{
	"id": "693b13a6-2caa-4a52-9fa0-33db80debcf0",
	"created_at": "2026-04-06T00:07:01.745531Z",
	"updated_at": "2026-04-10T03:36:27.596329Z",
	"deleted_at": null,
	"sha1_hash": "fe9f9e1a91b0cc6d57fdf9e314cd9649c3c59f2f",
	"title": "Cloud Atlas seen using a new tool in its attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1952859,
	"plain_text": "Cloud Atlas seen using a new tool in its attacks\r\nBy Oleg Kupreev\r\nPublished: 2024-12-23 · Archived: 2026-04-02 11:32:37 UTC\r\nIntroduction\r\nKnown since 2014, Cloud Atlas targets Eastern Europe and Central Asia. We’re shedding light on a previously\r\nundocumented toolset, which the group used heavily in 2024. Victims get infected via phishing emails containing\r\na malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and\r\nexecute malware code. See below for the infection pattern.\r\nTypical Cloud Atlas infection pattern\r\nWhen opened, the document downloads a malicious template formatted as an RTF file from a remote server\r\ncontrolled by the attackers. It contains a formula editor exploit that downloads and runs an HTML Application\r\n(HTA) file hosted on the same C2 server. The RTF and HTA downloads are restricted to certain time slots and\r\nvictim IP addresses: requests are only allowed from target regions.\r\nThe malicious HTA file extracts and writes several files to disk that are parts of the VBShower backdoor.\r\nVBShower then downloads and installs another backdoor: PowerShower. This infection scheme was originally\r\ndescribed back in 2019 and has changed only slightly from year to year.\r\nhttps://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/\r\nPage 1 of 22\n\nPreviously, Cloud Atlas employed PowerShower to download and run an executable file: a DLL library. This DLL\r\nwould then fetch additional executable modules (plug-ins) from the C2 server and execute these in memory.\r\nAmong these plug-ins was one specifically designed to exfiltrate files with extensions of interest to the attackers:\r\nDOC, DOCX, XLS, XLSX, PDF, RTF, JPG and JPEG. The plugins were downloaded and their output was\r\nuploaded via the WebDAV protocol over public cloud services. 
Interestingly, after a plug-in was successfully\r\ndownloaded, the DLL would delete the file from the cloud.\r\nThe VBCloud backdoor now replicates the executable file’s original capabilities, such as downloading and\r\nexecuting malicious plug-ins, communicating with a cloud server, and performing other tasks. We first detected\r\nattacks using this implant in August of last year. Since then, we’ve observed numerous variations of the backdoor\r\nwhich have helped it to stay under the radar. This new campaign loads VBCloud via VBShower, which also\r\ndownloads the PowerShower module. PowerShower probes the local network and facilitates further infiltration,\r\nwhile VBCloud collects information about the system and steals files. Below, we use a sample seen in September\r\n2024 as a case study to examine each stage of a Cloud Atlas attack that employs the new toolkit.\r\nTechnical details\r\nHTA\r\nThe exploit downloads the HTA file via the RTF template and runs it. It leverages the alternate data streams\r\n(NTFS ADS) feature to extract and create several files at %APPDATA%\\Roaming\\Microsoft\\Windows\\. 
