OSINT - Bad magic: new APT found in the area of Russo-Ukrainian conflict
A new Advanced Persistent Threat (APT) group, dubbed 'Bad Magic,' has been identified operating in the context of the Russo-Ukrainian conflict. This campaign involves the use of PowerShell-based techniques (MITRE ATT&CK T1059.001) for payload delivery and network activity. The threat is currently assessed with low severity and moderate confidence, with no known exploits in the wild or available patches. The campaign appears targeted primarily at Ukrainian entities but may have broader implications given the geopolitical tensions. European organizations with ties to Ukraine or involved in related sectors should be vigilant. The threat leverages OSINT-derived intelligence and demonstrates moderate sophistication. Due to the lack of specific affected software versions or exploits, the immediate risk is limited but warrants monitoring. Mitigation should focus on enhanced detection of PowerShell abuse and network monitoring for suspicious activity.
AI Analysis
Technical Summary
The 'Bad Magic' APT campaign has been uncovered through open-source intelligence (OSINT) sources, linked to the ongoing Russo-Ukrainian conflict. This threat actor employs PowerShell scripting (MITRE ATT&CK technique T1059.001) as a primary method for executing payloads and conducting network operations. PowerShell is a powerful scripting environment native to Windows systems, often abused by attackers for stealthy execution of malicious code. The campaign's technical details are sparse, with no specific affected software versions or known exploits, indicating that the threat is likely in an early or reconnaissance phase. The low severity rating and moderate confidence level suggest limited current impact but potential for escalation. The campaign's focus on network activity and payload delivery implies attempts to establish persistence and lateral movement within targeted networks. No patches or direct remediation steps are available, emphasizing the importance of detection and response capabilities. The threat is contextualized within the geopolitical tensions of the Russo-Ukrainian conflict, highlighting the use of cyber operations as part of hybrid warfare strategies. Indicators of compromise are not publicly disclosed, limiting immediate defensive actions but underscoring the need for vigilance in monitoring PowerShell execution and network anomalies.
Potential Impact
For European organizations, especially those with business, governmental, or humanitarian links to Ukraine, the 'Bad Magic' APT presents a risk of espionage, data exfiltration, and potential disruption. The use of PowerShell scripting can enable attackers to bypass traditional security controls, leading to unauthorized access and lateral movement within networks. Although currently assessed as low severity, the campaign could evolve to target critical infrastructure, diplomatic entities, or supply chains connected to the conflict zone. The geopolitical sensitivity increases the likelihood of targeted attacks against European entities supporting Ukraine or involved in related sectors. Compromise could result in loss of sensitive information, operational disruption, and reputational damage. The absence of known exploits or patches suggests that the threat relies on social engineering or exploitation of misconfigurations rather than zero-day vulnerabilities. Therefore, the impact is contingent on the effectiveness of organizational security posture and incident response capabilities.
Mitigation Recommendations
European organizations should implement enhanced monitoring of PowerShell usage, including logging and analysis of command-line arguments and script execution. Deploy endpoint detection and response (EDR) solutions capable of identifying suspicious PowerShell behavior and network anomalies indicative of APT activity. Enforce the principle of least privilege to limit PowerShell execution rights to only necessary users and systems. Utilize application whitelisting to prevent unauthorized scripts from running. Conduct regular threat hunting exercises focused on detecting early signs of APT activity, such as unusual network connections or persistence mechanisms. Maintain up-to-date threat intelligence feeds to correlate emerging indicators related to the 'Bad Magic' campaign. Train staff on recognizing social engineering tactics that may be used to initiate payload delivery. Segment networks to contain potential intrusions and limit lateral movement. Finally, collaborate with national cybersecurity centers and information sharing organizations to stay informed about developments in the Russo-Ukrainian cyber threat landscape.
Affected Countries
Ukraine, Poland, Germany, France, United Kingdom, Estonia, Lithuania, Latvia
Technical Details
- Threat Level: 3
- Analysis: 1
- Uuid: f3eda2d3-840b-46ba-ac74-50b68a58b0fe
- Original Timestamp: 1679481690
Indicators of Compromise
Domain
| Value | Description |
|---|---|
| webservice-srv.online | Distribution servers |
| webservice-srv1.online | Distribution servers |

IP
| Value | Description |
|---|---|
| 185.166.217.184 | Distribution servers |

Hash
| Value | Description |
|---|---|
| 0a95a985e6be0918fdb4bfabf0847b5a | Lure archives |
| ecb7af5771f4fe36a3065dc4d5516d84 | Lure archives |
| 765f45198cb8039079a28289eab761c5 | Lure archives |
| ebaf3c6818bfc619ca2876abd6979f6d | Lure archives |
| 1032986517836a8b1f87db954722a33f | Lure archives |
| 1de44e8da621cdeb62825d367693c75e | Lure archives |
| 7c0e5627fd25c40374bc22035d3fadd8 | — |
| 9e19fe5c3cf3e81f347dd78cf3c2e0c2 | CommonMagic cryptography module |
| ce8d77af445e3a7c7e56a6ea53af8c0d | CommonMagic loader |
| 1fe3a2502e330432f3cf37ca7acbffac | PowerMagic backdoor |
| 8c2f5e7432f1e6ad22002991772d589b | PowerMagic loader |
| bec44b3194c78f6e858b1768c071c5db | PowerMagic dropper |
| fee3db5db8817e82b1af4cedafd2f346 | — |

File
| Value | Description |
|---|---|
| Overall.exe | — |
| Clean.exe | CommonMagic cryptography module |
| All.exe | CommonMagic loader |
| manutil.vbs | PowerMagic loader |
| service_pack.dat | PowerMagic dropper |
| attachment.msi | — |

Link
| Value | Description |
|---|---|
| https://securelist.com/bad-magic-apt/109087/ | — |

Text
Excerpt from the Securelist report linked above:

> Since the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of cyberattacks executed in a political and geopolitical context. We previously published an overview of cyber activities and the threat landscape related to the conflict between Russia and Ukraine and continue to monitor new threats in these regions.
>
> In October 2022, we identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server.
Threat ID: 682acdbebbaf20d303f0e64a
Added to database: 5/19/2025, 6:20:46 AM
Last enriched: 12/24/2025, 6:12:49 AM
Last updated: 2/6/2026, 7:51:06 PM