlight the error:\r\nWhat is also interesting is that the key from the gist is the same as the one used in the syncobjsup.dll library.\r\nThe decrypted file looked to us like a virtual file system (VFS), containing multiple executables and their JSON-encoded configurations:\r\nEach entry in this VFS contains magic bytes (‘CiCi’), a ROR6 hash of the entry name, as well as the entry size\r\nand contents.\r\nInside mods.lrc, we found:\r\nThree DLLs (with export table names Main.dll, Crypton.dll and Internet.dll);\r\nA JSON configuration of these DLLs.\r\nThe syncobjsup.dll DLL iterates over VFS entries, looking for an entry with the name “Main” (ROR6 hash:\r\n0xAA23406F). This entry contains CloudWizard’s Main.dll orchestrator library, which is reflectively loaded and\r\nlaunched by invoking its SvcEntry export.\r\nDigging into the orchestrator\r\nUpon launching, the orchestrator spawns a suspended WmiPrvSE.exe process and injects itself into it. From the\r\nWmiPrvSE.exe process, it makes a backup of the VFS file, copying mods.lrc to mods.lrs. It then parses mods.lrs\r\nto obtain all the framework module DLLs and their configurations. 
As mentioned above, configurations are JSON\r\nfiles with dictionary objects:\r\n{\r\n    \"Screenshot\": {\r\n        \"type\": \"3\",\r\n        \"intervalSec\": \"4\",\r\n        \"numberPack\": \"24\",\r\n        \"winTitle\": [\r\n            \"SKYPE\",\r\n            \"VIBER\"\r\n        ]\r\n    },\r\n    \"Keylogger\": {\r\n        \"bufSize\": \"100\"\r\n    },\r\n    \"Microphone\": {\r\n        \"intervalSec\": \"500\",\r\n        \"acousticStart\": \"1\"\r\n    }\r\n}\r\nThe orchestrator itself contains a configuration with parameters such as:\r\nVictim ID (e.g., 03072020DD);\r\nFramework version (latest observed version is 5.0);\r\nInterval between two consecutive heartbeats.\r\nAfter launching modules, the orchestrator starts communicating with the attackers by sending heartbeat messages.\r\nEach heartbeat is a JSON file with victim information and a list of loaded modules:\r\n{\r\n    \"name\": \"\u003cvictim_id\u003e\",\r\n    \"romoID\": \"2\",\r\n    \"bitOS\": \"64\",\r\n    \"version\": \"5.0\",\r\n    \"serial\": \"\u003cinfection_timestamp\u003e\",\r\n    \"keyID\": \"\u003ckey_id\u003e\",\r\n    \"ip\": \"0.0.0.0\",\r\n    \"state\": [\r\n        \"Main\",\"Crypton\",\"Internet\",\"Screenshot\",\r\n        \"USB\",\"Keylogger\",\"Gmail\"\r\n    ],\r\n    \"state2\": [\r\n        {\"Module\": \"Main\",\"time_mode\": \"2\",\"Version\": \"4.7\"},\r\n        {\"Module\": \"Crypton\",\"time_mode\": \"2\",\"Version\": \"1.0\"},\r\n        {\"Module\": \"Internet\",\"time_mode\": \"2\",\"Version\": \"0.07\"},\r\n        {\"Module\": \"Screenshot\",\"time_mode\": \"2\",\"Version\": \"0.01\"},\r\n        {\"Module\": \"USB\",\"time_mode\": \"2\",\"Version\": 
\"0.01\"},\r\n        {\"Module\": \"Keylogger\",\"time_mode\": \"2\",\"Version\": \"0.01\"},\r\n        {\"Module\": \"Gmail\",\"time_mode\": \"2\",\"Version\": \"0.06\"}\r\n    ]\r\n}\r\nThis JSON string is encrypted with the cryptography module (Crypton.dll from the VFS) and sent to the attackers\r\nwith the internet communication module (Internet.dll).\r\nIn response to the heartbeats, the orchestrator receives commands allowing it to perform module management:\r\ninstall, start, stop, delete modules or change their configurations. Each command contains magic bytes (DE AD\r\nBE EF) and a JSON string (e.g., {\"Delete\": [\"Keylogger\", \"Screenshot\"]} ), optionally followed by a module\r\nDLL file.\r\nEncryption and communication\r\nAs we have mentioned above, two modules (Crypton.dll and Internet.dll) are bundled with every installation of\r\nthe CloudWizard framework. The Crypton module performs encryption and decryption of all communications. It\r\nuses two encryption algorithms:\r\nHeartbeat messages and commands are encrypted with AES (the key is specified in the JSON configuration\r\nVFS file)\r\nOther data (e.g., module execution results) is encrypted with a combination of AES and RSA. 