These\r\nfiles make up the VBShower backdoor.\r\nSample HTA content\r\nBelow are the VBShower components loaded by the HTA dropper.\r\nFile name Description\r\nAppCache028732611605321388.log:AppCache02873261160532138892.vbs VBShower Launcher (copy)\r\nAppCache028732611605321388.log:AppCache028732611605321388.vbs VBShower Launcher\r\nAppCache028732611605321388.log:AppCache028732611605321388.dat Encrypted VBShower backdoor\r\nAppCache028732611605321388.log:AppCache0287326116053213889292.vbs VBShower Cleaner\r\nAfter the download is complete, the malware adds a registry key to auto-run the VBShower Launcher script.\r\n\"Software\\Microsoft\\Windows\\\\CurrentVersion\\Run\",\"dmwappushservice\",\"wscript /B \"%APPDATA%\\Roaming\\Microsoft\\Windows\\AppCache028732611605321388.log:AppCache028732611605321388.vbs\"\r\nThe backdoor also launches further scripts: VBShower Launcher (copy) and VBShower Cleaner.\r\nwscript /B \"%APPDATA%\\Roaming\\Microsoft\\Windows\\AppCache028732611605321388.log:AppCache02873261160532138892.vbs\r\nwscript /B \"%APPDATA%\\Roaming\\Microsoft\\Windows\\AppCache028732611605321388.log:AppCache0287326116053213889292.vbs\r\nThe attackers create custom HTA files for each victim, so the names of the scripts and registry keys are mostly\r\nunique. 
For example, we have seen intertwine used as a name template, while the file names themselves looked as\r\nfollows.\r\n“intertwine.ini:intertwineing.vbs”;\r\n“intertwine.ini:intertwineinit.vbs”;\r\n“intertwine.ini:intertwine.vbs”;\r\n“intertwine.ini:intertwine.con”.\r\nVBShower\r\nVBShower::Launcher\r\nThis script acts as a loader, responsible for reading and decrypting the contents of\r\nAppCache028732611605321388.log:AppCache028732611605321388.dat, before using the Execute() function to\r\npass control to that file.\r\nSample VBShower Launcher content\r\nVBShower::Cleaner\r\nThis script is designed to clear the contents of all files inside the \\Local\\Microsoft\\Windows\\Temporary Internet\r\nFiles\\Content.Word\\ folder by opening each in write mode. While the files persist, their contents are erased. This\r\nis how the Trojan covers its tracks, removing malicious documents and templates it downloaded from the web\r\nduring the attack.\r\nThe script uses the same method to erase both its own contents and the contents of the VBShower Launcher copy,\r\nwhich is used solely for the malware’s first run.\r\nSample VBShower Cleaner content\r\nVBShower::Backdoor\r\nThe backdoor’s payload is contained encrypted within a DAT file.\r\nEncrypted VBShower backdoor\r\nVBShower::Launcher goes through several stages to decrypt the backdoor.\r\nFirst decrypted layer of VBShower Backdoor\r\nFully decrypted and deobfuscated VBShower Backdoor content\r\nThe VBShower backdoor then runs in memory, subsequently performing several operations in a loop.\r\nCheck for the autorun registry key and restore it if missing.\r\nAttempt to download additional encrypted VB scripts from the C2 server and run 
these. If the downloaded\r\ndata is larger than 1 MB, the module saves the script to disk inside alternate data streams (NTFS ADS) and\r\nruns it with the help of the “wscript” utility. Otherwise, it runs the script in the current context.\r\nIf an alternate data stream contains a TMP file, the backdoor sends it to the C2 server with a POST request.\r\nThe additional scripts downloaded from the C2 use the TMP file to store their output.\r\nVBShower::Payload\r\nWe were able to detect and analyze a number of scripts downloaded and executed by the VBShower backdoor.\r\nVBShower::Payload (1)\r\nThe first script we found does the following.\r\nGets the domain, username and computer.\r\nGets the names and values of the registry keys in the\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run branch.\r\nGets information about the file names and sizes in the following folders:\r\n%AppData%;\r\n%AllUsersProfile%;\r\n%AllUsersProfile%\\Canon;\r\n%AllUsersProfile%\\Intel;\r\n%AllUsersProfile%\\Control;\r\n%AllUsersProfile%\\libs;\r\n%AllUsersProfile%\\Adobe;\r\n%AllUsersProfile%\\Yandex;\r\n%AllUsersProfile%\\Firefox;\r\n%AllUsersProfile%\\Edge;\r\n%AllUsersProfile%\\Chrome;\r\n%AllUsersProfile%\\avp.\r\nGets the names of running processes, their start dates and the commands that started them.\r\nGets a list of scheduler tasks by running cmd.exe /c schtasks /query /v /fo LIST.\r\nAll data collected this way is saved in a TMP alternate data stream and forwarded to the C2 server by the\r\nVBShower::Backdoor component.\r\nThe paths listed above (%AllUsersProfile%\\\u003csubfolder\u003e) are used for installing the VBCloud backdoor. 
