New findings have shed light on a hacker group known as Bad Magic or Red Stinger, revealing that it has been active for a longer period than previously known. The group has been linked to cyber attacks targeting companies in the Russo-Ukrainian conflict area since at least 2016, with recent evidence showing an expansion of their targets to include individuals, diplomatic entities, and research organizations in Western and Central Ukraine.
The campaign is characterized by the use of a sophisticated modular framework called CloudWizard, enabling activities such as capturing screenshots, recording audio, logging keystrokes, stealing passwords, and harvesting Gmail inboxes.
Kaspersky, a Russian cybersecurity firm, first documented Bad Magic’s activities in March 2023, highlighting their use of the PowerMagic backdoor and the CommonMagic modular framework in attacks against Russian-occupied territories of Ukraine.
Subsequent investigations by Kaspersky and Malwarebytes have revealed a deeper understanding of the group’s tactics, linking them to historical telemetry data and identifying overlaps in source code with other malware, such as Prikormka and BugDrop.
These findings suggest that Bad Magic has been continuously evolving its tools and targeting various victims for over 15 years.
The CloudWizard framework, attributed to Bad Magic, has become a crucial piece in understanding the group’s operations, namely Operation Groundbait and Operation BugDrop. These campaigns primarily targeted anti-government separatists, government officials, politicians, and journalists in Donetsk and Luhansk.
The extensive nature of Bad Magic’s cyber espionage activities, combined with geopolitical factors in the Russo-Ukrainian conflict area, indicates that the group will likely persist with its operations in the foreseeable future.
The latest revelations highlight the persistence and ongoing commitment of the threat actor behind Bad Magic to conduct cyber espionage. As Kaspersky researcher Georgy Kucherin notes, the group has continuously enhanced its toolset and targeted organizations of interest over the past 15 years.
Understanding the origins and motivations of this mysterious group remains a crucial challenge, but each new discovery brings us closer to unraveling the bigger picture of their activities.