First, the\r\ndata is encrypted with a generated pseudorandom AES session key, and then the AES key is encrypted with\r\nRSA.\r\nif ( buffers-\u003eresults.lenstr \u0026\u0026 buffers-\u003eresults.str ) {\r\n    // Wrap the AES session key with the operators' RSA public key\r\n    v10 = RSA_Encrypt(AES_KEY, 32, \u0026v8, \u0026v7, pubKey, pubKeySize);\r\n    if (v10) {\r\n        free(v8);\r\n        return v10;\r\n    }\r\n    // Encrypt the module results with the AES session key\r\n    v10 = AES_Encrypt(buffers-\u003eresults.str,\r\n                      buffers-\u003eresults.lenstr,\r\n                      \u0026v4, \u0026v6, AES_KEY);\r\n    if (v10)\r\n        goto LABEL_11;\r\n}\r\nif (buffers-\u003estate.lenstr \u0026\u0026 buffers-\u003estate.str) {\r\n    // Encrypt the state buffer with AES under a separate key (phpKey)\r\n    v10 = AES_Encrypt(buffers-\u003estate.str,\r\n                      buffers-\u003estate.lenstr,\r\n                      \u0026v3, \u0026v5, phpKey);\r\n    if (v10)\r\n        goto LABEL_11;\r\n}\r\nThe internet connection module relays the encrypted data to the malware operators. It supports four different\r\ncommunication types:\r\nCloud storages: OneDrive, Dropbox, Google Drive\r\nWeb-based C2 server\r\nThe primary cloud storage is OneDrive, while Dropbox and Google Drive are used if OneDrive becomes\r\ninaccessible. The module’s configuration includes OAuth tokens required for cloud storage authentication.\r\nAs for the web server endpoint, it is used when the module can’t access any of the three cloud storages. 
To interact\r\nwith it, it makes a GET request to the URL specified in its configuration, getting new commands in response.\r\nThese commands likely include new cloud storage tokens.\r\nWhile examining the strings of the network module, we found a string containing the directory name from the\r\ndeveloper’s machine: D:\\Projects\\Work_2020\\Soft_Version_5\\Refactoring.\r\nModule arsenal\r\nInformation gathering is performed through auxiliary DLL modules that have the following exported functions:\r\nStart: Starts the module\r\nStop: Stops the module\r\nWhoami: Returns a JSON object with information about the module (e.g., {\"Module\":\"Keylogger \",\"time_mode\":\"2\",\"Version\":\"0.01\"} ). The time_mode value indicates whether the module is persistent (1 – no, 2 – yes).\r\nGetResult: Returns the results of module execution (e.g., collected screenshots, microphone recordings, etc.). Most modules return results in the form of ZIP archives that are stored in memory.\r\nGetSettings: Returns the module configuration\r\nModules can persist upon reboot (in this case they are saved in the mods.lrs VFS file) or be executed in memory until\r\nthe machine is shut down or the module is deleted by the operator.\r\nIn total, we found nine auxiliary modules performing different malicious activities such as file gathering,\r\nkeylogging, taking screenshots, recording the microphone and stealing passwords.\r\nThe module that looked most interesting to us is the one that performs email exfiltration from Gmail accounts. To\r\ndo so, it reads Gmail cookies from browser databases. Then, it uses the obtained cookies to access the\r\nGmail web interface in legacy mode by making a GET request to https://mail.google.com/mail/u/\u003caccount ID\u003e/?\r\nui=html\u0026zy=h. 
When legacy mode is accessed for the first time, Gmail prompts the user to confirm whether they\r\nreally want to switch to legacy mode, sending the following webpage in response:\r\nIf the module receives such a prompt, it simulates a click on the “I’d like to use HTML Gmail” button by making\r\na POST request to a URL from the prompt’s HTML code.\r\nHaving obtained access to the legacy web client, the module exfiltrates activity logs, the contact list and all the\r\nemail messages.\r\nWhat’s also interesting is that the code for this module was partially borrowed from the leaked Hacking Team\r\nsource code.\r\nBack to 2017\r\nAfter obtaining the CloudWizard orchestrator and its modules, we were still missing one part of the infection\r\nchain: the framework installer. While searching through older telemetry data, we were able to identify multiple\r\ninstallers that were used from 2017 to 2020. The version of the implant installed at that time was 4.0 (as we wrote\r\nabove, the most recent version we observed is 5.0).\r\nThe uncovered installer is built with NSIS. 