The steps\r\nperformed by the script are most likely needed to check if the backdoor is present and installed correctly.\r\nDecrypted and deobfuscated contents of script 1\r\nVBShower::Payload (2)\r\nThe second script reboots the system.\r\nDecrypted and deobfuscated contents of script 2\r\nVBShower::Payload (3)\r\nA further script downloads a ZIP archive, extracts it into the %TMP% directory, and collects the names and sizes\r\nof downloaded files to then send an extraction report to the C2. This is done to verify that the files were received\r\nand unpacked.\r\nDecrypted and deobfuscated contents of script 3\r\nVBShower::Payload (4) and (5)\r\nVBShower downloads two similar scripts that are designed for installing the VBCloud and PowerShower\r\nbackdoors. These scripts first download an archive from a hardcoded link and then unpack it into the\r\n%ALLUSERSPROFILE% folder. In the case of VBCloud, the script changes the extension of the unpacked file\r\nfrom TXT to VBS and creates a scheduler task to run VBCloud. In the case of PowerShower, the extension of the\r\nunpacked file is changed from TXT to PS1, whereupon the script adds the file to the \\Run registry branch.\r\nUnlike VBShower’s own scripts, downloadable scripts with a payload are present on disk as files, rather than\r\nhidden inside alternate data streams.\r\nBesides installing backdoors, these scripts build a report that consists of the names of running processes, their start\r\ndates and the commands that started them, registry keys and values in the \\Run branch, and a list of files and\r\ndirectories at the path where the archive was unpacked. 
This report is then sent to the C2 server.\r\nDecrypted and deobfuscated contents of the scripts for downloading and installing VBCloud and PowerShower\r\nPowerShower\r\nPowerShower is nearly identical to VBShower in terms of functionality.\r\nSample PowerShower script installed with VBShower\r\nPowerShower downloads additional PowerShell scripts from the C2 and executes these. If the downloaded data\r\nbegins with the character “P”, PowerShower interprets the data as a ZIP archive, rather than a PowerShell script,\r\nand saves the archive to disk as “%TMP%\\Firefox.zip”. PowerShower does not unpack the archive, serving as a\r\ndownloader only.\r\nDecoded PowerShower script\r\nThe downloaded PowerShell scripts run in memory, without being saved to disk. Most of the scripts save their\r\noutput to sapp.xtx, which PowerShower then sends as a report to the C2.\r\nThe PowerShower scripts use the same C2 domains as VBShower.\r\nPowerShower::Payload (1)\r\nThe script gets a list of local groups and their members on remote computers via Active Directory Service\r\nInterfaces (ADSI). 
The script is most often used on domain controllers.\r\nSample script to get a list of local groups and members, downloaded and executed by PowerShower\r\nPowerShower::Payload (2)\r\nScript for dictionary attacks on user accounts.\r\nSample password bruteforcing script, downloaded and executed by PowerShower\r\nPowerShower::Payload (3)\r\nThe script unpacks the Firefox.zip archive previously downloaded by the PowerShower backdoor, and executes\r\nthe keb.ps1 script contained in the archive as a separate PowerShell process with a hidden window. The keb.ps1\r\nscript belongs to the popular PowerSploit framework for penetration testing and kicks off a Kerberoasting attack.\r\nSample script that launches a Kerberoasting attack, downloaded and executed by PowerShower\r\nPowerShower::Payload (4)\r\nThis script gets a list of administrator groups.\r\nSample script to get a list of administrator groups, downloaded and executed by PowerShower\r\nPowerShower::Payload (5)\r\nThis script gets a list of domain controllers.\r\nSample script to get a list of domain controllers, downloaded and executed by PowerShower\r\nPowerShower::Payload (6)\r\nThis script gets information about files inside the ProgramData directory.\r\nSample script to get information about files inside the ProgramData directory, downloaded and executed by\r\nPowerShower\r\nPowerShower::Payload (7)\r\nThis script gets the account policy and password policy settings on the local computer.\r\nSample script to get policy settings, downloaded and executed by PowerShower\r\nPowerShower::Payload::Inveigh\r\nWe also observed the use of PowerShell Inveigh, a machine-in-the-middle attack utility used in penetration\r\ntesting. 
