{
	"id": "71bfed1c-525d-44e5-911f-65dea38e0b86",
	"created_at": "2026-04-06T00:13:41.410579Z",
	"updated_at": "2026-04-10T03:25:40.950687Z",
	"deleted_at": null,
	"sha1_hash": "d5a9b56416720229fec1414e9748ee9ace571827",
	"title": "Uncovering RedStinger – Undetected APT cyber operations in Eastern Europe since 2020",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8514743,
	"plain_text": "Uncovering RedStinger – Undetected APT cyber operations in Eastern Europe since 2020\r\nPublished: 2023-05-10 · Archived: 2026-04-02 12:47:27 UTC\r\nThis blog post was authored by Malwarebytes’ Roberto Santos and Fortinet’s Hossein Jazi\r\nWhile the official conflict between Russia and Ukraine began in February 2022, there is a long history of physical conflict between the two nations, including the 2014 annexation of Crimea by Russia and when the regions of Donetsk and Luhansk declared themselves independent from Ukraine and came under Russia’s umbrella. Given this context, it would not be surprising that the cybersecurity landscape between these two countries has also been tense.\r\nWhile looking for activities from the usual suspects, one of our former coworkers at the Malwarebytes Threat Intelligence Team discovered a new interesting lure that targeted the Eastern Ukraine region and reported that finding to the public. Moreover, we started tracking the actor behind it, which we internally codenamed Red Stinger.\r\nThis investigation remained private for a while, but Kaspersky recently published information about the same actor (which it called Bad Magic). Now that the existence of this group is public, we will also share some of our information about the actor and its tactics.\r\nOur investigation could be helpful to the community as we will provide new undisclosed data about the group. We have identified attacks from the group starting in 2020, meaning that they have remained under the radar for at least three years. Additionally, we will provide insights into the latest campaigns performed by Red Stinger, where we have found that the group has targeted entities in different places of Ukraine.\r\nMilitary, transportation and critical infrastructure were some of the entities being targeted, as well as some involved in the September East Ukraine referendums. 
Depending on the campaign, attackers managed to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings.\r\nFinally, we will reveal unknown scripts and malware run by the group in this report.\r\nTimeline\r\nOur investigation started in September 2022, when one of our former coworkers, Hossein Jazi, discovered an interesting lure that seemed to target some entities over the war context:\r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger\r\nPage 1 of 24\n\nTweet published by @hjazi in September 2022\r\nIn fact, this is the attack that Kaspersky analyzed in its blog. However, this was not the only activity carried out by the group. Malwarebytes has identified multiple operations, the first dated in 2020. The next infographic shows some of the operations recognized by us:\r\nOperations performed by Red Stinger\r\nSince our investigation started in September 2022, information about the initial campaigns has been limited. However, the actor’s tactics, techniques, and procedures (TTPs) are very distinctive, which gives us a high level of confidence in our attribution.\r\nNotes about activity before the war\r\nOP#1 – Late 2020\r\nThe first operation we know of happened in December 2020. Although the infection chain is similar to what was already reported, the attackers were using a slightly different process back in 2020:\r\nOP#1 Infection phase\r\nAn MSI file is downloaded from hxxp://91.234.33.185/f8f44e5de5b4d954a83961e8990af655/update.msi. This first MSI file, when executed, will show the following error to the user:\r\nMSI file used in OP#1\r\nIn the background, this MSI file will execute a .vbs file that runs a dll file. 
