{
	"id": "a88bc5e8-a093-4d3e-9a6f-c94eebde7f57",
	"created_at": "2026-04-06T00:17:53.971028Z",
	"updated_at": "2026-04-10T03:36:27.410273Z",
	"deleted_at": null,
	"sha1_hash": "133eb9de93088e6586da2a8b50b363ddffef0111",
	"title": "Cyber-espionage group Cloud Atlas targets Russian companies with war-related phishing attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77735,
	"plain_text": "Cyber-espionage group Cloud Atlas targets Russian companies\r\nwith war-related phishing attacks\r\nBy Daryna Antoniuk\r\nPublished: 2023-12-21 · Archived: 2026-04-05 17:27:25 UTC\r\nThe hacker group known as Cloud Atlas targeted a Russian agro-industrial enterprise and a state-owned research\r\ncompany in a new espionage campaign, researchers have found.\r\nCloud Atlas is a state-backed threat actor, active since at least 2014, that mostly attacks organizations in Russia,\r\nBelarus, Azerbaijan, Turkey, and Slovenia.\r\nIn its new campaign, the hackers sent their victims phishing emails with malicious attachments — the tactic they\r\nwere seen using in previous attacks, according to the Russian cybersecurity firm F.A.C.C.T., an offshoot of the\r\nSingapore-based cybersecurity firm Group IB.\r\nThe researchers said that two attacks they detected were successfully blocked. In the report released earlier this\r\nweek, F.A.C.C.T. published examples of two phishing letters discovered while analyzing the attacks.\r\nThe first email offered to send postcards to soldiers fighting in the war in Ukraine and their family members. Both\r\nthe report and the malicious emails referred to the war as “SVO” (special military operation), a term used by the\r\nKremlin to describe its invasion of Ukraine. The second email was related to changes in the law regarding military\r\nreserves.\r\nBoth letters were sent from email addresses registered on popular Russian email services — yandex.ru and\r\nmail.ru.\r\nThe emails contained malicious attachments that, once opened, uploaded files with an exploit for the vulnerability\r\nknown as CVE-2017-11882. This is a vulnerability in Microsoft Office that was fixed back in 2017 but is still\r\nactively exploited.\r\nSuccessful exploitation of this bug allows attackers to execute arbitrary code with the privileges of the user who\r\nopened the malicious file. 
Thus, if the victim has administrator rights, the attacker will be able to take full control\r\nof their system — install programs, view, modify, or destroy data, and even create new accounts, said researchers\r\nat Moscow-based Kaspersky.\r\nLast December, researchers at Check Point published a report saying that Cloud Atlas ramped up activities\r\ntargeting “high profile victims” in Russia, Belarus, Transnistria (a pro-Kremlin breakaway region of Moldova),\r\nand Russian-annexed territories of Ukraine, including Crimea, Luhansk, and Donetsk.\r\nCloud Atlas focuses on espionage and theft of confidential information, but it isn’t clear what country sponsors the\r\ngroup.\r\nThe hackers typically use phishing emails with malicious attachments to gain initial access to a victim’s computer.\r\nThese documents are carefully crafted to mimic government statements, media articles, business proposals, or\r\nadvertisements, researchers said.\r\nThe attackers closely control who can access their malicious attachments by whitelisting the targets. To collect the\r\nIP information of the victims, Cloud Atlas first sent them reconnaissance documents, which do not contain any\r\nmalicious files aside from fingerprinting the victim, according to Check Point.\r\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. 
Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/cloud-atlas-targets-russian-orgs-war-phishing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/cloud-atlas-targets-russian-orgs-war-phishing"
	],
	"report_names": [
		"cloud-atlas-targets-russian-orgs-war-phishing"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434673,
	"ts_updated_at": 1775792187,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/133eb9de93088e6586da2a8b50b363ddffef0111.pdf",
		"text": "https://archive.orkl.eu/133eb9de93088e6586da2a8b50b363ddffef0111.txt",
		"img": "https://archive.orkl.eu/133eb9de93088e6586da2a8b50b363ddffef0111.jpg"
	}
}