Inveigh is used for data packet spoofing attacks, and collecting hashes and credentials both by intercepting\r\npackets and by using protocol-specific sockets.\r\nThe Inveigh script is extracted from the ZIP archive downloaded by PowerShower and runs as described under\r\nPowerShower::Payload (3).\r\nSample Inveigh script, downloaded and executed by PowerShower\r\nVBCloud\r\nAs described above, VBCloud is installed via VBShower. We found the following module installation paths.\r\nC:\\ProgramData\\avp\\avp_upd.vbs\r\nC:\\ProgramData\\Adobe\\AdobeLog.vbs\r\nC:\\ProgramData\\Adobe\\manager.vbs\r\nC:\\ProgramData\\Adobe\\sysman.vbs\r\nC:\\ProgramData\\Adobe\\news_adobe.vbs\r\nC:\\ProgramData\\Adobe\\upgrade.vbs\r\nC:\\ProgramData\\Edge\\SrvMngrUpd.vbs\r\nC:\\ProgramData\\Edge\\intelog.vbs\r\nC:\\ProgramData\\Chrome\\ChromeSys.vbs\r\nSample VBCloud main module paths\r\nThe core functionality of the VBCloud module duplicates that of VBShower: both download and run PowerShell\r\nscripts with a payload, and then send the output to the C2. Unlike VBShower, however, VBCloud uses public\r\ncloud storage as the C2.\r\nSample VBCloud script\r\nThe VBCloud script does not contain any loops, and it is designed to execute only once. However, it gets triggered\r\nby a scheduled task every time the user logs into the system, which means it will run frequently. We’ve also seen\r\nvariants of the backdoor that executed their core functionality in a loop with a thirty-minute delay between\r\nrepetitions. 
These variants ran the script once via the \\Run registry branch when the system booted up for the first\r\ntime after being infected.\r\nDecrypted and deobfuscated VBCloud script\r\nVBCloud does the following:\r\nCheck the availability of the kim.nl.tab.digital WebDav server by sending an HTTP MKCOL request to\r\ncreate the directories named “kmsobuqjquut” and “rwqdmpaohxns” with the credentials hardcoded in the\r\nscript. If the server is unavailable, the script switches to the backup address “webdav.mydrive.ch”.\r\nIf the WebDav server is available, create a file in the “kmsobuqjquut” directory on that server via an HTTP\r\nPUT request. The file name follows the pattern ddmmyy_HHMMSS, and the extension is randomly selected from\r\namong TXT, RTF, DOC, PPT, MDS, PNG and JPEG. We have seen files named “070824_001919.txt” and\r\n“250724_002919.doc”. Files like these contain the username and MAC addresses of network adapters,\r\neffectively confirming that the script is active on the infected system.\r\nThe Trojan then attempts to download one of three files from the “rwqdmpaohxns” directory:\r\n“criclyqnduv.txt”, “jhflenoqelp.txt” or “avnwiabihik.txt”. If VBCloud successfully downloads the file, it\r\nimmediately deletes it from the cloud with an HTTP DELETE request, and then executes it in the current\r\nprocess via the Execute() function after decrypting the contents. As in the case of PowerShower, the\r\npayload can be made up of various scripts.\r\nVBCloud::Payload (1)\r\nThis script is designed to send information about disks to the C2.\r\nVBCloud::Payload (2)\r\nThis script is designed to exfiltrate files and documents. It iterates through local drives and removable media in\r\nsearch of files with the extensions DOC, DOCX, XLS, XLSX, PDF, TXT, RTF and RAR. 