When launched, it drops three files:\r\nC:\\ProgramData\\Microsoft\\WwanSvc\\WinSubSvc.exe\r\nC:\\ProgramData\\Microsoft\\MF\\Depending.GRL (in other versions of the installer, this file is also placed\r\nunder C:\\ProgramData\\Microsoft\\MF\\etwdrv.dll)\r\nC:\\ProgramData\\System\\Vault\\etwupd.dfg\r\nAfterwards, it creates a service called “Windows Subsystem Service” that is configured to run the WinSubSvc.exe\r\nbinary on every startup.\r\nIt is worth noting that the installer displays a message with the text “Well done!” after infection:\r\nThis may indicate that the installer we discovered is used to deploy CloudWizard via physical access to target\r\nmachines, or that the installer attempts to mimic a “Network Settings” configurator (as displayed in the window\r\ntitle).\r\nThe old (4.0) and new (5.0) CloudWizard versions have major differences, as outlined in the table below:\r\nVersion 4.0: Network communication and cryptography modules are contained within the main module.\r\nVersion 5.0: Network communication and cryptography modules are separate from each other.\r\nVersion 4.0: Framework source file compilation directory: D:\\Projects\\Work_2020\\Soft_Version_4\\Service\r\nVersion 5.0: Framework source file compilation directory: D:\\Projects\\Work_2020\\Soft_Version_5\\Refactoring\r\nVersion 4.0: Uses RC5 (hard-coded key: 7Ni9VnCs976Y5U4j) from the RC5Simple library for C2 server traffic\r\nencryption and decryption.\r\nVersion 5.0: Uses RSA and AES for C2 server traffic encryption and decryption (the keys are specified in a\r\nconfiguration file).\r\nAttribution magic\r\nAfter spending considerable time researching CloudWizard, we decided to look for clues that would allow us to\r\nattribute it to an already known actor. CloudWizard reminded us of two campaigns observed in Ukraine and\r\nreported in public: Operation Groundbait and Operation BugDrop. 
Operation Groundbait was first described by\r\nESET in 2016, with the first implants observed in 2008. While investigating Operation Groundbait, ESET\r\nuncovered the Prikormka malware, which is “the first publicly known Ukrainian malware that is being used in\r\ntargeted attacks”. According to ESET’s report, the threat actors behind Operation Groundbait “most likely operate\r\nfrom within Ukraine”.\r\nAs for Operation BugDrop, it is a campaign discovered by CyberX in 2017. In their report, CyberX claims\r\n(without providing strong evidence) that Operation BugDrop has similarities with Operation Groundbait. And\r\nindeed, we have discovered evidence confirming this:\r\nPrikormka USB DOCS_STEALER module (MD5: 7275A6ED8EE314600A9B93038876F853B957B316)\r\ncontains the PDB path D:\\My\\Projects_All\\2015\\wallex\\iomus1_gz\\Release\\iomus.pdb;\r\nBugDrop USB stealer module (MD5: a2c27e73bc5dec88884e9c165e9372c9) contains the PDB path\r\nD:\\My\\Projects_All\\2016\\iomus0_gz\\Release\\usdlg.pdb.\r\nThe following facts allow us to conclude with medium to high confidence that the CloudWizard framework is\r\noperated by the actor behind Operation Groundbait and Operation BugDrop:\r\nESET researchers found the loader DLL of CloudWizard version 4.0 (with the export name LCrPsdNew.dll)\r\nto be similar to a Prikormka DLL. The similarity between these two files has been noted in the Virus\r\nBulletin 2019 talk ‘Rich headers: leveraging the mysterious artifact of the PE format’ (slide 42).\r\nSlide 42 of the VB2019 ‘Rich headers: leveraging the mysterious artifact of the PE format’ talk\r\nESET detects a loader of a CloudWizard v. 
4 sample (MD5: 406494bf3cabbd34ff56dcbeec46f5d6, PDB\r\npath: D:\\Projects\\Work_2017\\Service\\Interactive Service_system\\Release\\Service.pdb) as\r\nWin32/Prikormka.CQ.\r\nAccording to our telemetry data, multiple infections with the Prikormka malware ended with a subsequent\r\ninfection with the CloudWizard framework.\r\nThe implementation of several CloudWizard modules resembles that of the corresponding Prikormka\r\nand BugDrop modules, though rewritten from C to C++:\r\nUSB stealer modules retrieve the serial numbers and product IDs of connected USB devices via the\r\nIOCTL_STORAGE_QUERY_PROPERTY system call. The default fallback value in case of failure\r\nis the same, “undef”.\r\nRetrieval of USB device serial number and product ID in BugDrop (MD5:\r\nF8BDE730EA3843441A657A103E90985E)\r\nRetrieval of USB device serial number and product ID in CloudWizard (MD5:\r\n39B01A6A025F672085835BD699762AEC)\r\nAssignment of the ‘undef’ string in BugDrop (left) and CloudWizard (right) in the samples above\r\nThe modules for taking screenshots use the same list of window names that trigger an increase in\r\nthe frequency of screenshot taking: ‘Skype’ and ‘Viber’. 
CloudWizard and Prikormka share the\r\nsame default value for the screenshot taking interval (15 minutes).\r\nComparison of the window title text in Prikormka (MD5:\r\n16793D6C3F2D56708E5FC68C883805B5)\r\nAddition of the ‘SKYPE’ and ‘VIBER’ strings to a set of window titles in CloudWizard (MD5:\r\n26E55D10020FBC75D80589C081782EA2)\r\nThe file listing modules in both Prikormka and CloudWizard samples have the same name: Tree.\r\nThey also use the same format string for directory listings: “\\t\\t\\t\\t\\t(%2.2u,%2.2u.%2.2u.%2.2u)\\n”.\r\nUse of the same format string for directory listings in Prikormka (above, MD5:\r\nEB56F9F7692F933BEE9660DFDFABAE3A) and CloudWizard (below, MD5:\r\nBFF64B896B5253B5870FE61221D9934D)\r\nMicrophone modules record sound in the same way: first making a WAV recording using the Windows\r\nMultimedia API and then converting it to MP3 using the LAME library. While this pattern is\r\ncommon in malware, the strings used to specify settings for the LAME library are specific: 8000 Hz\r\nand 16 Kbps. Both Prikormka and CloudWizard modules extract integers from these strings, using\r\nthem in the LAME library.\r\nA similar order of extensions is used in extension lists found in Prikormka and CloudWizard\r\nmodules:\r\nExtension lists in Prikormka (left, MD5: EB56F9F7692F933BEE9660DFDFABAE3A) and\r\nCloudWizard (right, MD5: BFF64B896B5253B5870FE61221D9934D)\r\nIn Prikormka, the names of files to be uploaded to the C2 server have the name format\r\nmm.yy_hh.mm.ss.\u003cextension\u003e. In CloudWizard, the files have the name format dd.mm.yyyy_hh.mm.ss.ms.dat. 
The date\r\nsubstituted into the name format strings is retrieved from the GetLocalTime API function.\r\nThe C2 servers of both Prikormka and CloudWizard are hosted by Ukrainian hosting services.\r\nAdditionally, there are similarities between BugDrop and CloudWizard in terms of exfiltrating files to the\r\nDropbox cloud storage.\r\nVictims of Prikormka, BugDrop and CloudWizard are located in western and central Ukraine, as well as\r\nthe area of conflict in Eastern Europe.\r\nAs for the similarities between CloudWizard and CommonMagic, they are as follows:\r\nThe code that performs communication with OneDrive is identical in both frameworks. We did not find\r\nthis code to be part of any open-source library. This code uses the same user agent: “Mozilla/5.0 (Windows\r\nNT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36\r\nEdge/12.10136”.\r\nThe same strings in the internet communication module of CloudWizard (left, MD5:\r\n84BDB1DC4B037F9A46C001764C115A32) and CommonMagic (right, MD5:\r\n7C0E5627FD25C40374BC22035D3FADD8)\r\nBoth frameworks, CloudWizard (version 4) and CommonMagic, use the RC5Simple library for encryption.\r\nFiles encrypted with RC5Simple start with a 7-byte header, which is set to ‘RC5SIMP’ in the library source\r\ncode. However, this value has been changed in the malicious implants: DUREX43 in CloudWizard and\r\nHwo7X8p in CommonMagic. Additionally, CloudWizard and CommonMagic use the RapidJSON library\r\nfor parsing JSON objects.\r\nNames of files uploaded to the C2 server in CommonMagic have the format mm.dd_hh.mm.ss.ms.dat (in\r\nCloudWizard, the name format is dd.mm.yyyy_hh.mm.ss.ms.dat).\r\nVictim IDs extracted from CloudWizard and CommonMagic samples are similar: they contain a date\r\nfollowed by two identical letters, e.g. 
