{
	"id": "5c53de55-280f-4516-b95f-8f7c96e3cdb8",
	"created_at": "2026-04-06T00:22:28.855769Z",
	"updated_at": "2026-04-10T03:29:59.11846Z",
	"deleted_at": null,
	"sha1_hash": "c5caea7633459cc8f79d3be582902c9d4c6fd6a9",
	"title": "CloudSorcerer – A new APT targeting Russian government entities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 570350,
	"plain_text": "CloudSorcerer – A new APT targeting Russian government entities\r\nBy GReAT\r\nPublished: 2024-07-08 · Archived: 2026-04-05 13:05:44 UTC\r\n\r\nIn May 2024, we discovered a new advanced persistent threat (APT) targeting Russian government entities that we dubbed CloudSorcerer. It is a sophisticated cyberespionage tool used for stealth monitoring, data collection, and exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure. The malware uses cloud resources as its command and control (C2) servers, accessing them through their APIs with authentication tokens. Additionally, CloudSorcerer uses GitHub as its initial C2 server.\r\n\r\nCloudSorcerer’s modus operandi is reminiscent of the CloudWizard APT that we reported on in 2023. However, the malware code is completely different. We presume that CloudSorcerer is a new actor that has adopted a similar method of interacting with public cloud services.\r\n\r\nOur findings in a nutshell:\r\nCloudSorcerer APT uses public cloud services as its main C2s.\r\nThe malware interacts with the C2 using special commands and decodes them using a hardcoded charcode table.\r\nThe actor uses Microsoft COM object interfaces to perform malicious operations.\r\nCloudSorcerer acts as separate modules (communication module, data collection module) depending on which process it is running in, but executes from a single executable.\r\n\r\nTechnical details\r\n\r\nInitial start up\r\n\r\nMD5: f701fc79578a12513c369d4e36c57224\r\nSHA1: f1a93d185d7cd060e63d16c50e51f4921dd43723\r\nSHA256: e4b2d8890f0e7259ee29c7ac98a3e9a5ae71327aaac658f84072770cf8ef02de\r\nLink time: N/A\r\nCompiler: N/A\r\nFile type: Windows x64 executable\r\nFile size: 172 KB\r\nFile name: N/A\r\nhttps://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/\r\nPage 1 of 13\r\n\r\nThe malware is executed manually by the attacker on an already infected machine. It is initially a single Portable Executable (PE) binary written in C.\r\n
Its functionality varies depending on the process in which it is executed.\r\n\r\nUpon execution, the malware calls the GetModuleFileNameA function to determine the name of the process it is running in. It then compares this process name with a set of hardcoded strings: browser, mspaint.exe, and msiexec.exe. Depending on the detected process name, the malware activates different functions:\r\nIf the process name is mspaint.exe, CloudSorcerer functions as a backdoor module and performs activities such as data collection and code execution.\r\nIf the process name is msiexec.exe, CloudSorcerer initiates its C2 communication module.\r\nLastly, if the process name contains the string “browser” or does not match any of the specified names, the malware attempts to inject shellcode into either the msiexec.exe, mspaint.exe, or explorer.exe processes before terminating the initial process.\r\n\r\nThe shellcode used by CloudSorcerer for initial process migration shows fairly standard functionality:\r\nParse the Process Environment Block (PEB) to locate the required Windows core DLLs;\r\nResolve the required Windows APIs by name hash, using a ROR14 hashing algorithm;\r\nMap the CloudSorcerer code into the memory of one of the targeted processes and run it in a separate thread.\r\n\r\nAll data exchange between modules is organized through Windows pipes, an inter-process communication (IPC) mechanism that allows data to be transferred between processes.\r\n\r\nCloudSorcerer backdoor module\r\n\r\nThe backdoor module begins by collecting various system information about the victim machine, running in a separate thread. The malware collects:\r\nComputer name;\r\nUser name;\r\nWindows subversion information;\r\nSystem uptime.\r\nAll the collected data is stored in a specially created structure. Once the information gathering is complete, the data is written to the named pipe \\\\.\\PIPE\\[1428] connected to the C2 module process.\r\n
All data exchange between the modules is organized using well-defined structures with different purposes, such as backdoor command structures and information gathering structures.\r\n\r\nNext, the malware attempts to read data from the pipe \\\\.\\PIPE\\[1428]. If successful, it parses the incoming data into the COMMAND structure and reads a single byte from it, which represents a COMMAND_ID.\r\nMain backdoor functionality\r\n\r\nDepending on the COMMAND_ID, the malware executes one of the following actions:\r\n0x1 – Collect information about hard drives in the system, including logical drive names, capacity, and free space.\r\n0x2 – Collect information about files and folders, such as name, size, and type.\r\n0x3 – Execute shell commands using the ShellExecuteExW API.\r\n0x4 – Copy, move, rename, or delete files.\r\n0x5 – Read data from any file.\r\n0x6 – Create and write data to any file.\r\n0x8 – Receive shellcode from the pipe and inject it into any process by allocating memory and creating a new thread in the remote process.\r\n0x9 – Receive a PE file, create a section, and map it into the remote process.\r\n0x7 – Run additional advanced functionality.\r\n\r\nWhen the malware receives a 0x7 COMMAND_ID, it runs one of the additional tasks described below:\r\n\r\nCommand ID | Operation | Description\r\n0x2307 | Create process | Creates any process using COM interfaces; used for running downloaded binaries.\r\n0x2407 | Create process as dedicated user | Creates any process under a dedicated username.\r\n0x2507 | Create process with pipe | Creates any process with inter-process communication support to exchange data with the created process.\r\n0x3007 | Clear DNS cache | Clears the DNS cache.\r\n0x2207 | Delete task | Deletes any Windows task using COM object interfaces.\r\n0x1E07 | Open service | Opens a Windows service and reads its status.\r\n0x1F07 | Create new task | Creates a new Windows task and sets up a trigger for execution using COM objects.\r\n0x2007 | Get tasks | Gets the list of all Windows tasks using COM object interfaces.\r\n0x2107 | Stop task | Stops any task using COM object interfaces.\r\n0x1D07 | Get services | Gets the list of all Windows services.\r\n0x1907 | Delete value from reg | Deletes any value from any Windows registry key selected by the actor.\r\n0x1A07 | Create service | Creates a new Windows service.\r\n0x1B07 | Change service | Modifies any Windows service configuration.\r\n0x1807 | Delete reg key | Deletes any Windows registry key.\r\n0x1407 | Get TCP/UDP update table | Gets information from the Windows TCP/UDP update table.\r\n0x1507 | Collect processes | Collects all running processes.\r\n0x1607 | Set reg key value | Modifies any Windows registry key.\r\n0x1707 | Enumerate reg key | Enumerates Windows registry keys.\r\n0x1307 | Enumerate shares | Enumerates Windows network shares.\r\n0x1007 | Set net user info | Sets information about a user account on a Windows network using NetUserSetInfo, which allows modifying user account properties on a local or remote machine.\r\n0x1107 | Get net members | Gets the members of a local network group.\r\n0x1207 | Add member | Adds a user to a local network group.\r\n0xE07 | Get net user info | Collects information about a network user.\r\n0xB07 | Enumerate net users | Enumerates network users.\r\n0xC07 | Add net user | Adds a new network user.\r\n0xD07 | Delete user | Deletes a network user.\r\n0x907 | Cancel connection | Cancels an existing network connection, allowing the disconnection of network resources such as shared directories.\r\n0x507 | File operations | Copies, moves, or deletes any file.\r\n0x607 | Get net info | Collects information about the network and interfaces.\r\n0x707 | Enumerate connections | Enumerates all network connections.\r\n0x807 | Map network | Maps a remote network drive.\r\n0x407 | Read file | Reads any file as text strings.\r\n0x107 | Enumerate RDP | Enumerates all RDP sessions.\r\n0x207 | Run WMI | Runs any WMI query using COM object interfaces.\r\n0x307 | Get files | Creates a list of files and folders.\r\n\r\nAll the collected information or results of performed tasks are added to a specially created structure and sent to the C2 module process via a named pipe.\r\n\r\nC2 module\r\n\r\nThe C2 module starts by creating a new Windows pipe named \\\\.\\PIPE\\[1428]. Next, it configures the connection to the initial C2 server by providing the necessary arguments to a sequence of Windows API (WinINet) functions responsible for internet connections:\r\nInternetCrackUrlA;\r\nInternetSetOptionA;\r\nInternetOpenA;\r\nInternetConnectA;\r\nHttpOpenRequestA;\r\nHttpSendRequestA.\r\nThe malware sets the request type (“GET”), configures proxy information, sets up hardcoded headers, and provides the C2 URL.\r\nSetting up internet connection\r\n\r\nThe malware then connects to the initial C2 server, which is a GitHub page located at https://github[.]com/alinaegorovaMygit. The malware reads the entire web page into a memory buffer using the InternetReadFile call.\r\n\r\nThe GitHub repository contains forks of three public projects that have not been modified or updated. Their purpose is merely to make the GitHub page appear legitimate and active.\r\n
The author section of the GitHub page, however, displays an interesting string:\r\nHex string in the author section\r\n\r\nWe found data that looks like a hex string that starts and ends with the same byte pattern, “CDOY”. After the malware downloads the entire GitHub HTML page, it begins parsing it, searching specifically for the character sequence “CDOY”. When it finds it, it copies all the characters up to the second “CDOY” delimiter and stores them in a memory buffer. Next, the malware parses these characters, converting each pair of hex digits into a byte. It then decodes the resulting bytes using a hardcoded charcode substitution table: each byte from the parsed string acts as an index into the charcode table, pointing to a substitute byte, thus forming a new byte array.\r\nDecoding algorithm\r\nCharcode table\r\n\r\nAlternatively, instead of connecting to GitHub, CloudSorcerer also tries to get the same data from hxxps://my.mail[.]ru/, a Russian cloud-based photo hosting service. The name of the photo album contains the same hex string.\r\n\r\nThe first decoded byte of the hex string is a magic number that tells the malware which cloud service to use.\r\n
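The extraction and decoding steps above, reproduced as an added example; this is not code from the report or from the malware. The substitution table is a constructed placeholder (the real one is hardcoded in the sample and is not published), the magic values (1 for Microsoft Graph, 0 for Yandex Cloud) and the hosts and initial API paths are those the report gives, the sample page and its token are fabricated, and Dropbox is left unmapped because the report gives no magic byte for it:

```python
# Added example (not code from the Securelist report or the malware): recover a
# CloudSorcerer-style C2 configuration from a downloaded profile page, following
# the steps the report describes: find the text between two CDOY delimiters,
# hex-decode it, run each byte through a substitution table, then split the
# result into a service-selecting magic byte and a bearer token.
#
# Labelled assumptions: CHARCODE_TABLE is a constructed placeholder permutation
# (the real table is hardcoded in the sample and not reproduced); the magic
# values 1 = Microsoft Graph and 0 = Yandex Cloud, the hosts and the initial
# API paths are taken from the report; Dropbox stays unmapped because the report
# gives no magic value for it. SAMPLE_PAGE and its token are fabricated input.

DELIM = 'CDOY'

# Constructed 256-entry substitution table: an affine permutation so the example
# is reproducible. Real samples carry an arbitrary hardcoded table.
CHARCODE_TABLE = bytes(((i * 167) + 89) & 0xFF for i in range(256))
# Inverse permutation, only needed to build encoded test input below.
INVERSE_TABLE = bytes(CHARCODE_TABLE.index(i) for i in range(256))

# Per-service dispatch keyed by the magic byte. The report describes a
# per-service virtual function table; a dict of host plus initial paths
# stands in for it here.
SERVICES = {
    0: ('cloud-api.yandex.net', ('/v1/disk/resources?path=',
                                 '/v1/disk/resources/download?path=',
                                 '/v1/disk/resources/upload?path=')),
    1: ('graph.microsoft.com', ('/v1.0/me/drive/root:/Mg/%s/%s:/content',)),
}


class ConfigError(ValueError):
    '''Raised when the page holds no usable configuration.'''


def extract_blob(page: str) -> str:
    '''Return the characters between the first and second CDOY delimiter.'''
    start = page.find(DELIM)
    if start < 0:
        raise ConfigError('opening delimiter not found')
    start += len(DELIM)
    end = page.find(DELIM, start)
    if end < 0:
        raise ConfigError('closing delimiter not found')
    return page[start:end]


def decode_blob(blob: str) -> bytes:
    '''Hex-decode the blob, then substitute each byte through the charcode table.'''
    try:
        raw = bytes.fromhex(blob)
    except ValueError:
        raise ConfigError('delimited data is not a hex string') from None
    return bytes(CHARCODE_TABLE[b] for b in raw)


def parse_config(page: str) -> dict:
    '''Full pipeline: page text -> magic byte, host, initial paths, bearer token.'''
    data = decode_blob(extract_blob(page))
    if not data:
        raise ConfigError('decoded configuration is empty')
    magic, token = data[0], data[1:]
    if magic not in SERVICES:
        raise ConfigError(f'unknown cloud magic byte {magic}')
    host, paths = SERVICES[magic]
    return {'magic': magic, 'host': host, 'paths': paths,
            'token': token.decode('ascii', errors='replace')}


def try_parse(page: str):
    '''Return the parsed configuration, or None when the page carries none.'''
    try:
        return parse_config(page)
    except ConfigError:
        return None


def encode_config(magic: int, token: str) -> str:
    '''Inverse of the decoder; used here only to fabricate test pages.'''
    plain = bytes([magic]) + token.encode('ascii')
    return DELIM + bytes(INVERSE_TABLE[b] for b in plain).hex() + DELIM


# Constructed stand-in for the downloaded HTML; the token is not a real credential.
SAMPLE_PAGE = ('<html><body><div class=bio>' +
               encode_config(1, 'EwBwA8l6fakeGraphToken') +
               '</div></body></html>')

if __name__ == '__main__':
    cfg = parse_config(SAMPLE_PAGE)
    print(cfg['host'], cfg['paths'][0], cfg['token'])
```

Running the module prints the selected host, its first API path and the recovered token for the constructed page. try_parse returns None instead of raising for pages with no delimiters, non-hex data between them, an empty payload or an unknown magic byte, which is the behaviour wanted when sweeping many candidate profile pages; the hex digits themselves can never collide with the uppercase delimiter, so the two find calls are sufficient.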
In the sample analyzed, a magic byte of “1” selects Microsoft Graph and “0” selects Yandex Cloud. The subsequent bytes form a bearer token string that is used for authentication with the cloud’s API. Depending on the magic number, the malware creates a structure and sets an offset to a virtual function table that contains a subset of functions to interact with the selected cloud service.\r\nDifferent virtual tables for Yandex and Microsoft\r\n\r\nNext, the malware connects to the cloud API by:\r\nSetting up the initial connection using InternetOpenA and InternetConnectA;\r\nSetting up all the required headers and the authorization token received from the GitHub page;\r\nConfiguring the API paths in the request;\r\nSending the request using HttpSendRequestExA and checking for response errors;\r\nReading data from the cloud using InternetReadFile.\r\n\r\nThe malware then creates two separate threads, one responsible for receiving data from the Windows pipe and another for sending data to it. These threads facilitate asynchronous data exchange between the C2 and backdoor modules.\r\n\r\nFinally, the C2 module interacts with the cloud services by reading data, receiving encoded commands, decoding them using the charcode table, and sending them via the named pipe to the backdoor module. Conversely, it receives the command execution results or exfiltrated data from the backdoor module and writes them to the cloud.\r\n\r\nInfrastructure\r\n\r\nGitHub page\r\n\r\nThe GitHub page was created on May 7, 2024, and two repositories were forked into it on the same day. On May 13, 2024, another repository was forked, and no further interactions with GitHub occurred. The forked repositories were left untouched.\r\n
The display name of the C2 GitHub account, “Alina Egorova”, is a common Russian female name; however, the profile photo is of a man and was copied from a public photo bank.\r\n\r\nMail.ru photo hosting\r\n\r\nThis page contains the same encoded string as the GitHub page. There is no information about when the album was created and published. The photo of the owner is the same picture from the photo bank.\r\n\r\nCloud infrastructure\r\n\r\nService | Main URL | Initial path\r\nYandex Cloud | cloud-api.yandex.net | /v1/disk/resources?path=\r\nYandex Cloud | cloud-api.yandex.net | /v1/disk/resources/download?path=\r\nYandex Cloud | cloud-api.yandex.net | /v1/disk/resources/upload?path=\r\nMicrosoft Graph | graph.microsoft.com | /v1.0/me/drive/root:/Mg/%s/%s:/content\r\nDropbox | content.dropboxapi.com | /2/files/download\r\nDropbox | content.dropboxapi.com | /2/files/upload\r\n\r\nAttribution\r\n\r\nThe use of cloud services is not new, and we reported an example of this in our overview of the CloudWizard APT (a campaign in the Ukrainian conflict with ties to Operation Groundbait and CommonMagic). However, the likelihood of attributing CloudSorcerer to the same actor is low, as the code and overall functionality of the malware are different. We therefore assume at this point that CloudSorcerer is a new actor that has adopted the technique of interacting with public cloud services.\r\n\r\nVictims\r\n\r\nGovernment organizations in the Russian Federation.\r\n\r\nConclusions\r\n\r\nThe CloudSorcerer malware represents a sophisticated toolset targeting Russian government entities. Its use of cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, along with GitHub for initial C2 communications, demonstrates a well-planned approach to cyberespionage.\r\n
The malware’s ability to dynamically adapt its behavior based on the process it is running in, coupled with its use of complex inter-process communication through Windows pipes, further highlights its sophistication.\r\n\r\nWhile there are similarities in modus operandi to the previously reported CloudWizard APT, the significant differences in code and functionality suggest that CloudSorcerer is likely a new actor, possibly inspired by previous techniques but developing its own unique tools.\r\n\r\nIndicators of Compromise\r\n\r\nFile Hashes (malicious documents, Trojans, emails, decoys)\r\n\r\nDomains and IPs\r\nhxxps://github[.]com/alinaegorovaMygit | CloudSorcerer C2\r\nhxxps://my.mail[.]ru/yandex.ru/alinaegorova2154/photo/1 | CloudSorcerer C2\r\n\r\nYara Rules\r\nrule apt_cloudsorcerer {\r\n    meta:\r\n        description = \"Detects CloudSorcerer\"\r\n        author = \"Kaspersky\"\r\n        copyright = \"Kaspersky\"\r\n        distribution = \"DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM\"\r\n        version = \"1.0\"\r\n        last_modified = \"2024-06-06\"\r\n        hash = \"F701fc79578a12513c369d4e36c57224\"\r\n    strings:\r\n        $str1 = \"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\"\r\n        $str2 = \"c:\\\\windows\\\\system32\\\\mspaint.exe\"\r\n        $str3 = \"C:\\\\Windows\\\\system32\\\\msiexec.exe\"\r\n        $str4 = \"\\\\\\\\.\\\\PIPE\\\\\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        all of ($str*)\r\n}\r\n\r\nMITRE ATT&CK Mapping\r\n\r\nTactic | Technique | Technique Name\r\nExecution | T1059.009 | Command and Scripting Interpreter: Cloud API\r\nExecution | T1559 | Inter-Process Communication\r\nExecution | T1053 | Scheduled Task/Job\r\nExecution | T1047 | Windows Management Instrumentation\r\nPersistence | T1543 | Create or Modify System Process\r\nPersistence | T1053 | Scheduled Task/Job\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1112 | Modify Registry\r\nDiscovery | T1083 | File and Directory Discovery\r\nDiscovery | T1046 | Network Service Discovery\r\nDiscovery | T1057 | Process Discovery\r\nDiscovery | T1012 | Query Registry\r\nDiscovery | T1082 | System Information Discovery\r\nCollection | T1005 | Data from Local System\r\nCommand and Control | T1102 | Web Service\r\nCommand and Control | T1568 | Dynamic Resolution\r\nExfiltration | T1567 | Exfiltration Over Web Service\r\nExfiltration | T1537 | Transfer Data to Cloud Account\r\n\r\nSource: https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/"
	],
	"report_names": [
		"113056"
	],
	"threat_actors": [
		{
			"id": "3f918a1b-2f20-4f3f-ae16-31e83d9d91d9",
			"created_at": "2023-06-23T02:04:34.088425Z",
			"updated_at": "2026-04-10T02:00:04.573175Z",
			"deleted_at": null,
			"main_name": "Bad Magic",
			"aliases": [
				"Bad Magic",
				"CloudWizard",
				"RedStinger"
			],
			"source_name": "ETDA:Bad Magic",
			"tools": [
				"CommonMagic",
				"PowerMagic"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4989a6be-779c-49fa-9732-51f44b269ee2",
			"created_at": "2023-01-06T13:46:38.573168Z",
			"updated_at": "2026-04-10T02:00:03.027853Z",
			"deleted_at": null,
			"main_name": "Groundbait",
			"aliases": [],
			"source_name": "MISPGALAXY:Groundbait",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d1a4f32-cc52-4ee8-acab-993cfa2ef5ad",
			"created_at": "2024-07-09T02:00:04.425917Z",
			"updated_at": "2026-04-10T02:00:03.67013Z",
			"deleted_at": null,
			"main_name": "CloudSorcerer",
			"aliases": [],
			"source_name": "MISPGALAXY:CloudSorcerer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b1db2dce-5a2b-4fc4-85c2-d184acc956a0",
			"created_at": "2024-08-28T02:02:09.272572Z",
			"updated_at": "2026-04-10T02:00:04.622449Z",
			"deleted_at": null,
			"main_name": "CloudSorcerer",
			"aliases": [
				"Operation EastWind"
			],
			"source_name": "ETDA:CloudSorcerer",
			"tools": [
				"GrewApacha",
				"PlugY",
				"The CloudSorcerer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "73446bf0-6d25-4f73-ab37-78c41d19ade9",
			"created_at": "2022-10-25T16:07:23.961856Z",
			"updated_at": "2026-04-10T02:00:04.809181Z",
			"deleted_at": null,
			"main_name": "Operation Groundbait",
			"aliases": [],
			"source_name": "ETDA:Operation Groundbait",
			"tools": [
				"Prikormka"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434948,
	"ts_updated_at": 1775791799,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5caea7633459cc8f79d3be582902c9d4c6fd6a9.pdf",
		"text": "https://archive.orkl.eu/c5caea7633459cc8f79d3be582902c9d4c6fd6a9.txt",
		"img": "https://archive.orkl.eu/c5caea7633459cc8f79d3be582902c9d4c6fd6a9.jpg"
	}
}