December 9, 2023

Researchers have spotted that the CommonMagic malware implant has been associated with a previously unknown  APT campaign linked to the Russo-Ukrainian conflict and relies on a new modular framework called as CloudWizard

The sections of the CloudWizard code were identical to CommonMagic as they employed the same encryption library, followed a similar file naming format, and shared victim locations. It is believed that they are responsible for malicious campaign known as Operation Groundbait and Operation BugDrop.

The researchers said CloudWizard victims were not limited to the Donetsk, Lugansk and Crimea regions of Ukraine but also included central and western areas. The targets encompassed individuals, diplomatic entities, and research organizations.


After obtaining the CloudWizard’s orchestrator and its modules, through the older telemetry data, researchers identified multiple installers that were used from 2017 to 2020. The version of the implant installed at that time was 4.0

The uncovered installer is built with NSIS. When launched, it drops three files:

  • C:\ProgramData\Microsoft\WwanSvc\WinSubSvc.exe
  • C:\ProgramData\Microsoft\MF\Depending.GRL (in other versions of the installer, this file is also placed under C:\ProgramData\Microsoft\MF\etwdrv.dll)
  • C:\ProgramData\System\Vault\etwupd.dfg

Afterwards, it creates a service called “Windows Subsystem Service” that is configured to run the WinSubSvc.exe binary on every startup. It is worth noting that the installer displays a message with the text “Well done!” after infection:

CloudWizard offers nine modules, collectively delivering various hacking capabilities, including file gathering, keylogging, screenshot capture, microphone input recording and password theft. It can also extract Gmail cookies from browser databases and then access and smuggle activity logs, contact lists and all email messages associated with the targeted accounts.

The threat actor responsible for these operations has demonstrated a persistent and ongoing commitment to cyber-espionage, continuously enhancing their toolset and targeting organizations of interest for over fifteen years.


Geopolitical factors continue to be a significant motivator for APT attacks and, given the prevailing tension in the Russo-Ukrainian conflict area, we anticipate that this actor will persist with its operations for the foreseeable future.

Thi research was documented by researchers from Kaspersky

Indicators of Compromise

  • 177f1216b55058e30a3ce319dc1c7a9b1e1579ea3d009ba965b18f795c1071a4
  • 041e4dcdc0c7eea5740a65c3a15b51ed0e1f0ebd6ba820e2c4cd8fa34fb891a2
  • 11012717a77fe491d91174969486fbaa3d3e2ec7c8d543f9572809b5cf0f2119
  • 91.228.147[.]23
  • curveroad[.]com

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.