{
	"id": "afda8ea4-6cbf-4783-b464-81fe31c66c05",
	"created_at": "2026-04-06T00:10:28.954941Z",
	"updated_at": "2026-04-10T13:12:47.943913Z",
	"deleted_at": null,
	"sha1_hash": "16f1c9196722143687b6830fcc4a2920057c544c",
	"title": "Recent Cloud Atlas activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 389012,
	"plain_text": "Recent Cloud Atlas activity\r\nBy GReAT\r\nPublished: 2019-08-12 · Archived: 2026-04-02 11:08:47 UTC\r\nAlso known as Inception, Cloud Atlas is an actor with a long history of cyber-espionage operations targeting\r\nindustries and governmental entities. We first reported on Cloud Atlas in 2014 and have been following its activities\r\never since.\r\nFrom the beginning of 2019 until July, we have identified several spear-phishing campaigns related to\r\nthis threat actor, mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.\r\n[Figure: Countries targeted by Cloud Atlas recently]\r\nCloud Atlas hasn’t changed its TTPs (Tactics, Techniques and Procedures) since 2018 and still relies on its effective\r\nexisting tactics and malware to compromise high-value targets.\r\nThe Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high-profile victims.\r\nThese emails carry Office documents that use malicious remote templates – allowlisted per victim –\r\nhosted on remote servers. We described one of the techniques used by Cloud Atlas in 2017, and our colleagues at\r\nPalo Alto Networks also wrote about it in November 2018.\r\nPreviously, Cloud Atlas dropped its “validator” implant, named “PowerShower”, directly after exploiting the\r\nMicrosoft Equation Editor vulnerability (CVE-2017-11882) combined with CVE-2018-0802. 
During recent months, we have\r\nseen a new infection chain involving a polymorphic HTA, a new polymorphic VBS implant whose purpose is to\r\nexecute PowerShower, and the Cloud Atlas second-stage modular backdoor that we disclosed five years ago in\r\nour first blog post about the group and which remains unchanged.\r\nhttps://securelist.com/recent-cloud-atlas-activity/92016/\r\nPage 1 of 4\n\nLet’s meet PowerShower\r\nPowerShower, named and previously disclosed by Palo Alto Networks in their blog post (see above), is a malicious\r\npiece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This\r\nmalware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage. The\r\ndifferences between the two versions lie mostly in the anti-forensics features of the validator version of PowerShower.\r\nThe PowerShower backdoor – even in its later developments – takes three commands:\r\nCommand | Description\r\n0x80 (ASCII “P”) | The first byte of the ZIP magic “PK”. The implant saves the received content as a ZIP\r\narchive under %TEMP%\\PG.zip.\r\n0x79 (ASCII “O”) | The first byte of “On resume error”. The implant saves the received content as a VBS\r\nscript under “%APPDATA%\\Microsoft\\Word\\[A-Za-z]{4}.vbs” and executes it with\r\nWscript.exe.\r\nDefault | If the first byte matches neither 0x80 nor 0x79, the content is saved as an XML file under\r\n“%TEMP%\\temp.xml”. 
After that, the script loads the content of the file, parses the XML to\r\nget the PowerShell commands to execute, decodes them from Base64 and invokes IEX.\r\nAfter executing the commands, the script deletes “%TEMP%\\temp.xml” and sends the\r\ncontent of “%TEMP%\\pass.txt” to the C2 via an HTTP POST request.\r\nA few modules deployed by PowerShower have been seen in the wild, such as:\r\n- A PowerShell document stealer module which uses 7zip (present in the received PG.zip) to pack and\r\nexfiltrate *.txt, *.pdf, *.xls or *.doc documents smaller than 5MB modified during the last two days;\r\n- A reconnaissance module which retrieves a list of the active processes, the current user and the current\r\nWindows domain. Interestingly, this feature is present in PowerShower, but the condition leading to the\r\nexecution of that feature is never met in the recent versions of PowerShower;\r\n- A password stealer module which uses the open-source tool LaZagne to retrieve passwords from the\r\ninfected system.\r\nWe haven’t yet seen a VBS module dropped by this implant, but we think that one of the VBS scripts dropped by\r\nPowerShower is a dropper for the group’s second-stage backdoor documented in our article back in 2014.\r\nAnd its new friend, VBShower\r\nDuring its recent campaigns, Cloud Atlas used a new “polymorphic” infection chain that no longer relies on\r\nPowerShower directly after infection, but instead executes a polymorphic HTA hosted on a remote server, which is used\r\nto drop three different files on the local system:\r\n- A backdoor that we name VBShower, which is polymorphic and replaces PowerShower as a validator;\r\n- A tiny launcher for VBShower;\r\n- A file computed by the HTA which contains contextual data such as the current user, domain, computer\r\nname and a list of active processes.\r\nThis “polymorphic” infection chain allows the attacker to try to defeat IoC-based defence, as each sample is 
unique\r\nper victim, so it can’t be searched for via file hash on the host.\r\nThe VBShower backdoor follows the same philosophy as the validator version of PowerShower. Its aim is to\r\ncomplicate forensic analysis by trying to delete all the files contained in “%APPDATA%\\..\\Local\\Temporary\r\nInternet Files\\Content.Word” and “%APPDATA%\\..\\Local Settings\\Temporary Internet Files\\Content.Word\\”.\r\nOnce these files have been deleted and its persistence is achieved in the registry, VBShower sends the context file\r\ncomputed by the HTA to the remote server and tries, every hour, to fetch via HTTP a VBS script to execute from the remote\r\nserver.\r\nAt the time of writing, two VBS files have been seen pushed to the target computer by VBShower. The first one is\r\nan installer for PowerShower and the second one is an installer for the Cloud Atlas second-stage modular\r\nbackdoor, which communicates with a cloud storage service via WebDAV.\r\nFinal words\r\nCloud Atlas remains very prolific in Eastern Europe and Central Asia. The actor’s massive spear-phishing\r\ncampaigns continue to use its simple but effective methods to compromise its targets.\r\nUnlike many other intrusion sets, Cloud Atlas hasn’t chosen to use open-source implants during its recent\r\ncampaigns in order to be less distinguishable. 
More interestingly, this intrusion set hasn’t changed its modular\r\nbackdoor, even five years after its discovery.\r\nIoCs\r\nSome emails used by the attackers\r\ninfocentre.gov@mail.ru\r\nmiddleeasteye@asia.com\r\nsimbf2019@mail.ru\r\nworld_overview@politician.com\r\ninfocentre.gov@bk.ru\r\nVBShower registry persistence\r\nKey: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[a-f0-9A-F]{8}\r\nValue: wscript //B “%APPDATA%\\[A-Za-z]{5}.vbs”\r\nVBShower paths\r\n%APPDATA%\\[A-Za-z]{5}.vbs.dat\r\n%APPDATA%\\[A-Za-z]{5}.vbs\r\n%APPDATA%\\[A-Za-z]{5}.mds\r\nVBShower C2s\r\n176.31.59.232\r\n144.217.174.57\r\nSource: https://securelist.com/recent-cloud-atlas-activity/92016/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/recent-cloud-atlas-activity/92016/"
	],
	"report_names": [
		"92016"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434228,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16f1c9196722143687b6830fcc4a2920057c544c.pdf",
		"text": "https://archive.orkl.eu/16f1c9196722143687b6830fcc4a2920057c544c.txt",
		"img": "https://archive.orkl.eu/16f1c9196722143687b6830fcc4a2920057c544c.jpg"
	}
}