{
	"id": "33d87721-8c9e-4989-92f8-7676603dcecf",
	"created_at": "2026-04-06T00:11:01.628131Z",
	"updated_at": "2026-04-10T13:12:27.040832Z",
	"deleted_at": null,
	"sha1_hash": "901a39e85d9ca97e377dcb777ecd1837d8cd99e6",
	"title": "Inception Framework, Cloud Atlas - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80625,
	"plain_text": "Inception Framework, Cloud Atlas - Threat Group Cards: A\r\nThreat Actor Encyclopedia\r\nArchived: 2026-04-05 19:03:11 UTC\r\n APT group: Inception Framework, Cloud Atlas\r\nNames\r\nInception Framework (Symantec)\r\nCloud Atlas (Kaspersky)\r\nOxygen (Microsoft)\r\nATK 116 (Thales)\r\nBlue Odin (PWC)\r\nThe Rocra (?)\r\nClean Ursa (Palo Alto)\r\nG0100 (MITRE)\r\nCountry Russia\r\nMotivation Information theft and espionage\r\nFirst seen 2012\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7849ff33-1be0-4715-89b1-3adcb182561a\r\nPage 1 of 4\n\nDescription\r\n(Symantec) Researchers from Blue Coat Labs have identified the emergence of a\r\npreviously undocumented attack framework that is being used to launch highly\r\ntargeted attacks in order to gain access to, and extract confidential information from,\r\nvictims’ computers. Because of the many layers used in the design of the malware,\r\nwe’ve named it Inception—a reference to the 2010 movie “Inception” about a thief\r\nwho entered peoples’ dreams and stole secrets from their subconscious. Targets\r\ninclude individuals in strategic positions: Executives in important businesses such as\r\noil, finance and engineering, military officers, embassy personnel and government\r\nofficials. The Inception attacks began by focusing on targets primarily located in\r\nRussia or related to Russian interests, but have since spread to targets in other\r\nlocations around the world. 
The preferred malware delivery method is via phishing\r\nemails containing trojanized documents.\r\n• Initially targeted at Russia, but expanding globally\r\n• Masterful identity cloaking and diversionary tactics\r\n• Clean and elegant code suggesting strong backing and top-tier talent\r\n• Includes malware targeting mobile devices: Android, Blackberry and iOS\r\n• Using a free cloud hosting service based in Sweden for command and control\r\nObserved\r\nSectors: Aerospace, Defense, Embassies, Energy, Engineering, Financial,\r\nGovernment, Oil and gas, Research.\r\nCountries: Afghanistan, Armenia, Austria, Azerbaijan, Belarus, Belgium, Brazil,\r\nCongo, Cyprus, France, Georgia, Germany, Greece, India, Indonesia, Iran, Italy,\r\nJordan, Kazakhstan, Kenya, Kyrgyzstan, Lebanon, Lithuania, Malaysia, Moldova,\r\nMorocco, Mozambique, Oman, Pakistan, Paraguay, Portugal, Qatar, Romania,\r\nRussia, Saudi Arabia, Slovenia, South Africa, Suriname, Switzerland, Tajikistan,\r\nTanzania, Turkey, Turkmenistan, Uganda, Ukraine, UAE, USA, Uzbekistan,\r\nVenezuela, Vietnam.\r\nTools used Inception, Lastacloud, PowerShower, VBShower and many 0-day exploits.\r\nOperations performed\r\nOct 2012\r\nOperation “RedOctober”\r\nIn October 2012, Kaspersky Lab’s Global Research \u0026 Analysis Team\r\ninitiated a new threat research after a series of attacks against\r\ncomputer networks of various international diplomatic service\r\nagencies. 
A large-scale cyber-espionage network was revealed and\r\nanalyzed during the investigation, which we called “Red October”\r\n(after the famous novel “The Hunt For The Red October”).\r\n\u003chttps://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/#8\u003e\r\nMay 2014 Hiding Behind Proxies\r\nSince 2014, Symantec has found evidence of a steady stream of\r\nattacks from the Inception Framework targeted at organizations on\nseveral continents. As time has gone by, the group has become ever\nmore secretive, hiding behind an increasingly complex framework of\nproxies and cloud services.\nAug 2014\nOperation “Cloud Atlas”\nIn August 2014, some of our users observed targeted attacks with a\nvariation of CVE-2012-0158 and an unusual set of malware. We did a\nquick analysis of the malware and it immediately stood out because of\ncertain unusual things that are not very common in the APT world.\nOct 2018\nThis blog describes attacks against European targets observed in\nOctober 2018, using CVE-2017-11882 and a new PowerShell\nbackdoor we’re calling POWERSHOWER due to the attention to\ndetail in terms of cleaning up after itself, along with the malware\nbeing written in PowerShell.\n2019\nDuring its recent campaigns, Cloud Atlas used a new “polymorphic”\ninfection chain relying no more on PowerShower directly after\ninfection, but executing a polymorphic HTA hosted on a remote\nserver, which is used to drop three different files on the local system.\nFeb 2022\nCloud Atlas targets entities in Russia and Belarus amid the ongoing\nwar in Ukraine\nDec 2023\nCyber-espionage group Cloud Atlas targets Russian companies with\nwar-related phishing attacks\n2024\nCloud Atlas seen using a new tool in its attacks\nLast change to 
this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7849ff33-1be0-4715-89b1-3adcb182561a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7849ff33-1be0-4715-89b1-3adcb182561a"
	],
	"report_names": [
		"showcard.cgi?u=7849ff33-1be0-4715-89b1-3adcb182561a"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434261,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/901a39e85d9ca97e377dcb777ecd1837d8cd99e6.pdf",
		"text": "https://archive.orkl.eu/901a39e85d9ca97e377dcb777ecd1837d8cd99e6.txt",
		"img": "https://archive.orkl.eu/901a39e85d9ca97e377dcb777ecd1837d8cd99e6.jpg"
	}
}