{
	"id": "654e04de-9e11-44ba-bf86-023a4b960848",
	"created_at": "2026-04-06T00:19:54.390421Z",
	"updated_at": "2026-04-10T03:36:27.52569Z",
	"deleted_at": null,
	"sha1_hash": "e7aa74b134122715551652e4e1314f10e00ce71d",
	"title": "Cloud Atlas: RedOctober APT is back in style",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 445832,
	"plain_text": "Cloud Atlas: RedOctober APT is back in style\r\nBy GReAT\r\nPublished: 2014-12-10 · Archived: 2026-04-05 17:34:45 UTC\r\nTwo years ago, we published our research into RedOctober, a complex cyber-espionage operation targeting diplomatic embassies worldwide. We named it RedOctober because we started this investigation in October 2012, an unusually hot month.\r\nAfter our announcement in January 2013, the RedOctober operation was promptly shut down and the network of C\u0026Cs was dismantled. As usually happens with these big operations, considering the huge investment and number of resources behind them, they don’t just “go away” forever. Normally, the group goes underground for a few months, redesigns the tools and the malware and resumes operations.\r\nSee:\r\nRedOctober Part 1\r\nRedOctober Part 2\r\nSince January 2013, we’ve been on the lookout for a possible RedOctober comeback. One possible hit was triggered when we observed Mevade, an unusual piece of malware that appeared late in 2013. The Mevade C\u0026C name styles, as well as some other technical similarities, indicated a connection to RedOctober, but the link was weak. It wasn’t until August 2014 that we observed something which made us wonder if RedOctober is back for good.\r\nMeet Cloud Atlas\r\nIn August 2014, some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware. We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world.\r\nSome of the filenames used in the attacks included:\r\nFT – Ukraine Russia’s new art of war.doc\r\nКатастрофа малайзийского лайнера.doc\r\nDiplomatic Car for Sale.doc\r\nМВКСИ.doc\r\nOrganigrama Gobierno Rusia.doc\r\nФото.doc\r\nИнформационное письмо.doc\r\nФорма заявки (25-26.09.14).doc\r\nИнформационное письмо.doc\r\nПисьмо_Руководителям.doc\r\nhttps://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083\r\nPage 1 of 10\r\nПрилож.doc\r\nCar for sale.doc\r\nAf-Pak and Central Asia’s security issues.doc\r\nAt least one of them immediately reminded us of RedOctober, which used a very similarly named spearphish: “Diplomatic Car for Sale.doc”. As we started digging into the operation, more details emerged which supported this theory.\r\nPerhaps the most unusual fact was that the Microsoft Office exploit didn’t directly write a Windows PE backdoor on disk. Instead, it wrote an encrypted Visual Basic Script and ran it.\r\nCloud Atlas exploit payload – VBScript\r\nThis VBScript drops a pair of files on disk – a loader and an encrypted payload. The loader appears to be different every time and internal strings indicate it is “polymorphically” generated. The payload is always encrypted with a unique key, making it impossible to decrypt unless the DLL is available.\r\nWe observed several different spear-phishing documents that drop uniquely named payloads. For instance, the “qPd0aKJu.vbs” file (MD5: E211C2BAD9A83A6A4247EC3959E2A730) drops the following files:\r\nDECF56296C50BD3AE10A49747573A346 – bicorporate – encrypted payload\r\nD171DB37EF28F42740644F4028BCF727 – ctfmonrn.dll – loader\r\nThe VBS also adds a registry key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ setting the key “bookstore” to the value “regsvr32 %path%\\ctfmonrn.dll /s”, which ensures the malware runs every time the system boots.\r\nSome of the DLL names we observed include:\r\nf4e15c1c2c95c651423dbb4cbe6c8fd5 – bicorporate.dll\r\n649ff144aea6796679f8f9a1e9f51479 – fundamentive.dll\r\n40e70f7f5d9cb1a669f8d8f306113485 – papersaving.dll\r\n58db8f33a9cdd321d9525d1e68c06456 – previliges.dll\r\nf5476728deb53fe2fa98e6a33577a9da – steinheimman.dll\r\nSome of the payload names include:\r\nsteinheimman\r\npapersaving\r\npreviliges\r\nfundamentive\r\nbicorporate\r\nmiditiming\r\ndamnatorily\r\nmunnopsis\r\narzner\r\nredtailed\r\nroodgoose\r\nacholias\r\nsalefians\r\nwartworts\r\nfrequencyuse\r\nnonmagyar\r\nshebir\r\ngetgoing\r\nThe payload includes an encrypted configuration block which contains information about the C\u0026C server:\r\nThe information from the config includes a WebDAV URL which is used for connections, a username and password, and two folders on the WebDAV server: one used to store plugins/modules for the malware and one where data from the victim should be uploaded.