{
	"id": "6337c563-3c5b-4a6e-a809-c525852dc5ae",
	"created_at": "2026-04-06T00:12:40.467676Z",
	"updated_at": "2026-04-10T13:12:49.641043Z",
	"deleted_at": null,
	"sha1_hash": "130a9526604c2725c6cf61dde67d007cb7be7764",
	"title": "Cloud Atlas Group Updates Infection Chain With Polymorphic Malware to Evade Detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 165278,
	"plain_text": "Cloud Atlas Group Updates Infection Chain With Polymorphic Malware to Evade Detection\r\nArchived: 2026-04-05 21:14:55 UTC\r\nA malware campaign that uses a polymorphic HTML application (HTA) and a polymorphic backdoor to evade detection has recently been observed by security researchers. As reported by researchers at Kaspersky, the campaign can be traced to the advanced persistent threat (APT) group Cloud Atlas (aka Inception), whose activities were first reported in 2014 and have recently been identified in relation to attacks on various organizations in Russia, Central Asia, Europe, and Portugal.\r\nAs in its previous iteration, the routine used by Cloud Atlas begins with phishing emails to high-value targets. These emails have Microsoft Office document attachments that contain malicious remote templates, which are loaded from remote servers. This technique allows the documents to bypass static analysis and makes forensic analysis difficult if the servers hosting the templates are down.\r\nIn Cloud Atlas’s updated infection chain, the templates, when downloaded, deliver and execute a malicious HTA that, in turn, drops and executes a VBScript module named VBShower, which is a polymorphic backdoor. VBShower deletes traces of infection from the machine to further complicate forensics and establishes the communication between the infected machine and the command-and-control (C\u0026C) server.\r\n[Read: Risks under the radar: Understanding fileless threats]\r\nVBShower delivers Cloud Atlas’s second-stage payload, a backdoor that uses WebDAV to communicate with a cloud storage service. More notably, VBShower also delivers a PowerShell-based implant named PowerShower, which was the main payload in Cloud Atlas’s previous routine. PowerShower deploys several modules. These include a PowerShell stealer that exfiltrates documents that are smaller than 5 MB and have been modified in the last two days, a reconnaissance module that retrieves a list of active processes and other system information, and a password grabber, based on the open-source tool LaZagne, that collects credentials stored on the infected system.\r\nBoth the HTA and VBShower are polymorphic, that is, they modify their attributes so as to avoid detection by security solutions. In particular, the updated infection chain’s polymorphism allows Cloud Atlas to evade analysis based on indicators of compromise (IOCs), since the code in both modules will be unique for every infected machine.\r\nPolymorphism and PowerShell abuse for malware propagation and infection are not new. Threat actors have, for example, abused new scripting languages to make these threats harder for enterprise IT teams to find, monitor, and defend against. Trend Micro researchers have been tracking such evasion and infection techniques.\r\n[Read: Security 101: Defending against fileless malware]\r\nInfections such as those carried out by Cloud Atlas’s updated routine not only pose threats to users whose credentials and information are compromised. They also give malicious actors access even after the initial infection phase, with the backdoor components enabling them to perform more serious attacks.\r\nHere are some best practices for users and enterprises to follow so as to defend their systems against these threats:\r\nUpdate and install the latest patches released. Legacy systems can use virtual patches released by security vendors to protect unsupported systems.\r\nBe wary of emails from unknown senders or locations, or messages with suspicious content, even from supposed known senders.\r\nDisable unnecessary and outdated components, and proactively monitor systems and networks for unusual activities and increased outbound traffic.\r\nInstall a multilayered protection system capable of behavior monitoring to detect and block anomalies from malware infection and software modifications, from the gateway to the endpoint.\r\nTrend Micro solutions\r\nTrend Micro's Smart Protection Suites deliver several capabilities like high-fidelity machine learning and web reputation services that minimize the impact of persistent, fileless threats. The Trend Micro™ Deep Discovery™ solution has a layer for email inspection that can protect enterprises by detecting malicious attachments and URLs. It can detect remote scripts even if they are not being downloaded on the physical endpoints.\r\nSource: https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/cloud-atlas-group-updates-infection-chain-with-polymorphic-malware-to-evade-detection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/cloud-atlas-group-updates-infection-chain-with-polymorphic-malware-to-evade-detection"
	],
	"report_names": [
		"cloud-atlas-group-updates-infection-chain-with-polymorphic-malware-to-evade-detection"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434360,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/130a9526604c2725c6cf61dde67d007cb7be7764.pdf",
		"text": "https://archive.orkl.eu/130a9526604c2725c6cf61dde67d007cb7be7764.txt",
		"img": "https://archive.orkl.eu/130a9526604c2725c6cf61dde67d007cb7be7764.jpg"
	}
}