The script checks the\r\nsize of any files it finds to match this condition and collects those between 1000 and 3,000,000 bytes to exfiltrate.\r\nThe files must have been modified no more than 72 hours before the current date. The script then copies matching\r\nfiles to a ZIP archive it creates, named “mapping.zip”. It also adds a file with metadata such as the created time,\r\nmodified time, last opened time, and full path to the file. Upon exceeding 4,000,000 bytes, an archive is uploaded\r\nto cloud storage and deleted from the system. It is replaced with a new one, and the file harvesting process\r\ncontinues. The archive is uploaded in RC4-encrypted form, with a name that follows the template “%d_13134”\r\nand one of the following extensions chosen at random: MP3, AAC, MP2, FLAC, WAV, ALAC, MQA, OGG,\r\nDSD, WMA, and MP4.\r\nPart of the file exfiltration script\r\nVBCloud::Payload (3)\r\nThis script gets various system information such as the OS version, RAM size, manufacturer, computer name,\r\nusername and domain name.\r\nVBCloud::Payload (4)\r\nScript to exfiltrate Telegram files:\r\nThe file D877F783D5D3EF8Cs contains the user ID and encryption key used for interaction between the\r\ndesktop client and Telegram servers.\r\nThe file key_datas contains local encryption keys.\r\nPart of the file exfiltration script\r\nGeography of attacked users\r\nSeveral dozen users were attacked in 2024, 82% of these in Russia. Isolated attacks were recorded in Belarus,\r\nCanada, Moldova, Israel, Kyrgyzstan, Vietnam and Turkey.\r\nConclusion\r\nWe continue to monitor activity linked to Cloud Atlas. 
In a new campaign that began in August 2023, the attackers\r\nmade changes to their familiar toolkit. This time, instead of an executable library to load malware modules, the\r\ngroup relied on the VBShower backdoor as the loader. Besides, they are now using a new module in their attacks:\r\nVBCloud. This collects and uploads system information and other data. These actions employ a variety of\r\nPowerShell scripts that enable the attackers to perform a range of tasks on the victim’s system. VBCloud uses\r\npublic cloud storage as a C2 server.\r\nThe infection chain consists of several stages and ultimately aims to steal data from victims’ devices. We’ve\r\nobserved that, similar to past Cloud Atlas campaigns, phishing emails continue to be the initial access point. This\r\nunderscores the still-pressing need for organizations to strengthen their infrastructure defenses and improve\r\nemployee awareness to ward off these kinds of attacks.\r\nIf you want to try analyzing the sample from earlier Cloud Atlas attacks and other infamous malware samples\r\nyourself, you can take the Advanced Malware Analysis Techniques course from Kaspersky GReAT.\r\nIndicators of compromise\r\nHTA file download domains\r\nVBShower C2\r\nPowerShower C2\r\nCloud repositories used by VBCloud\r\nHTA 
MD5\r\nPowerShower MD5\r\nVBShower::Launcher MD5\r\nVBCloud MD5\r\nSource: https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/"
	],
	"report_names": [
		"115103"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434021,
	"ts_updated_at": 1775792187,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe9f9e1a91b0cc6d57fdf9e314cd9649c3c59f2f.pdf",
		"text": "https://archive.orkl.eu/fe9f9e1a91b0cc6d57fdf9e314cd9649c3c59f2f.txt",
		"img": "https://archive.orkl.eu/fe9f9e1a91b0cc6d57fdf9e314cd9649c3c59f2f.jpg"
	}
}