Red Stinger

A previously undetected advanced persistent threat (APT) actor dubbed Red Stinger has been linked to attacks targeting Eastern Europe since 2020.

"Military, transportation, and critical infrastructure were some of the entities being targeted, as well as some involved in the September East Ukraine referendums," Malwarebytes disclosed in a report published today.

"Depending on the campaign, attackers managed to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings."

Red Stinger overlaps with a threat cluster Kaspersky revealed under the name Bad Magic last month as having targeted government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea last year.


While there were indications that the APT group may have been active since at least September 2021, the latest findings from Malwarebytes push the group's origins back by nearly a year, with the first operation taking place in December 2020.

The attack chain, over the years, have leveraged malicious installer files to drop the DBoxShell (aka PowerMagic) implant on compromised systems. The MSI file, for its part, is downloaded by means of a Windows shortcut file contained within a ZIP archive.

Subsequent waves detected in April and September 2021 have been observed to leverage similar attack sequences, albeit with minor variations in the MSI file names.

A fourth set of attacks coincided with the onset of Russia's military invasion of Ukraine in February 2022. The last known activity associated with Red Stinger took place in September 2022, as documented by Kaspersky.

"DBoxShell is malware that utilizes cloud storage services as a command-and-control (C&C) mechanism," security researchers Roberto Santos and Hossein Jazi said.

Red Stinger

"This stage serves as an entry point for the attackers, enabling them to assess whether the targets are interesting or not, meaning that in this phase they will use different tools."

The fifth operation is also notable for delivering an alternative to DBoxShell called GraphShell, which is so named for its use of the Microsoft Graph API for C&C purposes.

The initial infection phase is followed by the threat actor deploying additional artifacts like ngrok, rsockstun (a reverse tunneling utility), and a binary to exfiltrate victim data to an actor-controlled Dropbox account.

The exact scale of the infections are unclear, although evidence points to two victims located in central Ukraine – a military target and an officer working in critical infrastructure – who were compromised as part of the February 2022 attacks.


In both instances, the threat actors exfiltrated screenshots, microphone recordings, and office documents after a period of reconnaissance. One of the victims also had their keystrokes logged and uploaded.

The September 2022 intrusion set, on the other hand, is significant for the fact that it chiefly singled out Russia-aligned regions, including officers and individuals involved in elections. One of the surveillance targets had data from their USB drives exfiltrated.

Malwarebytes said it also identified a library in the Ukrainian city of Vinnytsia that was infected as part of the same campaign, making it the only Ukraine-related entity to be targeted. The motivations are presently unknown.

While the origins of the threat group are a mystery, it has emerged that the threat actors managed to infect their own Windows 10 machines at some point in December 2022, either accidentally or for testing purposes (given the name TstUser), offering an insight into their modus operandi.

Two things stand out: The choice of English as the default language and the use of Fahrenheit temperature scale to display the weather, likely suggesting the involvement of native English speakers.

"In this case, attributing the attack to a specific country is not an easy task," the researchers said. "Any of the involved countries or aligned groups could be responsible, as some victims were aligned with Russia, and others were aligned with Ukraine."

"What is clear is that the principal motive of the attack was surveillance and data gathering. The attackers used different layers of protection, had an extensive toolset for their victims, and the attack was clearly targeted at specific entities."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.