CloudSorcerer

Description

(Kaspersky) In May 2024, we discovered a new advanced persistent threat (APT) targeting Russian government entities that we dubbed CloudSorcerer. It’s a sophisticated cyberespionage tool used for stealth monitoring, data collection, and exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure. The malware leverages cloud resources as its command and control (C2) servers, accessing them through APIs using authentication tokens. Additionally, CloudSorcerer uses GitHub as its initial C2 server.

CloudSorcerer’s modus operandi is reminiscent of the CloudWizard APT (Bad Magic, RedStinger) that we reported on in 2023. However, the malware code is completely different. We presume that CloudSorcerer is a new actor that has adopted a similar method of interacting with public cloud services.

Names

Name	Name-Giver
CloudSorcerer	Kaspersky

Country

Unknown

Motivation

Information theft and espionage

First Seen

2024

Observed Sectors

Government

Observed Countries

Russia

Tools

Operations

2024-07: Operation “EastWind” EastWind campaign: new CloudSorcerer attacks on government organizations in Russia https://securelist.com/eastwind-apt-campaign/113345/

Information

https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/

Other Information

Uuid

af7a2561-8bf2-4b5c-a1d3-dbfef92fc0a7

Last Card Change

2024-08-27

Threat Intelligence Garden

Explorer

CloudSorcerer

CloudSorcerer

Description

Names

Country

Motivation

First Seen

Observed Sectors

Observed Countries

Tools

Operations

Information

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks