The ongoing war between Russia and Ukraine has led to government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea being attacked as part of an active campaign that drops a previously unseen, modular framework dubbed CommonMagic. "Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods," Kaspersky said in a new report. The Russian cybersecurity company, which detected the attacks in October 2022, is tracking the activity cluster under the name "Bad Magic." Attack chains entail the use of booby-trapped URLS pointing to a ZIP archive hosted on a malicious web server. The file, when opened, contains a decoy document and a malicious LNK file that culminates in the deployment of a backdoor named PowerMagic. Written in PowerShell, PowerMagic establishes contact with a remote server and executes arbitrary commands, the results of which are exfiltrated to cloud services like Dropbox and Microsoft OneDrive. PowerMagic also serves as a conduit to deliver the CommonMagic framework, a set of executable modules that are designed to carry out specific tasks such as interacting with the command-and-control (C2) server, encrypting and decrypting C2 traffic, and executing plugins. Two of the plugins discovered so far come with capabilities to capture screenshots every three seconds and gather files of interest from connected USB devices. CommonMagic is a previously unseen, modular framework that has been used in attacks against government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea. The attacks have been detected by the Russian cybersecurity company Kaspersky, which has given the activity cluster the name "Bad Magic." The initial vector of compromise is unclear, but it is thought that spear phishing or similar methods were used. Booby-trapped URLS pointing to a ZIP archive hosted on a malicious web server are used in the attack chain. The file, when opened, contains a decoy document and a malicious LNK file that culminates in the deployment of a backdoor named PowerMagic. PowerMagic, written in PowerShell, establishes contact with a remote server and executes arbitrary commands. The results are then exfiltrated to cloud services like Dropbox and Microsoft OneDrive. PowerMagic also serves as a conduit to deliver the CommonMagic framework. Theframework consists of a set of executable modules that are designed to carry out specific tasks, such as interacting with the command-and-control (C2) server, encrypting and decrypting C2 traffic, and executing plugins. Two of the plugins discovered so far come with capabilities to capture screenshots every three seconds and gather files of interest from connected USB devices.