The content is encoded using base64:\r\nContents of zip file and detail of shortcut.vbs\r\nSo finally, cachelib.dll will be executed. That file will drop two files named iesync.so and iesync.vbs.\r\niesync.so and iesync.vbs were dropped as part of the OP#1 infection phase\r\nAfter that, the iesync.vbs file will apply an XOR operation to iesync.so. After applying that conversion to the file, we can see that this file is what we called DBoxShell (also called PowerMagic by Kaspersky):\r\nDBoxShell variant used in OP#1\r\nOP#2 – April 2021\r\nWe believe that the attack started with this zip file named ПОСТАНОВЛЕНИЕ № 583-НС.zip. How attackers sent this file to victims is still unknown. The lure in this case was themed about Luhansk:\r\nLure used in OP#2\r\nA valid translation of this document would be:\r\nRESOLUTION\r\ndated March 25, 2021 No. 584-NS\r\nLugansk\r\nOn consideration in the second reading of the draft law\r\nof the Luhansk People’s Republic dated March 19, 2021 No 417-PZ / 21-3\r\n“On Amendments to the Law of the Luhansk People’s Republic\r\n“On physical culture and sports”\r\nПОСТАНОВЛЕНИЕ № 583-НС.zip contains a lnk file as well as the previous pdf. This .lnk file will download an MSI file from the url hxxp://91.234.33.108/u3/ebe9c1f5e5011f667ef8990bf22a38f7/document.msi, and from there, the attack is pretty similar to the one performed in OP#1. There are just a few differences to note; for example, in this case the dll used is named libsys.dll.\r\nDll used at infection phase in OP#2\r\nAlso, as the image shows, paths used the folder winappstorepackage or WinStoreApps instead of CacheWidgets, which was used in OP#1. 
Also, the powershell script is slightly different in this case:\r\nPowershell snippet run in OP#2\r\nNevertheless, the infection phase finally used DBoxShell, as before.\r\nOP#3 – September 2021\r\nWe have very little information about this operation, but based on the TTPs, we have identified overlapping techniques with both previous and subsequent attacks.\r\nMSI file usage is a known signature of the group. Also, the MSI file was downloaded from hxxp://185.230.90.163/df07ac84fb9f6323c66036e86ad9a5f0d118734453342257f7a2d063bf69e39d/attachment.msi. Note the common pattern in urls.\r\n185.230.90.163 belongs to ASN number 56485. All IPs used from 2020 till now belong to the same ASN.\r\nVT telemetry showed common patterns with OP#2.\r\nActivity at the onset of war\r\nAfter the war began, we collected information about two distinct operations.\r\nOP#4 – February 2022\r\nOP#4 is perhaps one of the most interesting attacks performed by the group. As you can see in the following lines, this attack still has some characteristics that led us to attribute it to Red Stinger. Furthermore, the attack has some unique features that make it stand out as one of the most interesting ones.\r\nIn this case, the group used hxxp://176.114.9.192/11535685AB69DB9E1191E9375E165/attachment.msi to download the malicious MSI file. Note once more this common pattern in all URLs used by the group. This MSI file contained a PDF, a .vbs file, and a .dat file:\r\nLure used in OP#4\r\nThe group followed a similar infection chain as in previous operations. 
Finally, a .vbs file was responsible for XORing and executing a .dat file, which contained a small loader and a variant of DBoxShell:\r\nDBoxShell variant used in OP#4\r\nDBoxShell is malware that utilizes cloud storage services as a command and control (C\u0026C) mechanism. This stage serves as an entry point for the attackers, enabling them to assess whether the targets are interesting or not, meaning that in this phase they will use different tools.\r\nA better look at how RedStinger operates can be seen in the next infographic:\r\nCommon pattern in Red Stinger operations\r\nAfter the infection phase, we are aware that actors dropped at least the following artifacts:\r\nSolarTools\r\nIn the reconnaissance phase, we noticed the execution of 2 MSI files named SolarTools.msi and Solar.msi. Both had inside tools named ngrok.exe and rsockstun.exe:\r\nNgrok.exe is a legitimate tool that allows web developers to deploy applications and expose services to the internet.\r\nOther groups also used ngrok for malicious purposes.\r\nRsockstun is a tool that allows attackers to route connections through external proxies.\r\nMore important, we have seen the same version of Solar.msi (02f84533a86fd2d689e92766b1ccf613) on OP#4 and OP#5, allowing us to connect the dots between these two attacks.\r\nvs_secpack.msi\r\nIn addition to SolarTools, starting the exfiltration phase, we also found another file named vs_secpack.msi. This file contains two files: ntinit.exe and ntuser.dat, which will be located under c:/ProgramData/NativeApp. Ntinit.exe is a file that was developed as a Windows Service, named ntmscm.\r\nService created by ntinit.exe\r\nInside that service, eventually a thread will be executed. This thread contains all the functionality. 
Its main purpose is to execute one of the binaries hidden inside ntuser.dat, after some parsing. Also, it will execute C:/ProgramData/user.dat, if found.\r\nvs_secpack.msi will drop ntuser.dat and ntinit.exe files\r\nNtuser.dat is an aggregation of PE files with a leading header and a final chunk. These executables are xored, each one with a different value. The next image shows the header:\r\nDetail of Ntuser.dat header\r\nThis header can be seen as a C structure, defined like this:\r\nstruct head_FirstChunk {\r\n    DWORD signature;      /* file signature */\r\n    DWORD osInstallDate;\r\n    int sizeMz1;          /* sizes of the four XORed PE files that follow the header */\r\n    int sizeMz2;\r\n    int sizeMz3;\r\n    int sizeMz4;\r\n    int sizeConfig;       /* size of the trailing configuration chunk */\r\n    DWORD xorValsMZ1;     /* XOR value used to decode each PE file (one per file) */\r\n    DWORD xorValsMZ2;\r\n    DWORD xorValsMZ3;\r\n    DWORD xorValsMZ4;\r\n};\r\nFollowing this header, four PE files are stored consecutively and XORed. As the previous structure shows, the size and XOR value used to decode these files can be recovered from the header.\r\nntuser.dat contents\r\nWe won’t analyze all MZs one by one, as we want to avoid overwhelming the reader with technical details that are out of scope. For a quick reference, the first MZ was a copy of ntinit.exe and the second was a dll capable of injecting files using the Process Doppelganging technique. Curiously, the InjectorTransactedHollow.dll string was found inside the binary, so possibly that was how attackers named the file originally:\r\nProcess Hollowing technique was used to perform injections in OP#4\r\nThe third was also used for injection purposes. The fourth was the most interesting, because it communicates with a new Dropbox account. Some of these will be injected or used to inject MZs into the legitimate process mobisync.exe.\r\nFinally, the last chunk of ntuser.dat was a configuration file. 
The configuration was encrypted, and looked like this:\r\nConfig file forms the end of ntuser.dat\r\nThat configuration was encrypted using AES. The IV is the first 16 bytes of the config. The key can be recovered from the fourth MZ. In fact, this executable will use this configuration to communicate with Dropbox.\r\nThe decrypted configuration is shown next:\r\nDecrypted config file\r\nThis configuration is pretty representative of the group’s motivation. First of all, we see a new Dropbox account being used. This Dropbox account will be used to gather exfiltrated victims’ data. The exfiltration phase can be considered to start here. Note that attackers will use one account for reconnaissance and a different one for exfiltration.\r\nThe object field was also revealing. It contained a Russian name (redacted for privacy) followed by the letters DNR (probably Donetskaya Narodnaya Respublika, referring to one of the cities declared independent in 2014, and a known target of the group). Victimology will be discussed later.\r\nOP#5\r\nOP#5 was the last known activity we will cover. As Kaspersky already revealed some technical details about this operation, we won’t repeat that analysis again. A link to the analysis made by them can be found at the beginning of this report.\r\nWhat we can do here is provide some extra insights regarding the attack. Let’s start at the Reconnaissance phase.\r\nThe Reconnaissance phase starts right after DBoxShell / GraphShell is executed. This is the GraphShell version used in OP#5:\r\nOP#5 used GraphShell instead of DBoxShell\r\nThe way GraphShell works is pretty simple, and can almost be guessed by viewing the image. 
