{
	"id": "759a4b27-2cb7-423b-be9c-d38d72513bb1",
	"created_at": "2026-04-06T00:08:53.492899Z",
	"updated_at": "2026-04-10T13:11:50.404462Z",
	"deleted_at": null,
	"sha1_hash": "2afe139bf3ae8ed0df4ff63a07df4ea67ac59c34",
	"title": "Inception Framework: Alive and Well, and Hiding Behind Proxies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56516,
	"plain_text": "Inception Framework: Alive and Well, and Hiding Behind Proxies\r\nArchived: 2026-04-05 19:37:12 UTC\r\nThe cyber espionage group known as the Inception Framework has significantly developed its operations over the\r\npast three years, rolling out stealthy new tools and cleverly leveraging the cloud and the Internet of Things (IoT)\r\nin order to make its activities harder to detect.\r\nSince 2014, Symantec has found evidence of a steady stream of attacks from the Inception Framework targeted at\r\norganizations on several continents. As time has gone by, the group has become ever more secretive, hiding\r\nbehind an increasingly complex framework of proxies and cloud services.\r\nHistory of stealthy attacks\r\nThe Inception Framework has been active since at least May 2014 and its activities were first exposed by Blue\r\nCoat (now part of Symantec) in December 2014. Right from the start, the group stood out because of its use of an\r\nadvanced, highly automated framework to support its targeted attacks. This level of sophistication is rarely seen,\r\neven in the targeted attacks sphere. The nature of Inception’s targets, from 2014 right through to today, along with\r\nthe capabilities of its tools, indicates that espionage is the primary motive of this group.\r\nIn 2014, Inception was compromising targeted organizations using spear-phishing emails, which masqueraded as\r\nlegitimate emails concerning international policy, upcoming conferences, and specific sectoral interests of the\r\ntargeted organization.\r\nMore than half of the group’s earlier targets were in the Energy or Defense sectors, but it also targeted\r\norganizations in the Consultancy/Security, Aerospace, Research, and Media sectors, in addition to embassies. 
Its\r\nactivities ranged across the globe, with targets located in South Africa, Kenya, the United Kingdom, Malaysia,\r\nSuriname, along with several other European and Middle Eastern countries.\r\nWord documents attached to Inception’s spear-phishing emails leveraged two Microsoft Office vulnerabilities\r\n(CVE-2014-1761 and CVE-2012-0158) to install malware on the recipient’s computer. The malware had a multi-staged structure that began with a malicious RTF document and ended with an in-memory DLL payload that\r\ncommunicated, via the WebDAV protocol, with a command and control (C\u0026C) address from a legitimate cloud\r\nservice provider (CloudMe.com). The name “Inception” comes from the many levels of obfuscation and\r\nindirection the group employed in delivering this payload.\r\nFurther layers of obfuscation emerged when Blue Coat was able to determine that the attackers were\r\ncommunicating with CloudMe.com through a hacked network of compromised routers, the majority of which\r\nwere located in South Korea.\r\nStepping out of the shadows once again\r\nhttps://symantec-blogs.broadcom.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies\r\nPage 1 of 5\n\nFollowing its exposure in late 2014, Inception fell quiet. However, this turned out to be only a brief hiatus and, by\r\nApril 2015, there had been a resurgence in activity. Attacks have continued since then, right through to 2017.\r\nFigure 1. Inception Framework attacks 2015-2017\r\nIn the intervening years, the Inception Framework has evolved, adding additional layers of obfuscation in a bid to\r\navoid detection. The group is using new types of lure documents in its spear-phishing campaigns and its malware\r\nhas expanded to use new types of plugins. Inception has also increased its use of the cloud, and diversified the\r\nrange of cloud providers it uses for C\u0026C purposes.\r\nFigure 2. 
Locations of organizations targeted by Inception, 2015-2017\r\nThe locations of Inception’s targets have shifted since 2014, but the group continues to have a global reach. Russia\r\naccounted for the largest number of attacks between 2015 and 2017, followed by Ukraine, Moldova, Belgium,\r\nIran, and France.\r\nAn evolved attack framework\r\nSince 2014, the Inception Framework has steadily changed its tools and techniques. In its early attacks, the\r\ngroup’s malware payload (with the exception of plugins) was fully contained within an exploit document emailed\r\nto the victim. In more recent activity, these spear-phishing attacks are now a two-stage process. The group will\r\nfirst email the target a malicious “Reconnaissance document” which, if opened, will fingerprint the target\r\ncomputer, gathering information on what software it is running and whether that software is up to date.\r\nSeveral days later, Inception will send a second spear-phishing email to the target, with another malicious\r\ndocument attached. This document is designed to retrieve a remote RTF file, which contains the exploit, and open\r\nit on the target’s computer.\r\nShortly after this RTF document is opened, the remaining stages of the Inception malware are found executing on\r\nthe system. The loader DLL is responsible for decrypting and injecting the core payload DLL into memory, from\r\nan encrypted file present on disk. The core payload DLL's main function is to gather system information, execute\r\nother malware in the form of plugins, and update itself. 
