In a previous memo, I mentioned the discovery, made by researchers at Kaspersky, of an active campaign carried out by an advanced threat actor since 2021, targeting multiple organizations in the regions of Donetsk, Lugansk, and Crimea. One of the noteworthy aspects of this campaign was undoubtedly the usage of a new backdoor, called PowerMagic, characterized by the exploitation of the popular cloud storage services, Dropbox and OneDrive, as the command and control infrastructure.
Recently, researchers from Malwarebytes shed some light on the same threat actor, which they dubbed Red Stinger, revealing that the extent of their operation was, in reality, wider than initially thought (going back to at least December 2020 rather than September 2021 as indicated by researchers from Kaspersky). All of the campaigns conducted by the same threat actor have had a lowest common denominator: the exploitation of Dropbox as command and control via the same PowerMagic backdoor, which the Malwarebytes researchers dubbed DBoxShell.
In particular, from late 2020 to the end of 2022, the researchers laid bare five campaigns from the same threat actor targeting objectives in the same area (including the one recently unearthed and described in the previous memo). Despite there being some differences in the attack chain, over the years, the attackers