Red Stinger: Previously Undetected APT Actor Linked to Eastern European Attacks

A new threat actor, dubbed Red Stinger, has been linked to attacks targeting Eastern Europe since 2020. The APT group has been observed targeting military, transportation, and critical infrastructure entities, as well as some organizations involved in the September East Ukraine referendums. Malwarebytes disclosed these findings in a report published today. Depending on the campaign, the attackers have been able to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings.

Red Stinger overlaps with a threat cluster that Kaspersky revealed under the name Bad Magic last month. That cluster targeted government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea last year. While there were indications that the APT group may have been active since at least September 2021, the latest findings from Malwarebytes push the group's origins back by nearly a year, with the first operation taking place in December 2020.

The attack chain at that time is said to have leveraged malicious installer files to drop the DBoxShell (aka PowerMagic) implant on compromised systems. The MSI file, for its part, is downloaded by means of a Windows shortcut file contained within a ZIP archive. Subsequent waves detected in April and September 2021 have been observed to leverage similar attack chains, albeit with minor variations in the MSI file names.
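The initial access step described above, a Windows shortcut (.lnk) inside a ZIP archive that fetches an MSI, is one that defenders can screen for at the mail gateway or in a sandbox before the archive is opened. The following Python script is an added example written for this page; it is not code from Malwarebytes, Kaspersky, or the Red Stinger report, and it does not reproduce any sample from the campaign. It inspects every member of a ZIP archive for a valid ShellLinkHeader (the fixed 76-byte header defined in MS-SHLLINK, identified by its size field and CLSID) rather than trusting the file extension, and reports shortcuts that carry command-line arguments or hide behind a double extension. The archive it scans is constructed in memory for the demonstration; the member names and header contents are fixtures, not indicators from the report.

```python
import io
import struct
import zipfile

# Fixed-size ShellLinkHeader (MS-SHLLINK section 2.1): HeaderSize must be 0x4C
# and LinkCLSID must be 00021401-0000-0000-C000-000000000046 (little-endian GUID).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1) used below.
HAS_ARGUMENTS = 0x00000020   # a COMMAND_LINE_ARGUMENTS string follows the link data
IS_UNICODE = 0x00000080      # StringData fields are UTF-16LE


def parse_lnk_header(data: bytes):
    """Return {'link_flags', 'has_arguments'} if `data` starts with a ShellLinkHeader, else None."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        return None
    (link_flags,) = struct.unpack_from("<I", data, 20)
    return {"link_flags": link_flags, "has_arguments": bool(link_flags & HAS_ARGUMENTS)}


def find_shortcut_lures(zip_bytes: bytes):
    """Scan a ZIP archive held in memory and return {member_name: [reasons]}.

    A member is reported whenever its content begins with a valid ShellLinkHeader,
    whatever extension it was given. Extra reasons are attached when the shortcut
    carries command-line arguments (how a lure typically launches a downloader) or
    uses a double extension such as 'invoice.pdf.lnk' to pass as a document.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(LNK_HEADER_SIZE)
            hdr = parse_lnk_header(head)
            if hdr is None:
                continue
            reasons = ["shell link header"]
            if hdr["has_arguments"]:
                reasons.append("has command-line arguments")
            name = info.filename.lower()
            if name.endswith(".lnk"):
                if name.count(".") >= 2:
                    reasons.append("double extension")
            else:
                reasons.append("extension does not match content")
            findings[info.filename] = reasons
    return findings


def make_lnk_header(link_flags: int) -> bytes:
    """Build a minimal 76-byte ShellLinkHeader. Constructed fixture for the demo, not a real lure."""
    hdr = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", hdr, 0, LNK_HEADER_SIZE)
    hdr[4:20] = LNK_CLSID
    struct.pack_into("<I", hdr, 20, link_flags)
    return bytes(hdr)


def build_sample_archive() -> bytes:
    """Constructed ZIP with one benign file and two shortcut-like members (hypothetical names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign text")
        zf.writestr("invoice.pdf.lnk", make_lnk_header(HAS_ARGUMENTS | IS_UNICODE))
        zf.writestr("notes.txt", make_lnk_header(0))  # LNK content disguised as a text file
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in find_shortcut_lures(build_sample_archive()).items():
        print(f"{member}: {', '.join(reasons)}")
```

The check keys on the header rather than the extension because a renamed shortcut still behaves as one once a user double-clicks it after extraction; in a gateway deployment the same function would run over each attachment before delivery, and a hit on "has command-line arguments" is the strongest single signal, since a shortcut that merely points at a local document rarely needs arguments.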
