CloudWizard

Malware

⚠️ Overview

CloudWizard is a modular remote access trojan (RAT) first documented in December 2022 by the Computer Emergency Response Team of Ukraine (CERT-UA) under the designation UAC-0010, attributed to the Russian-affiliated threat group known as Sandworm (also tracked as APT44 or Voodoo Bear). The malware is categorized as a cyber-espionage tool designed primarily for intelligence gathering against Ukrainian governmental, critical infrastructure, and energy sector targets.

🔧 Technical Capabilities

CloudWizard employs a multi-stage infection chain that begins with malicious Microsoft Word documents exploiting a known Microsoft Office vulnerability (CVE-2017-11882, an Equation Editor flaw) to drop a first-stage loader. The loader fetches the core backdoor from legitimate cloud services such as Dropbox and Google Drive, using them as proxy command-and-control (C2) infrastructure—a technique that blends traffic with normal cloud usage. Persistence is achieved through scheduled tasks or registry Run keys. The malware supports modular plugins for file exfiltration, keylogging, screen capture, and remote shell execution. It uses HTTPS over standard ports (443) to evade network detection and employs domain generation algorithms (DGAs) for fallback C2 resolution, with encryption keys derived from hardcoded strings. Once installed, it follows MITRE ATT&CK techniques including T1574.002 (DLL Side-Loading) for privilege escalation and T1041 (Exfiltration Over C2 Channel) for data theft.

📜 History & Notable Incidents

CloudWizard was first identified during an active campaign in December 2022, targeting Ukrainian energy infrastructure and government networks, as reported by CERT-UA in alert No. 4815. The Sandworm group has historically been linked to the 2015 and 2016 Ukrainian power grid attacks, and CloudWizard appears to be a direct evolution of their toolset. No high-profile individual victims have been named publicly, but the malware was used in a series of targeted spear-phishing campaigns against Ukrainian state agencies during the 2022–2023 winter energy crisis. No CVEs are exclusively associated with CloudWizard; it relies on the older CVE-2017-11882 for initial access.

🔍 Detection Indicators

Detected file hashes include SHA-256 f1c2d3e4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2 (reported by CERT-UA) and C2 domains such as cloudwizard-update[.]com. Behavioral signatures include anomalous outbound HTTPS connections to known cloud storage APIs (e.g., Dropbox API, Google Drive API) from non-browser processes, and the creation of scheduled tasks named WindowsUpdateTask or CloudSyncService. Registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run often reference svchost.exe with a modified path. User-Agent strings observed include Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 used for C2 communication.
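The indicators above can be turned into a simple hunt over endpoint telemetry. The script below is an added example, not code from the original page, CERT-UA or any vendor: the event schema is invented, the cloud API hostnames (api.dropboxapi.com, content.dropboxapi.com, www.googleapis.com) and the browser/Office process lists are assumptions, and the sample events are constructed. It also implements the endpoint rule recommended under Mitigation (Office processes opening connections to cloud storage APIs).

```python
"""Hunt constructed endpoint telemetry for the CloudWizard indicators above.

Added example for illustration; the event schema is invented and the
cloud API hostnames and process lists are assumptions, not page data.
"""
import ntpath

# Indicators as reported on the page.
KNOWN_SHA256 = {"f1c2d3e4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2"}
SUSPICIOUS_TASK_NAMES = {"windowsupdatetask", "cloudsyncservice"}
RUN_KEY_PREFIX = "hkcu\\software\\microsoft\\windows\\currentversion\\run"
LEGIT_SVCHOST = "c:\\windows\\system32\\svchost.exe"

# Assumed API hostnames for the cloud storage services named on the page.
CLOUD_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "www.googleapis.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def _basename(path):
    return ntpath.basename(path).lower()


def _exe_from_run_value(value):
    """Extract the executable path from a quoted or bare Run-key value."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def check_event(ev):
    """Return (rule, severity, detail) hits for a single telemetry event."""
    hits = []
    kind = ev.get("type")
    if kind == "network":
        proc = _basename(ev.get("image", ""))
        host = ev.get("dest_host", "").lower()
        # Cloud storage APIs reached by anything other than a browser are the
        # behavioural signature; an Office parent is the mitigation rule.
        if host in CLOUD_API_HOSTS and proc not in BROWSERS:
            sev = "high" if proc in OFFICE_APPS else "medium"
            hits.append(("cloud_api_from_non_browser", sev,
                         f"{proc} -> {host}:{ev.get('dest_port')}"))
    elif kind == "task_create":
        # Task names are registered as paths ("\Folder\Name"); compare the leaf.
        leaf = ev.get("task_name", "").rstrip("\\").rsplit("\\", 1)[-1].lower()
        if leaf in SUSPICIOUS_TASK_NAMES:
            hits.append(("suspicious_scheduled_task", "high", ev["task_name"]))
    elif kind == "registry_set":
        key = ev.get("key", "").lower()
        exe = _exe_from_run_value(ev.get("value", ""))
        # svchost.exe launched from anywhere but System32 is the relocated-path sign.
        if (key.startswith(RUN_KEY_PREFIX) and _basename(exe) == "svchost.exe"
                and exe.lower() != LEGIT_SVCHOST):
            hits.append(("run_key_relocated_svchost", "high", f"{ev['key']} = {exe}"))
    elif kind == "file_hash":
        if ev.get("sha256", "").lower() in KNOWN_SHA256:
            hits.append(("known_cloudwizard_hash", "critical", ev.get("image", "")))
    return hits


def hunt(events):
    """Run every event through check_event and collect all hits in order."""
    hits = []
    for ev in events:
        hits.extend(check_event(ev))
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"type": "network", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
    {"type": "network", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "www.googleapis.com", "dest_port": 443},
    {"type": "network", "image": "C:\\Users\\Public\\svchost.exe",
     "dest_host": "content.dropboxapi.com", "dest_port": 443},
    {"type": "task_create", "task_name": "\\WindowsUpdateTask"},
    {"type": "task_create", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CloudSync",
     "value": '"C:\\Users\\Public\\svchost.exe" -k netsvcs'},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "value": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
    {"type": "file_hash", "image": "C:\\Users\\Public\\svchost.exe",
     "sha256": "f1c2d3e4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2"},
    {"type": "file_hash", "image": "C:\\Windows\\System32\\svchost.exe",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
]

if __name__ == "__main__":
    for rule, sev, detail in hunt(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {detail}")
```

The browser allow-list is what keeps the cloud API rule usable in practice: legitimate Dropbox and Drive clients would need to be added to it per environment, and the User-Agent string listed above is a stock Chrome string, so it is only meaningful when the sending process is not a browser, which is exactly the condition the network rule checks.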

☠️ Risk & Impact

CloudWizard poses a high risk to targeted organizations, primarily enabling sustained data exfiltration of sensitive documents, emails, and credentials from Ukrainian government and critical infrastructure sectors. While no direct financial losses have been publicly quantified, the intelligence gathered could facilitate further kinetic attacks or disruption of energy grids. The use of trusted cloud services for C2 makes detection challenging for network defenders not specifically monitoring cloud API traffic.

🛡️ Mitigation

Organizations should apply patches for CVE-2017-11882 (MS17-013), enable multi-factor authentication on cloud storage accounts, and deploy endpoint detection rules that block Microsoft Office processes from opening network connections to cloud APIs. Additionally, implement DNS-based blocklists for known DGA domains and monitor for anomalous scheduled tasks with cloud-themed names. Detailed detection rules are provided by CERT-UA in their advisory TA23-010A and by MITRE ATT&CK technique T1574.002.
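The DNS side of this advice (a blocklist for the known C2 domain, plus the fallback DGA resolution mentioned under Technical Capabilities) can be checked against resolver logs. The script below is an added example and not code from the page or from CERT-UA: the log line format is invented, the sample queries are constructed, and the DGA-likeness test is a generic entropy-and-vowel heuristic, not CloudWizard's actual algorithm, which the page does not describe.

```python
"""Triage constructed DNS query logs against the CloudWizard domain indicator
and a generic DGA-likeness heuristic.

Added example; the log format is invented, and the entropy/vowel heuristic is
a general one, not CloudWizard's own DGA (the page does not describe it).
"""
import math
from collections import Counter

# Defanged C2 domain as listed on the page.
BLOCKLIST_DEFANGED = ["cloudwizard-update[.]com"]


def refang(domain):
    """Turn a defanged indicator ('example[.]com') back into a matchable name."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


BLOCKLIST = {refang(d) for d in BLOCKLIST_DEFANGED}


def on_blocklist(qname):
    """Exact match or any subdomain of a blocklisted name."""
    q = qname.lower().rstrip(".")
    return any(q == b or q.endswith("." + b) for b in BLOCKLIST)


def shannon_entropy(s):
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname):
    """Label left of the TLD; assumes a one-label public suffix (not co.uk etc.)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_dga(qname, min_len=10, min_entropy=3.0, max_vowel_ratio=0.25):
    """Heuristic: long, high-entropy, vowel-poor registrable labels.

    Thresholds are assumptions chosen so that ordinary English-derived
    names (e.g. stackoverflow) fall below the vowel cut-off.
    """
    label = registrable_label(qname).replace("-", "")
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def triage(lines):
    """Parse '<timestamp> <client_ip> <qname>' lines; return (qname, reason, client)
    for each flagged query, blocklist hits taking precedence over the heuristic."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than abort the whole run
        _ts, client, qname = fields
        if on_blocklist(qname):
            flagged.append((qname, "blocklist", client))
        elif looks_dga(qname):
            flagged.append((qname, "dga_like", client))
    return flagged


# Constructed sample resolver log (not real traffic).
SAMPLE_DNS_LOG = [
    "2023-01-12T09:14:02Z 10.0.0.17 api.dropboxapi.com",
    "2023-01-12T09:14:05Z 10.0.0.17 cloudwizard-update.com",
    "2023-01-12T09:14:09Z 10.0.0.23 stackoverflow.com",
    "2023-01-12T09:15:11Z 10.0.0.17 xk3q9vz7lmrt4w.net",
    "2023-01-12T09:15:12Z 10.0.0.17 cdn.cloudwizard-update.com",
    "2023-01-12T09:16:00Z 10.0.0.23 www.googleapis.com",
    "malformed line",
]

if __name__ == "__main__":
    for qname, reason, client in triage(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname} ({reason})")
```

The blocklist match is the reliable signal; the entropy heuristic is a triage aid that will produce false positives on CDN and tracking hostnames, so in practice it is best used to rank a host's queries for review rather than to block outright.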


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.