A folder tree is created:\r\nRoot\r\n    AmazonStore\r\n        clients\r\n        tasks\r\n        results\r\nAnd as DBoxShell does, clients will hold heartbeats from clients, tasks will store tasks that will be executed at some point by victim systems, and results will be uploaded to results.\r\nDETAIL – RECONNAISSANCE PHASE\r\nAs we were actively tracking the actors for a while, we managed to recover most of the actions performed by the attackers at this phase:\r\nSupport app used | Date (UTC) | Event\r\n- | 2022-09-23 | Investigation starts\r\n- | 2022-09-24T02:53 | Документи (Documents) folder is created in OneDrive\r\n- | 2022-09-24T02:53 | Програми (Programs) folder is created in OneDrive\r\n- | 2022-09-24T02:53 | JimmyMorrison43 folder is created under Documents, in OneDrive\r\n- | 2022-09-24T02:54 | Робочий стіл (Desktop) folder is created in OneDrive\r\nListFiles | 2022-09-24T10:25 | Attackers sent a command to victim #1. Attackers were trying to list user files, as show image\r\nStartNgrok#1 | 2022-09-24T10:56 | Attackers sent another command to victim #1. This command is a powershell script wit lines, which executes SolarTools/ngrok.exe.\r\n- | 2022-09-25T16:09 | An additional victim was found infected (Victim #4)\r\n- | 2022-09-27T10:01 | An additional victim was found infected (Victim #5)\r\n- | 2022-09-28T05:07 | An additional victim was found infected (Victim #6)\r\n- | 2022-09-28T05:17 | An additional victim was found infected (Victim #7)\r\nSysInfo | 2022-09-28T06:14 | A new command is sent to Victim #6. The command looks to be a basic reconnaissance\r\n- | 2022-09-28T06:14 | ListFiles performed to Victim #6\r\nSysInfo | 2022-09-28T06:15 | A new command is sent to Victim #7. 
The command looks to be a basic reconnaissance\r\n- | 2022-09-28T06:15 | ListFiles performed to Victim #7\r\nStartNgrok#2 | 2022-09-28T07:54 | Attackers showed interest in Victim #6. They have installed an ngrok application to them downloaded from hxxp://185.166.217.184:2380/ApplicationSolarInstall_q3457y3487wy4t4bheors/S\r\nStartNgrok#1 | 2022-09-28T07:55 | Attackers executed ngrok powershell in Victim #6 machine.\r\n- | 2022-09-28T08:22 | An additional victim was found infected (Victim #8)\r\n- | 2022-09-28T11:37 | An additional victim was found infected (Victim #9)\r\n- | 2022-09-28T13:21 | An additional victim was found infected (Victim #10)\r\nListVars | 2022-09-28T17:38:43 | A new task is sent to Victim #8\r\nListVars | 2022-09-28T17:48:12 | New task to Victim\r\nInstallNewPZZ | 2022-09-29T06:58 | InstallNewPZZ.ps1 was sent to Victim#6\r\nInstallNewPZZ | 20220929_06:59:21 | InstallNewPZZ.ps1 was sent to Victim#1\r\nInstallNewPZZ | 20220929_06:59:49 | InstallNewPZZ.ps1 was sent to Victim#4\r\nInstallNewPZZ | 20220929_07:00:28 | InstallNewPZZ.ps1 was sent to Victim#7\r\nInstallNewPZZ | 20220929_07:06:22 | InstallNewPZZ.ps1 was sent again to Victim#1\r\n- | 20220929_07:11:30 | ps command was sent to Victim#6\r\n- | 20220929_07:11:45 | ps command was sent to Victim#7\r\n- | 20220929_07:13:13 | All.exe and ps was executed in Victim#6\r\n- | 20220929_07:13:30 | All.exe and ps was executed in Victim#7\r\n- | 20220929_07:20:20 | ps executed again in Victim#6\r\n- | 20220929_07:21:45 | ls -r “C:ProgramDataCommonCommand” executed in Victim#6\r\n- | MISSED FILE | [MISSED FILE] – probably schtasks /query\r\n- | 20220929_07:25:08 | schtasks /run /tn “Synchronization App” and ps executed in Victim#6\r\n- | 20220929_07:27:11 | schtasks /run /tn “Synchronization App” and ps executed in Victim#7\r\n- | 20220929_07:30:23 | ls -r “C:ProgramDataCommonCommand” and schtasks /query sent to Victim#7\r\nInstallNewPZZ | 20220929_07:33:34 | InstallNewPZZ.ps1 modification sent to Victim#7\r\n- | 20220929_07:35:41 | ls -r “C:ProgramDataCommonCommand”, 