03072020DD, 05082020BB in CloudWizard and\r\nWorkObj20220729FF in CommonMagic.\r\nVictims of CommonMagic and CloudWizard are located in the area of conflict in Eastern Europe.\r\nSo what?\r\nWe initiated our investigation back in 2022, starting with simple malicious PowerShell scripts deployed by an\r\nunknown actor, and ended up discovering and attributing two large related modular frameworks: CommonMagic\r\nand CloudWizard. As our research demonstrates, their origins date back to 2008, the year the first Prikormka\r\nsamples were discovered. Since 2017, there have been no traces of Groundbait and BugDrop operations. However,\r\nthe actor behind these two operations has not ceased their activity, and has continued developing their\r\ncyberespionage toolset and infecting targets of interest for more than 15 years.\r\nIndicators of compromise\r\nNSIS installer\r\nMD5 0edd23bbea61467f144d14df2a5a043e\r\nSHA256 177f1216b55058e30a3ce319dc1c7a9b1e1579ea3d009ba965b18f795c1071a4\r\nLoader (syncobjsup.dll)\r\nMD5 a2050f83ba2aa1c4c95567a5ee155dca\r\nSHA256 041e4dcdc0c7eea5740a65c3a15b51ed0e1f0ebd6ba820e2c4cd8fa34fb891a2\r\nOrchestrator (Main.dll)\r\nMD5 0ca329fe3d99acfaf209cea559994608\r\nSHA256 11012717a77fe491d91174969486fbaa3d3e2ec7c8d543f9572809b5cf0f2119\r\nDomains and IPs\r\n91.228.147[.]23\r\ncurveroad[.]com\r\nSource: https://securelist.com/cloudwizard-apt/109722/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/cloudwizard-apt/109722/"
	],
	"report_names": [
		"109722"
	],
	"threat_actors": [
		{
			"id": "3f918a1b-2f20-4f3f-ae16-31e83d9d91d9",
			"created_at": "2023-06-23T02:04:34.088425Z",
			"updated_at": "2026-04-10T02:00:04.573175Z",
			"deleted_at": null,
			"main_name": "Bad Magic",
			"aliases": [
				"Bad Magic",
				"CloudWizard",
				"RedStinger"
			],
			"source_name": "ETDA:Bad Magic",
			"tools": [
				"CommonMagic",
				"PowerMagic"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4989a6be-779c-49fa-9732-51f44b269ee2",
			"created_at": "2023-01-06T13:46:38.573168Z",
			"updated_at": "2026-04-10T02:00:03.027853Z",
			"deleted_at": null,
			"main_name": "Groundbait",
			"aliases": [],
			"source_name": "MISPGALAXY:Groundbait",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ff5a7bd9-75a5-43fe-ba4c-27dab43e1f61",
			"created_at": "2023-11-07T02:00:07.086058Z",
			"updated_at": "2026-04-10T02:00:03.403516Z",
			"deleted_at": null,
			"main_name": "RedStinger",
			"aliases": [
				"Bad Magic"
			],
			"source_name": "MISPGALAXY:RedStinger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0be8b203-93b1-4d58-bcc1-1a33e15b06c0",
			"created_at": "2023-01-06T13:46:38.808048Z",
			"updated_at": "2026-04-10T02:00:03.108155Z",
			"deleted_at": null,
			"main_name": "Operation BugDrop",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation BugDrop",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "73446bf0-6d25-4f73-ab37-78c41d19ade9",
			"created_at": "2022-10-25T16:07:23.961856Z",
			"updated_at": "2026-04-10T02:00:04.809181Z",
			"deleted_at": null,
			"main_name": "Operation Groundbait",
			"aliases": [],
			"source_name": "ETDA:Operation Groundbait",
			"tools": [
				"Prikormka"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "59abc77c-5d6f-4042-b465-95d2f0857f57",
			"created_at": "2022-10-25T16:07:23.937297Z",
			"updated_at": "2026-04-10T02:00:04.795893Z",
			"deleted_at": null,
			"main_name": "Operation BugDrop",
			"aliases": [],
			"source_name": "ETDA:Operation BugDrop",
			"tools": [
				"Dropbox"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cbd7e2979140ce092001446e8d53e287550753a1.pdf",
		"text": "https://archive.orkl.eu/cbd7e2979140ce092001446e8d53e287550753a1.txt",
		"img": "https://archive.orkl.eu/cbd7e2979140ce092001446e8d53e287550753a1.jpg"
	}
}