\r\nC\u0026C communication\r\nThe Cloud Atlas implants utilize a rather unusual C\u0026C mechanism. All the malware samples we’ve seen communicate via HTTPS and WebDAV with the same server, “cloudme.com”, a cloud services provider. According to their website, CloudMe is owned and operated by CloudMe AB, a company based in Linköping, Sweden. (Important note: we do not believe that CloudMe is in any way related to the Cloud Atlas group – the attackers simply create free accounts on this provider and abuse them for command-and-control).\r\nEach malware set we have observed so far communicates with a different CloudMe account though. The attackers upload data to the account, which is downloaded by the implant, decrypted and interpreted. In turn, the malware uploads the replies back to the server via the same mechanism. Of course, it should be possible to reconfigure the malware to use any cloud-based storage service that supports WebDAV.\r\nHere’s a look at one such account from CloudMe:\r\nThe data from the account:\r\nThe files stored in the randomly named folder were uploaded by the malware and contain various things, such as system information, running processes and the current username. The data is compressed with LZMA and encrypted with AES; however, the keys are stored in the malware body, which makes it possible to decrypt the information from the C\u0026C.\r\nWe previously observed only one other group using a similar method – ItaDuke – that connected to accounts on the cloud provider mydrive.ch.\r\nVictim statistics: top 5 infected countries\r\nCountry | CloudAtlas | RedOctober\r\nRussia | 15 | 35\r\nKazakhstan | 14 | 21\r\nBelarus | 4 | 5\r\nIndia | 2 | 14\r\nCzech Republic | 2 | 5\r\nSimilarities with RedOctober\r\nJust like with RedOctober, the top target of Cloud Atlas is Russia, followed closely by Kazakhstan, according to data from the Kaspersky Security Network (KSN). Actually, we see an obvious overlap of targets between the two, with subtle differences which closely account for the geopolitical changes in the region that happened during the last two years.\r\nInterestingly, some of the spear-phishing documents between Cloud Atlas and RedOctober seem to exploit the same theme and were used to target the same entity at different times.\r\nBoth Cloud Atlas and RedOctober malware implants rely on a similar construct, with a loader and the final payload that is stored encrypted and compressed in an external file. There are some important differences though, especially in the encryption algorithms used – RC4 in RedOctober vs AES in Cloud Atlas.\r\nThe usage of the compression algorithms in Cloud Atlas and RedOctober is another interesting similarity. Both malicious programs share the code for the LZMA compression algorithm. In CloudAtlas it is used to compress the logs and to decompress the decrypted payload from the C\u0026C servers, while in Red October the “scheduler” plugin uses it to decompress executable payloads from the C\u0026C.\r\nIt turns out that the implementation of the algorithm is identical in both malicious modules; however, the way it is invoked is a bit different, with additional input integrity checks added to the CloudAtlas version.\r\nAnother interesting similarity between the malware families is the configuration of the build system used to compile the binaries. Every binary created using the Microsoft Visual Studio toolchain has a special header, the “Rich” header (so called after the magic string used to identify it in the file), that contains the number of input object files and version information about the compilers used to create them.\r\nWe have been able to identify several RedOctober binaries that have “Rich” headers describing exactly the same layout of VC 2010 + VC 2008 object files. Although this doesn’t necessarily mean that the binaries were created on the same development computer, they were definitely compiled using the same version of Microsoft Visual Studio, down to the build number, and using a similar project configuration.\r\nNumber of object files, CloudAtlas loader | Number of object files, Red October Office plugin | Number of object files, Red October Fileputexec plugin | HEX compiler version | Decoded compiler version\r\n01 | 01 | 01 | 009D766F | VC 2010 (build 30319)\r\n01 | 01 | 01 | 009B766F | VC 2010 (build 30319)\r\n22 | 2E | 60 | 00AB766F | VC 2010 (build 30319)\r\n5B | 60 | A3 | 00010000 | –\r\n05 | 07 | 11 | 00937809 | VC 2008 (build 30729)\r\n72 | 5C | AD | 00AA766F | VC 2010 (build 30319)\r\n20 | 10 | 18 | 009E766F | VC 2010 (build 30319)\r\nTo summarize the similarities between the two:\r\nFeature | Cloud Atlas | RedOctober\r\nShellcode marker in spearphished documents | PT@T | PT@T\r\nTop target country | Russia | Russia\r\nCompression algorithm used for C\u0026C communications | LZMA | LZMA\r\nC\u0026C servers claim to be / redirect to | BBC (mobile malware) | BBC\r\nCompiler version | VC 2010 (build 30319) | VC 2010 (build 30319) (some modules)\r\nFinally, perhaps the strongest connection comes from targeting. Based on observations from KSN, some of the victims of RedOctober are also being targeted by CloudAtlas. In at least one case, the victim’s computer was attacked only twice in the last two years, with only two malicious programs – RedOctober and Cloud Atlas.\r\nThese and other details make us believe that CloudAtlas represents a rebirth of the RedOctober attacks.\r\nConclusion\r\nFollowing big announcements and public exposures of targeted attack operations, APT groups behave in a predictable manner. Most Chinese-speaking attackers simply relocate C\u0026C servers to a different place, recompile the malware and carry on as if nothing happened.\r\nOther groups that are more nervous about exposure go into hibernation mode for months or years. Some may never return using the same tools and techniques.\r\nHowever, when a major cyber-espionage operation is exposed, the attackers are unlikely to completely shut down everything. They simply go offline for some time, completely reshuffle their tools and return with rejuvenated forces.\r\nWe believe this is also the case with RedOctober, which makes a classy return with Cloud Atlas.\r\nKaspersky products detect the malware from the Cloud Atlas toolset with the following verdicts:\r\nExploit.Win32.CVE-2012-0158.j\r\nExploit.Win32.CVE-2012-0158.eu\r\nExploit.Win32.CVE-2012-0158.aw\r\nExploit.MSWord.CVE-2012-0158.ea\r\nHEUR:Trojan.Win32.CloudAtlas.gen\r\nHEUR:Trojan.Win32.Generic\r\nHEUR:Trojan.Script.Generic\r\nTrojan-Spy.Win32.Agent.ctda\r\nTrojan-Spy.Win32.Agent.cteq\r\nTrojan-Spy.Win32.Agent.ctgm\r\nTrojan-Spy.Win32.Agent.ctfh\r\nTrojan-Spy.Win32.Agent.cter\r\nTrojan-Spy.Win32.Agent.ctfk\r\nTrojan-Spy.Win32.Agent.ctfj\r\nTrojan-Spy.Win32.Agent.crtk\r\nTrojan-Spy.Win32.Agent.ctcz\r\nTrojan-Spy.Win32.Agent.cqyc\r\nTrojan-Spy.Win32.Agent.ctfg\r\nTrojan-Spy.Win32.Agent.ctfi\r\nTrojan-Spy.Win32.Agent.cquy\r\nTrojan-Spy.Win32.Agent.ctew\r\nTrojan-Spy.Win32.Agent.ctdg\r\nTrojan-Spy.Win32.Agent.ctlf\r\nTrojan-Spy.Win32.Agent.ctpz\r\nTrojan-Spy.Win32.Agent.ctdq\r\nTrojan-Spy.Win32.Agent.ctin\r\nTrojan-Spy.Win32.Agent.ctlg\r\nTrojan-Spy.Win32.Agent.ctpd\r\nTrojan-Spy.Win32.Agent.ctps\r\nTrojan-Spy.Win32.Agent.ctpq\r\nTrojan-Spy.Win32.Agent.ctpy\r\nTrojan-Spy.Win32.Agent.ctie\r\nTrojan-Spy.Win32.Agent.ctgz\r\nTrojan-Spy.Win32.Agent.ctpr\r\nTrojan-Spy.Win32.Agent.ctdp\r\nTrojan-Spy.Win32.Agent.ctdr\r\nTrojan.Win32.Agent.idso\r\nTrojan.Win32.Agent.idrx\r\nHEUR:Trojan.Linux.Cloudatlas.a\r\nTrojan.AndroidOS.Cloudatlas.a\r\nTrojan.IphoneOS.Cloudatlas.a\r\nParallel research:\r\nBlue Coat Exposes Inception Framework\r\nSource: https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083"
	],
	"report_names": [
		"68083"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9a58d7bb-dd32-41bc-804e-500ef7550cf8",
			"created_at": "2023-01-06T13:46:39.131811Z",
			"updated_at": "2026-04-10T02:00:03.2252Z",
			"deleted_at": null,
			"main_name": "ItaDuke",
			"aliases": [
				"DarkUniverse",
				"SIG27"
			],
			"source_name": "MISPGALAXY:ItaDuke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434794,
	"ts_updated_at": 1775792187,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7aa74b134122715551652e4e1314f10e00ce71d.pdf",
		"text": "https://archive.orkl.eu/e7aa74b134122715551652e4e1314f10e00ce71d.txt",
		"img": "https://archive.orkl.eu/e7aa74b134122715551652e4e1314f10e00ce71d.jpg"
	}
}