{
	"id": "a7bd8d3f-976a-41d6-a38d-65e6986f2456",
	"created_at": "2026-04-06T00:06:55.116545Z",
	"updated_at": "2026-04-10T13:11:33.807052Z",
	"deleted_at": null,
	"sha1_hash": "4702e466e9e166bff81e51076f02d16a13367037",
	"title": "CLOUDBURST (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31075,
	"plain_text": "CLOUDBURST (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 14:23:46 UTC\r\nCLOUDBURST, also known as NickelLoader, is an HTTP(S) downloader.\r\nIt recognizes a set of four basic commands, each five letters long, such as abcde, avdrq, gabnc and dcrqv (alternatively: eknag, eacec, hjmwk, wohnp). Its most important functionality is to load a received buffer, either as a DLL via the MemoryModule implementation or as shellcode.\r\nIt uses AES to encrypt and decrypt its network traffic. It usually sends the following information back to its C\u0026C server: computer name, product name and the list of running processes. Typically, it uses two hardcoded parameter names in its initial HTTP POST requests: gametype and type (alternatively: type and code).\r\nThe CLOUDBURST payload is disguised as mscoree.dll and is side-loaded by the legitimate Windows binary PresentationHost.exe when that binary is launched with the argument -embeddingObject. It comes either as a trojanized plugin project for Notepad++ (usually FingerText by erinata) or as a standalone DLL loaded by a dropper, which is itself a trojanized plugin project (usually NppyPlugin by Jari Pennanen).\r\nCLOUDBURST was used in Operation DreamJob attacks against an aerospace company and against a network running Microsoft Intune software in Q2-Q3 2022.\r\n[TLP:WHITE] win_cloudburst_auto (20251219 | Detects win.cloudburst.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudburst",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudburst"
	],
	"report_names": [
		"win.cloudburst"
	],
	"threat_actors": [],
	"ts_created_at": 1775434015,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4702e466e9e166bff81e51076f02d16a13367037.pdf",
		"text": "https://archive.orkl.eu/4702e466e9e166bff81e51076f02d16a13367037.txt",
		"img": "https://archive.orkl.eu/4702e466e9e166bff81e51076f02d16a13367037.jpg"
	}
}
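The record above describes two observable traits of CLOUDBURST: the DLL side-load of a fake mscoree.dll into PresentationHost.exe started with -embeddingObject, and the pair of hardcoded parameter names (gametype/type, or type/code) in its initial HTTP POST. The following detection logic is an added example written for this page; it is not code from Malpedia, Fraunhofer FKIE, or the malware authors. It assumes Sysmon-style image-load telemetry with the field names Image, CommandLine and ImageLoaded, that a legitimate mscoree.dll is only ever loaded from under %WINDIR% (System32 or SysWOW64), and that the C2 POST body is form-encoded; the sample events and bodies are constructed for the example, not captured from a real infection.

```python
"""
Added example (not from Malpedia or the CLOUDBURST authors): heuristic detections for
the two CLOUDBURST traits described on the page, run over constructed sample telemetry.

Assumptions not stated on the page:
  - Image-load events are dicts with Sysmon-style keys: Image, CommandLine, ImageLoaded.
  - A legitimate mscoree.dll (the .NET runtime shim) lives under %WINDIR%; an mscoree.dll
    loaded into PresentationHost.exe from anywhere else is treated as a side-load.
  - The initial C2 POST body is application/x-www-form-urlencoded.
"""
from __future__ import annotations

import ntpath
from urllib.parse import parse_qs

# Assumed location of the Windows directory on the monitored host.
WINDIR = r"C:\Windows"

# Parameter-name pairs the page lists for the initial POST (two hardcoded names per variant).
CLOUDBURST_PARAM_SETS = (frozenset({"gametype", "type"}), frozenset({"type", "code"}))


def is_cloudburst_sideload(event: dict) -> bool:
    """True when PresentationHost.exe, started with -embeddingObject, loads an mscoree.dll
    from outside %WINDIR%. ntpath is used so the check behaves the same off-Windows."""
    if ntpath.basename(event.get("Image", "")).lower() != "presentationhost.exe":
        return False
    if "-embeddingobject" not in event.get("CommandLine", "").lower():
        return False
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "mscoree.dll":
        return False
    # Case-insensitive prefix check against the trusted directory.
    trusted_prefix = ntpath.normcase(WINDIR) + "\\"
    return not ntpath.normcase(loaded).startswith(trusted_prefix)


def has_cloudburst_beacon_params(body: str) -> bool:
    """True when a form-encoded POST body carries exactly one of the two hardcoded
    parameter-name pairs. Exact-set matching is an assumption chosen to keep the
    indicator tight; 'type' and 'code' alone are far too common to alert on."""
    names = frozenset(parse_qs(body, keep_blank_values=True).keys())
    return names in CLOUDBURST_PARAM_SETS


def scan_image_loads(events: list[dict]) -> list[int]:
    """Indices of image-load events matching the side-load heuristic."""
    return [i for i, e in enumerate(events) if is_cloudburst_sideload(e)]


def scan_post_bodies(bodies: list[str]) -> list[int]:
    """Indices of POST bodies matching the hardcoded parameter pairs."""
    return [i for i, b in enumerate(bodies) if has_cloudburst_beacon_params(b)]


# Constructed sample telemetry (not real captures).
SAMPLE_IMAGE_LOADS = [
    {   # Benign: the real .NET shim loaded from System32.
        "Image": r"C:\Windows\System32\PresentationHost.exe",
        "CommandLine": r'"C:\Windows\System32\PresentationHost.exe" -embeddingObject',
        "ImageLoaded": r"C:\Windows\System32\mscoree.dll",
    },
    {   # Side-load: a copied PresentationHost.exe picks up mscoree.dll from its own folder.
        "Image": r"C:\Users\Public\Libraries\PresentationHost.exe",
        "CommandLine": r'"C:\Users\Public\Libraries\PresentationHost.exe" -embeddingObject',
        "ImageLoaded": r"C:\Users\Public\Libraries\mscoree.dll",
    },
    {   # Out of scope for this rule: a Notepad++ plugin load, no PresentationHost involved.
        "Image": r"C:\Program Files\Notepad++\notepad++.exe",
        "CommandLine": r'"C:\Program Files\Notepad++\notepad++.exe"',
        "ImageLoaded": r"C:\Program Files\Notepad++\plugins\FingerText\FingerText.dll",
    },
]

SAMPLE_POST_BODIES = [
    "gametype=1&type=abcde",   # first variant's parameter pair
    "type=avdrq&code=1",       # second variant's parameter pair
    "user=bob&type=login",     # benign form: 'type' alone must not fire
    "type=1",                  # single parameter: must not fire
]


if __name__ == "__main__":
    print("side-load hits:", scan_image_loads(SAMPLE_IMAGE_LOADS))
    print("beacon-param hits:", scan_post_bodies(SAMPLE_POST_BODIES))
```

Treat the parameter-name match as a weak indicator and correlate it with the side-load event or the AES-encrypted response traffic before raising it on its own; the side-load check is the higher-confidence signal, since a legitimate PresentationHost.exe has no reason to resolve mscoree.dll from a user-writable directory.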