Uncovering RedStinger – Undetected APT cyber operations in Eastern Europe since 2020

Red Stinger is an Eastern Europe–focused APT active since 2020, tracked publicly by Malwarebytes and Kaspersky under different aliases, with campaigns targeting Ukraine’s military, transportation, and critical infrastructure. The operation used a repeatable infection chain (MSI/VBS/DBoxShell) and cloud-based exfiltration (Dropbox/OneDrive) across multiple campaigns, including referendums, revealing detailed IOCs and victimology. #RedStinger #DBoxShell

Keypoints

  • Red Stinger is an Eastern Europe–focused threat actor active since 2020, targeting Ukraine and its infrastructure with multiple campaigns.
  • The group uses a repeatable infection chain: an MSI installer downloaded from a remote URL, followed by VBScript/PowerShell components and a loader (DBoxShell) that deploys the payloads.
  • OP#4 (Feb 2022) and OP#5 (Sept 2022) use cloud storage for C2 and exfiltration, with Dropbox and GraphShell (OneDrive), plus tunneling via ngrok.
  • Victimology spans military, transportation, and critical infrastructure, with surveillance areas including referendums and election-related entities in the Donetsk/Luhansk regions.
  • Artifacts dropped include SolarTools, vs_secpack, and Ntuser.dat with XORed/AES-encrypted content, revealing a complex multi-stage loader and data-exfiltration workflow.
  • OP#5 shows GraphShell reconnaissance structures and a shift to GraphShell-based operations, linking multiple campaigns to the same actor and infrastructure patterns.

MITRE Techniques

  • [T1204] User Execution – Malicious File – The attackers used a .lnk file that downloads an MSI file from the URL hxxp://91.234.33.108/u3/ebe9c1f5e5011f667ef8990bf22a38f7/document.msi. “This .lnk file will download an MSI file from the url …/document.msi.”
  • [T1059] Command and Scripting Interpreter – The attackers rely on script-based payloads; a PowerShell script is described as executing components. “Powershell snippet run in OP#2” and “This command is a powershell script with 32 lines, which executes SolarTools/ngrok.exe.”
  • [T1059.007] VBScript – The infection chain includes a .vbs file that performs further actions, e.g., “the iesync.vbs file will apply a XOR operation to iesync.so.”
  • [T1055] Process Injection – Process Hollowing/Process Injection used to load and inject malicious components, as noted in “Process Hollowing technique was used to perform injections in OP#4.”
  • [T1027] Obfuscated/Compressed Files and Information – The artifacts show XOR encoding and AES encryption for configuration data, with Ntuser.dat containing XORed PE files and AES-encrypted config: “these executables are xored, each one with a different value” and “The configuration was encrypted using AES.”
  • [T1567.002] Exfiltration to Cloud Storage – Exfiltration and C2 leverage cloud storage; “This Dropbox account will be used to gather exfiltrated victims data.”
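The T1027 entry above notes that the Ntuser.dat artifact held several PE files, each XORed with a different single-byte value. The following triage helper is an added example, not code from the report or from Malwarebytes; it recovers the key and offset of each embedded executable by searching for the XORed DOS-stub string and validating the MZ/PE headers, and runs on a constructed sample container rather than a real artifact.

```python
# Added triage helper (not from the Malwarebytes report): locate PE files that
# were XORed with a single-byte key inside a container such as the Ntuser.dat
# artifact described above, where each embedded executable uses its own key.
DOS_STUB = b"This program cannot be run in DOS mode"  # present in nearly every PE

def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (the encoding the report describes)."""
    return bytes(b ^ key for b in data)

def find_xored_pe(blob: bytes, window: int = 0x100) -> list[tuple[int, int]]:
    """Return (key, offset) pairs for embedded PEs XORed with a single-byte key.

    Each XORed DOS-stub string hit is validated by walking back to the XORed 'MZ'
    magic and checking that e_lfanew points at a XORed 'PE\\0\\0' signature, so a
    stray string match does not count. Key 0 also reports plain, unencoded PEs.
    """
    hits = []
    for key in range(256):
        needle = xor_bytes(DOS_STUB, key)
        pos = blob.find(needle)
        while pos != -1:
            for mz in range(pos - 1, max(pos - window, 0) - 1, -1):
                if xor_bytes(blob[mz:mz + 2], key) != b"MZ":
                    continue
                e_lfanew = int.from_bytes(xor_bytes(blob[mz + 0x3C:mz + 0x40], key), "little")
                sig = mz + e_lfanew
                if len(blob) >= sig + 4 and xor_bytes(blob[sig:sig + 4], key) == b"PE\x00\x00":
                    hits.append((key, mz))
                    break
            pos = blob.find(needle, pos + 1)
    return hits

def carve_pe(blob: bytes, key: int, offset: int) -> bytes:
    """Decode the embedded PE from `offset` to the end of the container."""
    return xor_bytes(blob[offset:], key)

def build_fake_pe() -> bytes:
    """Constructed minimal MZ/PE skeleton for the demo; it is not a runnable program."""
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\x00" * 0x3A + e_lfanew.to_bytes(4, "little")  # 0x40 bytes
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + DOS_STUB + b".\r\r\n$"
    stub = stub.ljust(e_lfanew - len(dos_header), b"\x00")
    return dos_header + stub + b"PE\x00\x00" + b"\x64\x86" + b"\x00" * 26  # 160 bytes

# Constructed sample container: two copies of the skeleton, each XORed with a
# different key (as the report describes), surrounded by filler bytes.
FAKE_PE = build_fake_pe()
SAMPLE = b"\x00" * 0x20 + xor_bytes(FAKE_PE, 0x5A) + b"\xff" * 0x10 + xor_bytes(FAKE_PE, 0xC3)
```

On the sample, `find_xored_pe(SAMPLE)` returns `[(0x5A, 32), (0xC3, 208)]`, and `carve_pe` with those values yields the decoded skeletons for hashing or further analysis.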

Indicators of Compromise

  • [Host] 91.234.33.185 – OP#1 (MSI delivery host)
  • [LNK] 41589c4e712690af11f6d12efc6cca2d584a53142782e5f2c677b4e980fae5bd – OP#1
  • [MSI] C68ce59f73c3d5546d500a296922d955ccc57c82b16ce4bd245ca93de3e32366 – OP#1
  • [DLL] 9e73dacedf847410dd4a0caa6aac83d31f848768336514335d4872d0fde28202 – OP#1
  • [DLL] B6491d99d7193499a320bf6ad638146193af2ced6128afe8af3666a828f1b900 – OP#1
  • [Host] 91.234.33.108 – OP#2
  • [ZIP] 301e819008e19b9803ad8b75ecede9ecfa5b11a3ecd8df0316914588b95371c8 – OP#2
  • [LNK] D956f2bf75d2fe9bf0d7c319b22a834976f1786b09ff1bba0d2e26c771b19ca2 – OP#2
  • [DLL] 9a6d4ac64fa6645c58a19b8c8795a8cb586b82f6a77aaf8f06eb83ba1f1390e8 – OP#2
  • [SHA256] 2643B38BDAD89168BAEA4226DD6496B91ED283330B2C5D8CA134BEFA796E0F34 – OP#2
  • [Host] 185.230.90.163 – OP#3
  • [SHA256] Ce9af73be2981c874b37b767873fa4d47219810e2672bf7e0b5af8c865448069 – OP#4
  • [ZIP] 961c52567232c1f98c04b1e605c34b0309ff280afe01e1a31384589e30eccf05 – OP#5
  • [LNK] Fb48b9102388620bb02d1a47297ba101f755632f9a421d09e9ab419cbeb65db8 – OP#5
  • [MSI] 9c16cf1f962bf736e3d6fb9ec3a37bb6f92c5f6cb1886d4332694ccc94735de8 – OP#5

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger