{
	"id": "b18c36c8-59a2-4c49-9d0d-9a1955bbb2bf",
	"created_at": "2026-04-06T00:16:40.92174Z",
	"updated_at": "2026-04-10T03:25:40.959325Z",
	"deleted_at": null,
	"sha1_hash": "e25c9bc4347adecd3772ea5d24623750015930fd",
	"title": "Bad Magic, RedStinger - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47746,
	"plain_text": "Bad Magic, RedStinger - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 20:42:22 UTC\nHome \u003e List all groups \u003e Bad Magic, RedStinger\n APT group: Bad Magic, RedStinger\nNames\nBad Magic (Kaspersky)\nRedStinger (Malwarebytes)\nCloudWizard (Kaspersky)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2020\nDescription\n(Kaspersky) In October 2022, we identified an active infection of government,\nagriculture and transportation organizations located in the Donetsk, Lugansk, and\nCrimea regions. Although the initial vector of compromise is unclear, the details of\nthe next stage imply the use of spear phishing or similar methods. The victims\nnavigated to a URL pointing to a ZIP archive hosted on a malicious web server.\nObserved\nSectors: Defense, Food and Agriculture, Government, Transportation.\nCountries: Ukraine.\nTools used CommonMagic, PowerMagic.\nOperations performed\n2020\nUncovering RedStinger - Undetected APT cyber operations in\nEastern Europe since 2020\nMay 2023\nCloudWizard APT: the bad magic story goes on\nInformation Last change to this card: 21 June 2023\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=f929ecc7-3be3-4fee-bb7d-3bf5762e6b3d\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f929ecc7-3be3-4fee-bb7d-3bf5762e6b3d\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=f929ecc7-3be3-4fee-bb7d-3bf5762e6b3d\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f929ecc7-3be3-4fee-bb7d-3bf5762e6b3d"
	],
	"report_names": [
		"showcard.cgi?u=f929ecc7-3be3-4fee-bb7d-3bf5762e6b3d"
	],
	"threat_actors": [
		{
			"id": "3f918a1b-2f20-4f3f-ae16-31e83d9d91d9",
			"created_at": "2023-06-23T02:04:34.088425Z",
			"updated_at": "2026-04-10T02:00:04.573175Z",
			"deleted_at": null,
			"main_name": "Bad Magic",
			"aliases": [
				"Bad Magic",
				"CloudWizard",
				"RedStinger"
			],
			"source_name": "ETDA:Bad Magic",
			"tools": [
				"CommonMagic",
				"PowerMagic"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ff5a7bd9-75a5-43fe-ba4c-27dab43e1f61",
			"created_at": "2023-11-07T02:00:07.086058Z",
			"updated_at": "2026-04-10T02:00:03.403516Z",
			"deleted_at": null,
			"main_name": "RedStinger",
			"aliases": [
				"Bad Magic"
			],
			"source_name": "MISPGALAXY:RedStinger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434600,
	"ts_updated_at": 1775791540,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e25c9bc4347adecd3772ea5d24623750015930fd.pdf",
		"text": "https://archive.orkl.eu/e25c9bc4347adecd3772ea5d24623750015930fd.txt",
		"img": "https://archive.orkl.eu/e25c9bc4347adecd3772ea5d24623750015930fd.jpg"
	}
}