{
	"id": "4c8b5f25-4f33-4c1e-8112-738f1f7aea63",
	"created_at": "2026-04-06T00:15:20.149029Z",
	"updated_at": "2026-04-10T13:11:47.154511Z",
	"deleted_at": null,
	"sha1_hash": "d1d0387b045a67a5b6502a42b6de80f9828623a1",
	"title": "Blue Coat Exposes “The Inception Framework”; Very Sophisticated, Layered Malware Attack Targeted at Military, Diplomats, and Business Execs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 203367,
	"plain_text": "Blue Coat Exposes “The Inception Framework”; Very Sophisticated,\r\nLayered Malware Attack Targeted at Military, Diplomats, and Business\r\nExecs\r\nBy Snorre Fagerland and Waylon Grange\r\nArchived: 2026-04-05 16:38:44 UTC\r\n· One of the most sophisticated malware attacks Blue Coat Labs has ever seen\r\n· Initially targeted at Russia, but expanding globally\r\n· Masterful identity cloaking and diversionary tactics\r\n· Clean and elegant code suggesting strong backing and top-tier talent\r\n· Includes malware targeting mobile devices: Android, BlackBerry and iOS\r\n· Using a free cloud hosting service based in Sweden for command and control\r\nResearchers from Blue Coat Labs have identified the emergence of a previously undocumented attack framework that is\r\nbeing used to launch highly targeted attacks in order to gain access to, and extract confidential information from, victims’\r\ncomputers. Because of the many layers used in the design of the malware, we’ve named it Inception—a reference to the\r\n2010 movie “Inception” about a thief who entered people’s dreams and stole secrets from their subconscious. Targets\r\ninclude individuals in strategic positions: executives in important businesses such as oil, finance and engineering, military\r\nofficers, embassy personnel and government officials. The Inception attacks began by focusing on targets primarily located\r\nin Russia or related to Russian interests, but have since spread to targets in other locations around the world. The preferred\r\nmalware delivery method is via phishing emails containing trojanized documents.\r\nCommand \u0026 Control traffic on the Windows platform is performed indirectly via a Swedish cloud service provider using the\r\nWebDAV protocol. 
This hides the identity of the attacker and may bypass many current detection mechanisms.\r\nThe attackers have added another layer of indirection to mask their identity by leveraging a proxy network composed of\r\nrouters, most of which are based in South Korea, for their command and control communication. It is believed that the\r\nattackers were able to compromise these devices based on poor configurations or default credentials.\r\nBased on the multiple layers of obfuscation and indirection in the malware, along with the control mechanisms between\r\nattacker and target, it is clear the attackers behind Inception are intent on staying in the shadows.\r\nThe framework continues to evolve. Blue Coat Lab researchers have recently found that the attackers have also created\r\nmalware for Android, BlackBerry and iOS devices to gather information from victims, as well as seemingly planned MMS\r\nphishing campaigns to mobile devices of targeted individuals. To date, Blue Coat has observed over 60 mobile providers,\r\nsuch as China Mobile, O2, Orange, SingTel, T-Mobile and Vodafone, included in these preparations, but the real number is\r\nlikely far higher.\r\nhttps://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware\r\nPage 1 of 5\n\nExpanded details about Inception are also available via a new technical whitepaper, “The Inception Framework: Cloud-hosted APT.”\r\nHighly Targeted Attacks on Political, Military, Financial and Oil Industries\r\nInitially, attack campaigns seemed to be largely focused on Russia and a few other Eastern European countries. 
However,\r\nBlue Coat has also seen attacks on targets in other countries across the globe.\r\nWhile information about targets is limited, Blue Coat researchers have uncovered a number of phishing emails highlighting\r\nindustry targets:\r\nInception Framework: Attack Targets\r\nFinance [Russia]\r\nOil industry [Romania, Venezuela, Mozambique]\r\nEmbassies/Diplomacy [Paraguay, Romania, Turkey]\r\nResearchers have also obtained decoy documents that indicate an interest in:\r\nEmbassies\r\nPolitics\r\nFinance\r\nMilitary\r\nEngineering\r\nInitial Discovery\r\nIn March 2014, Microsoft published information about a new vulnerability in Rich Text Format (RTF). This vulnerability,\r\nnamed CVE-2014-1761 (Microsoft Word RTF Object Confusion), was already being exploited by attackers. Two previous RTF\r\nvulnerabilities, CVE-2010-3333 and CVE-2012-0158, became mainstays of targeted attacks, so Blue Coat Lab researchers\r\nfollowed the usage of this new exploit with interest.\r\nIn late August, Blue Coat identified a malware espionage operation that used both the CVE-2014-1761 and CVE-2012-0158\r\nvulnerabilities to trigger execution of the malicious payload, and which leveraged a Swedish cloud service, CloudMe, as the\r\nbackbone of its entire visible infrastructure.\r\nWhen Blue Coat notified CloudMe.com about the abuse of their services, CloudMe was very helpful, providing further\r\nresearch, including a great deal of log information related to the attack. It must be noted that the CloudMe service is not\r\nactively spreading the malicious content; the attackers are only using it for storing their files.\r\nHow Does Inception Work?\r\nInitial malware components have, in all cases that Blue Coat has observed, been embedded in Rich Text Format (RTF) files.\r\nExploitation of vulnerabilities in this file format is leveraged to gain remote access to victims’ computers. 