schtasks /query and ps sent to Victim#7\r\nInstallNewPZZ | 20220929_08:01:30 | InstallNewPZZ.ps1 modification sent to Victim#7\r\n- | 20220929_08:03:16 | ls -r “C:ProgramDataCommonCommand”, schtasks /query and ps sent to Victim#7\r\nSysInfo | 20220929_08:05:27 | sysinfo.ps1 sent to Victim#1\r\nInstallNewPZZ | 20220929_08:16:38 | InstallNewPZZ.ps1 sent to Victim#8\r\n- | 20220929_08:17:17 | ls -r “C:ProgramDataCommonCommand” and ps sent to Victim#7\r\n- | 20220929_08:19:07 | sysinfo.ps1 sent to Victim#1\r\n- | 20220929_08:27:07 | ls “C:Program Files (x86)Internet Explorer” sent to Victim#7\r\nInstallNewPZZ | 20220929_08:30:17 | InstallNewPZZ.ps1 sent to Victim#7\r\n- | 20220929_08:34:27 | ls -r “C:ProgramDataCommonCommand” sent to Victim#7\r\nInstallNewPZZ | 20220929_08:35:33 | InstallNewPZZ.ps1 modification sent to Victim#7\r\n- | 20220929_08:38:13 | ls C:ProgramData sent to Victim#1\r\nInstallNewPZZ | 20220929_08:38:57 | InstallNewPZZ.ps1 modification sent to Victim#7\r\nInstallNewPZZ | 20220929_08:41:12 | InstallNewPZZ.ps1 modification sent to Victim#7\r\nInstallNewPZZ | 20220929_08:41:10 | InstallNewPZZ.ps1 modification sent to Victim#1\r\nInstallNewPZZ | 20220929_09:53:07 | InstallNewPZZ.ps1 modification sent to Victim#2\r\n- | 20220929_11:41:06 | ls -r “C:ProgramDataCommonCommand” and schtasks /query sent to Victim#2\r\nInstallNewPZZ | 20220929_11:44:52 | InstallNewPZZ.ps1 modification sent to Victim#2\r\n- | 20220929_11:46:09 | ps sent to Victim#2\r\nInstallNewPZZ | 20220929_12:42:48 | InstallNewPZZ.ps1 modification sent to Victim#2\r\n- | 20220929_12:43:02 | ls -r “C:ProgramDataCommonCommand” sent to Victim#7\r\n- | 20220930_06:10:41 | StartNgrok.ps1\r\nInstallNewPZZ | 20220930_06:17:40 | InstallNewPZZ.ps1 modification sent to Victim#1\r\n- | 20220930_06:18:01 | ls -r “C:ProgramDataCommonCommand” and schtasks /query sent to Victim#7\r\nInstallNewPZZ | 20220930_06:22:50 | InstallNewPZZ.ps1 modification sent to 
Victim#7\r\nInstallNewPZZ | 20220930_06:24:10 | InstallNewPZZ.ps1 modification sent to Victim#7\r\n- | 20221003_07:28:08 | AppsJustForFunNoMatterWhatYouWant sent to Victim#1\r\nLd_dll_loader | 20221003_07:28:24 | ld_dll_loader.ps1 executed in Victim#1\r\n- | 20221003_07:28:41 | ls “C:ProgramData” and ps executed in Victim#1\r\nLd_dll_loader | 20221003_07:28:57 | ld_dll_loader.ps1 executed in Victim#2\r\nLd_dll_loader | 20221003_07:42:51 | ld_dll_loader.ps1 executed in Victim#2\r\n- | 20221003_07:43:07 | ls “C:ProgramData” and ps executed in Victim#2\r\nStartRevSocks | 20221005_14:25:50 | StartRevSocks.ps1 was executed at Victim#3\r\n- | 20221007_07:32:24 | New Client\r\n- | 20221007_14:46:49 | New Client\r\nBelow are indicated some of the scripts used in this phase:\r\nListFiles\r\nStartNgrok\r\nReconnaissance\r\nInstallPZZ\r\nLd_dll_loader\r\nStartRevSocks\r\nAfter that, by using some of the tooling analyzed by Kaspersky, the exfiltration phase starts.\r\nVictimology\r\nOP#4\r\nAs this operation happened before our investigation started, we cannot determine how many victims were infected. However, at the time we began monitoring, we still had information about two victims. Surprisingly, these two victims were located in central Ukraine. This is interesting because all the information had previously pointed to East Ukraine, where the Donbass region is located.\r\nMap of Ukraine, where known targets in OP#4 were highlighted\r\nOne of the victims was a military target, but the activity on this target was only carried out for a few hours. 