It accesses C\u0026C via WebDAV hosted on legitimate cloud\r\nstorage providers.\r\nThe use of an initial reconnaissance document allows Inception to profile the target’s computer and potentially\r\ncustomize any subsequent malicious document to exploit known vulnerabilities in unpatched software on the\r\ncomputer.\r\nBy breaking its attacks up into distinct stages, Inception also makes them harder to detect. For investigators to\r\ntrace an attack, each stage will have to be uncovered and referenced to the other stages.\r\nModular malware\r\nInception’s malware is modular and the attackers will load plugins based on requirements for each attack. The\r\ngroup has used a range of plugins in recent attacks, some of which are improved versions of plugins used in 2014,\r\nwhile others were previously unseen.\r\nFile hunting plugin: The most frequently used plugin, similar to one used in 2014. Often used to collect\r\nOffice files from temporary internet history.\r\nDetailed survey plugin: Used to gather domain membership, processes/loaded modules, hardware\r\nenumeration, installed products, logical and mapped drive information. Evolution of earlier plugin used in\r\n2014.\r\nBrowser plugin: Used to steal browser history, stored passwords and sessions. Works with Internet\r\nExplorer, Chrome, Opera, Firefox, Torch, and Yandex.\r\nFile listing plugin: Works on local or remote drives and can map additional paths when given credentials.\r\nExpanding use of the cloud\r\nSince 2014, Inception has widened its use of cloud service providers for C\u0026C purposes. Whereas previously it\r\nrelied on one service provider (CloudMe.com), more recently it has employed at least five cloud service providers.\r\nLeveraging the cloud for C\u0026C has a number of advantages for groups like Inception. 
Any C\u0026C communications\r\nwill involve encrypted traffic to a known website, meaning it is less likely to raise flags on targeted networks.\r\nLegitimate cloud services are not likely to be blacklisted.\r\nVarying the cloud service provider used adds a further degree of stealth. Once it became known Inception was\r\nusing a single provider, any traffic to that provider may have attracted additional scrutiny.\r\nSymantec has notified all cloud providers affected. Where possible, Symantec has provided details on the C\u0026C\r\naccounts used by Inception to the affected cloud providers. The accounts in question have been deleted or\r\ndisabled.\r\nUsing IoT to hide behind proxies\r\nInception is continuing to use chains of infected routers to act as proxies and mask communications between the\r\nattackers and the cloud service providers they use. Certain router manufacturers have UPnP listening on WAN as a\r\ndefault configuration. Akamai research has found that there are 765,000 devices vulnerable to this attack. These\r\nrouters are hijacked by Inception and configured to forward traffic from one port to another host on the internet.\r\nAbuse of this service requires no custom malware to be injected on the routers and can be used at scale very\r\neasily. Inception strings chains of these routers together to create multiple proxies to hide behind.\r\nEvery connection builds different chains of infected routers and once the connection is complete, it cleans up after\r\nitself. 
In several cases, Symantec has been able to follow the entire chain of compromised routers and found it led\r\nto a virtual private server (VPS), meaning the attackers have employed an additional layer of security by routing\r\ncommunications through rented hosting servers.\r\nMobile devices targeted\r\nInception has an ongoing interest in mobile devices and has previously developed malware to infect Android\r\n(Android.Lastacloud), iOS (IOS.Lastacloud) and BlackBerry devices (BBOS.Lastacloud).\r\nMobile malware continues to be deployed and the group has made some modifications to its Android malware.\r\nThe malware is spread via SMS messages and emails containing malicious links. Once installed, it uses user\r\nprofile pages on online forums as dead drops for its C\u0026C.\r\nFigure 3. Malicious SMS message used by Inception to spread Android malware\r\nPersistence, stealth, and global reach\r\nEven prior to its discovery in 2014, Inception went to great lengths both to avoid detection and conceal its\r\nlocation. Exposure hasn’t deterred the group. Instead, it has redoubled its efforts, adding more layers of\r\nobfuscation to an already complex attack framework. Its persistence, stealth, and global reach mean the group\r\ncontinues to pose an ongoing risk to organizations, particularly in its areas of interest, which include defense,\r\naerospace, energy, governments, telecoms, media, and finance.\r\nAside from a suite of advanced modular malware, the group is notable for its ability to make use of new platforms\r\nsuch as the cloud, IoT, and mobile to facilitate its attacks. 
An “early adopter”, Inception’s tactics may point the\r\nway towards how other espionage groups may modify their methods in years to come.\r\nProtection\r\nSymantec has had protection for all of the Inception Framework tools since the initial emergence of the group in\r\n2014. The following detections are in place today:\r\nFile-based protection\r\nInfostealer.Rodagose\r\nTrojan.Rodagose!g1\r\nTrojan.Rodagose!g2\r\nTrojan.MDropper\r\nMobile\r\nAndroid.Lastacloud\r\nBBOS.Lastacloud\r\nIOS.Lastacloud\r\nNetwork Protection Products\r\nMalware Analysis Appliance detects activity associated with Inception\r\nCustomers with Webpulse-enabled products are protected against activity associated with Inception\r\nSource: https://symantec-blogs.broadcom.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies"
	],
	"report_names": [
		"inception-framework-hiding-behind-proxies"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434133,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2afe139bf3ae8ed0df4ff63a07df4ea67ac59c34.pdf",
		"text": "https://archive.orkl.eu/2afe139bf3ae8ed0df4ff63a07df4ea67ac59c34.txt",
		"img": "https://archive.orkl.eu/2afe139bf3ae8ed0df4ff63a07df4ea67ac59c34.jpg"
	}
}