These files are\r\ndelivered to the victim via phishing emails with exploited Word documents attached.\r\nEXAMPLE of Phishing Email\r\nExample of attached document, containing two exploit containers; one targeting CVE-2012-0158 (MSCOMCTL ActiveX\r\nBuffer Overflow), the other targeting CVE-2014-1761.\r\nWhen the user clicks on the attachment, a Word document is displayed to avoid arousing suspicion from the user while\r\nmalicious content stored inside the document in encoded form writes to their disk. Unusual among exploit campaigns, the\r\nnames of the dropped files vary and have been clearly randomized in order to avoid detection by name.\r\nThe malware gathers system information from the infected machine, including OS version, computer name, user name, user\r\ngroup membership, the process it is running in, locale IDs, as well as system drive and volume information. All of this\r\nsystem information is encrypted and sent to cloud storage via WebDAV. The framework is designed in such a way that all\r\ncommunication after malware infection (i.e. target surveying, configuration updates, malware updates, and data exfiltration)\r\ncan be performed via the cloud service.\r\nThe malware components of this framework follow a plug-in model, where new malware relies on already existing malware\r\ncomponents to interact with the framework. 
Without the initial installer, none of the subsequent separate modules will work,\r\nand most of these will only exist in memory – vanishing at reboot.\r\nThe operational security exhibited by the attackers is among the most advanced that Blue Coat has witnessed. Most\r\ninteraction between attackers and their infrastructure is performed via a convoluted network of router proxies and rented\r\nhosts, most likely compromised because of poor configurations or default credentials.\r\nAttack Origins Masked by Obfuscation and Misdirection\r\nThe attackers have left a slew of potential hints to their physical location. However, it is extremely difficult to distinguish\r\nwhich of these indicators are legitimate clues and which are breadcrumbs intentionally dropped to obscure their trail. Listed\r\nbelow are the indicators we have discovered and what conclusions could be drawn from each about the origins of the\r\nattacks.\r\nRed Herrings\r\nIn specific instances where the APT seemed to be under investigation by researchers, the actors dropped another piece\r\nof malware that is clearly attributable to a previously known Chinese APT: Suggests ties to China\r\nA large majority of the hacked home routers are in South Korea: Suggests ties to South Korea\r\nThe attackers are most active from 8:00AM to 5:00PM in the Eastern European Timezone: Suggests ties to areas in\r\nthe GMT+2 timezone\r\nSome of the comments in the Android malware are in Hindi: Suggests ties to India\r\nSome text strings in the BlackBerry malware are Arabic: Suggests ties to the Middle East\r\nThe string “God_Save_The_Queen” was found within the BlackBerry malware: Suggests ties to the UK\r\nThe Word documents show some resemblance to Word documents used by the Red October APT: Suggests ties 
to\r\nUkraine and/or Russia\r\nThe iOS malware was developed by someone using the account name “JohnClerk”: Suggests ties to the US or UK\r\nThe encryption key for the iOS malware\r\n\"fjkweyreruu665E62C:GWR34285U^%^#%$%^$RXYEUFQ2H89HCHVERWJFKWEhjvvehhewfD63TDYDGTYEDT23\r\nappears to be keyboard mashing on a US/US International keyboard: Suggests ties to the US\r\nAttacks Expanded to Target Mobile Devices\r\nAttackers have expanded their efforts to include malware for Android, BlackBerry and iOS devices.\r\nThese are used to gather information from the victims, including phone call recordings. Specifically on the Android\r\nplatform, they are recording incoming and outgoing phone calls to MP4 sound files that are periodically uploaded to the\r\nattackers.\r\nIn parallel, there are indications of a large-scale MMS phishing campaign probably aimed at selected individuals. According\r\nto data obtained by Blue Coat researchers, the intended victims may have been customers of many mobile operators – we\r\nknow of over 60 mobile providers affected, but the real number is likely far higher. The MMS phishing messages have been\r\nprepared for multiple countries in Asia (including the Russian sphere and China), Africa, the Middle East and Europe.\r\nConclusion\r\nThere clearly is a well-resourced and very professional organization behind Inception, with precise targets and intentions\r\nthat could be widespread and harmful. The complex attack framework shows signs of automation and seasoned\r\nprogramming, and the number of layers used to protect the payload of the attack and to obfuscate the identity of the\r\nattackers is extremely advanced, if not paranoid.\r\nAttribution is always hard, and in this case it is exceedingly difficult. 
Based on the attributes of the attack and the targeting\r\nof individuals connected with national political, economic and military interests, the party behind Inception could be a\r\nmedium-sized nation state, or possibly a resourceful and professional private entity.\r\nThe comprehensive infrastructure suggests that this is a large campaign, of which we’ve only seen the beginning. While the\r\nmajority of the targets seem to be located in Russia or related to Russian interests, there are verified targets in countries all\r\nover the world, and the attack could potentially expand globally. In addition, this infrastructure model does not need to be\r\napplied solely against a few targets, nor hosted at CloudMe. The framework is generic, and will work as an attack platform\r\nfor a multitude of purposes with very little modification.\r\nAdditional Guidance - What You Can Do\r\nSigns of compromise\r\nUnauthorized WebDAV traffic\r\nregsvr32.exe continuously running in the process list\r\nWays to prevent infection\r\nKeep software updated\r\nDon’t jailbreak mobile phones\r\nDon’t install apps from unofficial sources\r\nSigns of being targeted\r\nUnsolicited emails containing RTF documents\r\nUnsolicited emails or MMS messages suggesting smart phone applications need updating\r\nGet the full report: \"The Inception Framework: Cloud-Hosted APT.\"\r\nSource: https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware"
	],
	"report_names": [
		"blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434520,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1d0387b045a67a5b6502a42b6de80f9828623a1.pdf",
		"text": "https://archive.orkl.eu/d1d0387b045a67a5b6502a42b6de80f9828623a1.txt",
		"img": "https://archive.orkl.eu/d1d0387b045a67a5b6502a42b6de80f9828623a1.jpg"
	}
}