We have reason to believe that the user noticed something wrong, and executed an antimalware solution shortly after being infected, which likely detected and cleaned the system.\r\nAs far as we know, attackers managed to exfiltrate from this target several screenshots, microphone recordings and some office documents.\r\nThe other victim we found was located in Vinnitsya. The target was an officer working in critical infrastructure. Attackers carried out extensive and long surveillance of this victim, which extended until Jan 2023. They exfiltrated screenshots, microphone recordings and office documents, but keystrokes were also uploaded.\r\nOP#5\r\nWith the victimology shared in OP#4, we may think that this was a group targeting only UA-aligned entities. However, the analysis of OP#5 revealed an interesting fact: it mainly targeted RU-aligned entities.\r\nREFERENDUM TARGETS\r\nOP#5 started in September 2022. Back in those days, Russia held referendums in Luhansk, Donetsk, Zaporizhzhia and Kherson. While that was happening, Red Stinger targeted and surveilled officers and individuals involved in those elections.\r\nTwo victims attacked in OP#5 were workers at the Yasinovataya Administration (Donetsk). Another victim was also part of the DPR administration, in Port Mariupol. All of them were performing different activities regarding the elections. We also found one victim holding the advisor position at the CEC (Central Election Commission). According to Wikipedia, “The Central Election Commission of the Russian Federation (Russian: Центральная избирательная комиссия Российской Федерации, abbr. 
ЦИК, also Центризбирком) is the superior power body responsible for conducting federal elections and overseeing local elections in the Russian Federation”.\r\nCentral Election Commission of the Russian Federation (CIK) stamp\r\nRegarding the CEC, we had seen another victim codenamed CIK_03D502E0. CIK is also another term that could refer to the CEC. Attackers showed great interest in this one, as this victim was one of the only ones with its own name (some were just identified by using a drive ID). Also, USB drives from that victim were uploaded. The next image shows a small fraction of the filenames exfiltrated by the attackers. To clarify, TИK probably stands for TEC (Territorial Election Commission).\r\nDetail of exfiltrated USB from CIK_03D502E0\r\nThe Reconnaissance phase also revealed some interesting information. DNS records obtained from another victim showed mail.gorod-donetsk.org and pop.gorod-donetsk.org, which could suggest that the victim was part of the DPR administration.\r\nFrom that same victim, those DNS records revealed connections to xn--j1ab.xn--b1adbccegehv4ahbyd6o2c.xn--p1ai (лк[.]лидерывозрождения[.]рф), which translates to Revival Leaders. That website was created “on behalf of Putin”, and is a contest to find potential leaders and fill positions in Kherson, Zaporozhye, DPR and Lugansk. It is unclear which positions will be filled by that, but winners were promised 1.000.000 rubles for a personally chosen training program in the Russian Federation.\r\nлк[.]лидерывозрождения[.]рф webpage photo\r\nOTHER VICTIMS\r\nIn addition to the victims involved in the September referendums, we also identified two other victims that did not seem to be related to the elections. 
One of them appeared to be related to the transportation ministry or equivalent, codenamed by the attackers as ZhdDor, which could be translated as “railroad.” We also found additional data that suggested that the attackers could be interested in transportation.\r\nFurthermore, we discovered that a library in Vinnitsya was infected in OP#5. Although this victim was UA-aligned, we do not understand why it was a target, especially since it was the only UA entity targeted in OP#5. However, it is worth noting that in OP#4, an entity located in Vinnitsya was also targeted.\r\nEASTERN EGG\r\nFinally, we have 2 victims named TstSCR and TstVM. It turns out that attackers, at some point, infected their own machines in order to carry out some testing, or by mistake.\r\nExfiltrated screenshot showing one of the attacker’s machines\r\nThis first image is a good example of that. First of all, we noticed that the keyboard language was set to ENG, which is unexpected. This may suggest that the group was composed of native English speakers. However, we find it strange because of the way they named the project folder (internet_WORK). We cannot be certain, but we believe that no native speaker would use that naming convention.\r\nExfiltrated screenshot showing one of the attacker’s machines while debugging Overall.exe\r\nThis second image is also worth showing. As you may notice, this is the source code of the file Overall.exe (reported by researchers), while being debugged. Also, some of the victim folders we named in this report are shown as part of the sources.\r\nExfiltrated screenshot showing one of the attacker’s machines. Some internal paths were shown in that screenshot.\r\nFor the account TstVM we chose this screenshot. 
In this case, attackers were developing a tool they use to tunnel victim communications. It can be seen (redacted) how the source code reveals external IP addresses used by them, as well as some internal ones, names of machines that we have not redacted and even passwords.\r\nAnalysis of these machines also revealed the usage of the application AdvOr, used for tunneling communications through TOR.\r\nAttribution\r\nIn this case, attributing the attack to a specific country is not an easy task. Any of the involved countries or aligned groups could be responsible, as some victims were aligned with Russia, and others were aligned with Ukraine.\r\nWhat is clear is that the principal motive of the attack was surveillance and data gathering. The attackers used different layers of protection, had an extensive toolset for their victims, and the attack was clearly targeted at specific entities. Perhaps in the future, further events or additional activity from the group can shed light on the matter.\r\nIndicators of Compromise\r\nOP#1\r\nType   SHA256\r\nHost 91[.]234.33.185\r\nLNK 41589c4e712690af11f6d12efc6cca2d584a53142782e5f2c677b4e980fae5bd\r\nMSI C68ce59f73c3d5546d500a296922d955ccc57c82b16ce4bd245ca93de3e32366\r\nDLL 9e73dacedf847410dd4a0caa6aac83d31f848768336514335d4872d0fde28202\r\nDLL B6491d99d7193499a320bf6ad638146193af2ced6128afe8af3666a828f1b900\r\nB2c2b232bc63c8feb22b689e44ce2fb5bf85f228fef665f2f1517e542e9906c6\r\nA924dd46b6793ec82e1f32e3fb4215295e21c61eaafc7995cb08c20c5fbadc47\r\nOP#2\r\nType   SHA256\r\nHost 91[.]234.33.108\r\nZIP 301e819008e19b9803ad8b75ecede9ecfa5b11a3ecd8df0316914588b95371c8\r\nLNK D956f2bf75d2fe9bf0d7c319b22a834976f1786b09ff1bba0d2e26c771b19ca2\r\nDLL 
