CommonMagic & PowerMagic Malware Used in Surveillance Attacks

GAGANDEEP SINGH

23-March-2023

Security researchers discovered attacks by advanced threat actors using a previously unknown malicious framework.

The threat actors used a malicious framework named CommonMagic along with a new backdoor, PowerMagic.

Through these attacks, the attackers aim to collect data, documents, and files from targets in Crimea and elsewhere.

The malware can also capture a screenshot every three seconds using the Windows Graphics Device Interface (GDI).

The initial infection is a phishing URL pointing to a ZIP archive with a malicious LNK file.

According to security analysts, the attackers built dedicated modules for each of the different tasks.

The CommonMagic framework consists of several components that communicate with one another through a named pipe.

Data is also exchanged through a OneDrive folder, and the files are then encrypted.