9a6d4ac64fa6645c58a19b8c8795a8cb586b82f6a77aaf8f06eb83ba1f1390e8\r\n2643B38BDAD89168BAEA4226DD6496B91ED283330B2C5D8CA134BEFA796E0F34\r\n1FA2B3315FB2A12E65FD5258D1395597101F225E7BC204F672BCF253C82AEA55\r\nOP#3\r\nType   SHA256\r\nHost 185[.]230.90.163\r\nOP#4\r\nType   SHA256\r\nHost 45[.]154.116.147\r\nHost 176[.]114.9.192\r\nMSI 2ac977e6883405e68671d523eab41fe4162b0a20fac259b201ac460a691d3f79\r\nPowerShell 78634be886ccb3949c8e5b8f0893cff32c474a466e4d4ceba35ba05c3d373bff\r\nF7437b4b011e57394c264ed42bb46ad6f2c6899f9ca62f507bebbff29f2a3d3f\r\nDfc1e73685d3f11a3c64a50bb023532963807193169d185584f287aa8ce22a8b\r\nEXE Ce9af73be2981c874b37b767873fa4d47219810e2672bf7e0b5af8c865448069\r\nFbe650223893284282e0be8f7719b554ff7a1d9fbbc72d3e17a47a9a1ceb6231\r\nDfa442780702863bf5c71af0c475743eef754743c3d0336ff8c5032a30f30dc0\r\n12f16409b6191e3b2c5fd874cca5010711347d28900c108506dbc7f4d403c365\r\nOP#5\r\nType   SHA256\r\nHost 185[.]166.217.184\r\nZIP 961c52567232c1f98c04b1e605c34b0309ff280afe01e1a31384589e30eccf05\r\nLNK Fb48b9102388620bb02d1a47297ba101f755632f9a421d09e9ab419cbeb65db8\r\nMSI 9c16cf1f962bf736e3d6fb9ec3a37bb6f92c5f6cb1886d4332694ccc94735de8\r\nVBS 78634be886ccb3949c8e5b8f0893cff32c474a466e4d4ceba35ba05c3d373bff\r\nMSI 4808815cb03b5f31841c74755897b65ed03e56dbddbe0d1fed06af3710f32d51\r\nZIP 22bb73e97b01be2e11d741f3f4852380b3dae91d9ac511f33de8877a9e7c0534\r\nLNK C75d905cd7826182505c15d39ebe952dca5b4c80fb62b8f7283fa09d7f51c815\r\nF405a26904d2f6aaf4ff5f24dc345a24751d13b691a0bf17ba8c94f08ebb8b5b\r\nAa0e722832b1a039c96fd9ff169df8f48419f48e1dacf88633a5c561e6db0ba5\r\n8aa19e3654f6c26b6c564a8103781174abc540384b20f645e87531c754814cf1\r\n0e4b133fe7562fe5a65a8b7463f0c4f69d951f18d351cafe44e5cae393392057\r\nEXE Bc93ef8e20f2a9a8799934d629fe494d5d82ea49e06ed8fb00ea6cc2e96f407e\r\nEXE 
82e4b4fddf5ea7b7c846d44bcc24d75edcec5726dfa5b81b9f43387a1fc1922a\r\n332f6e99403841998f950ce2543b4a54c78aace2a2e1901b08917f63c7faa2f4\r\nEXE 052309916380ef609cacb7bafbd71dc54b57f72910dca9e5f0419204dba3841d\r\nEXE D6b5f48d4e94207a5a192c1784f9f121b59311bfd6a5e94be7c55b0108c4ed93\r\nEXE 4a5f9f62ef8dfae47b164a4d46d242a19a11061284325e560df22b4da44bb97d\r\nEXE 70801ef4f485ba4eb8a76da0d50fc53563d82fdf37951b421b3ae864a04ccd1c\r\nSource: https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger"
	],
	"report_names": [
		"redstinger"
	],
	"threat_actors": [
		{
			"id": "3f918a1b-2f20-4f3f-ae16-31e83d9d91d9",
			"created_at": "2023-06-23T02:04:34.088425Z",
			"updated_at": "2026-04-10T02:00:04.573175Z",
			"deleted_at": null,
			"main_name": "Bad Magic",
			"aliases": [
				"Bad Magic",
				"CloudWizard",
				"RedStinger"
			],
			"source_name": "ETDA:Bad Magic",
			"tools": [
				"CommonMagic",
				"PowerMagic"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ff5a7bd9-75a5-43fe-ba4c-27dab43e1f61",
			"created_at": "2023-11-07T02:00:07.086058Z",
			"updated_at": "2026-04-10T02:00:03.403516Z",
			"deleted_at": null,
			"main_name": "RedStinger",
			"aliases": [
				"Bad Magic"
			],
			"source_name": "MISPGALAXY:RedStinger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434421,
	"ts_updated_at": 1775791540,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5a9b56416720229fec1414e9748ee9ace571827.pdf",
		"text": "https://archive.orkl.eu/d5a9b56416720229fec1414e9748ee9ace571827.txt",
		"img": "https://archive.orkl.eu/d5a9b56416720229fec1414e9748ee9ace571827.jpg"
	}
}