{"id":211,"date":"2025-12-19T10:00:52","date_gmt":"2025-12-19T10:00:52","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/cloud-atlas-activity-in-the-first-half-of-2025-what-changed\/"},"modified":"2025-12-19T10:00:52","modified_gmt":"2025-12-19T10:00:52","slug":"cloud-atlas-activity-in-the-first-half-of-2025-what-changed","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/cloud-atlas-activity-in-the-first-half-of-2025-what-changed\/","title":{"rendered":"Cloud Atlas activity in the first half of 2025: what changed"},"content":{"rendered":"<div>\n<p><img width=\"990\" height=\"400\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/19081742\/cloud-atlas-h1-2025-featured-image-990x400.jpg\" class=\"attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image\" alt=\"\" decoding=\"async\" loading=\"lazy\"><\/p>\n<p>Known since 2014, the Cloud Atlas group targets countries in Eastern Europe and Central Asia. Infections occur via phishing emails containing a malicious document that exploits an old vulnerability in the Microsoft Office Equation Editor process (<a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2018-0802\" target=\"_blank\" rel=\"noopener\">CVE-2018-0802<\/a>) to download and execute malicious code. In this report, we describe the infection chain and tools that the group used in the first half of 2025, with particular focus on previously undescribed implants.<\/p>\n<p>Additional information about this threat, including indicators of compromise, is available to customers of <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/apt-intelligence-reporting?icid=gl_sl_post-link-apt-reports_sm-team_c6929615b5894647\" target=\"_blank\" rel=\"noopener\">the Kaspersky Intelligence Reporting Service<\/a>. 
Contact: <a href=\"mailto:intelreports@kaspersky.com\" target=\"_blank\" rel=\"noopener\">intelreports@kaspersky.com<\/a>.<\/p>\n<h2 id=\"technical-details\">Technical details<\/h2>\n<h3 id=\"initial-infection\">Initial infection<\/h3>\n<p>The starting point is typically a phishing email with a malicious DOC(X) attachment. When the document is opened, a malicious template is downloaded from a remote server. This template is an RTF file containing an exploit for the formula editor, which downloads and executes an HTML Application (HTA) file.<\/p>\n<div id=\"attachment_118518\" style=\"width: 459px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182127\/cloud-atlas1.png\" class=\"magnificImage\"><img fetchpriority=\"high\" decoding=\"async\" aria-describedby=\"caption-attachment-118518\" class=\"size-full wp-image-118518\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182127\/cloud-atlas1.png\" alt=\"Malicious template with the exploit loaded by Word when opening the document\" width=\"449\" height=\"256\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182127\/cloud-atlas1.png 449w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182127\/cloud-atlas1-300x171.png 300w\" sizes=\"(max-width: 449px) 100vw, 449px\"><\/a><\/p>\n<p id=\"caption-attachment-118518\" class=\"wp-caption-text\">Malicious template with the exploit loaded by Word when opening the document<\/p>\n<\/div>\n<p>We were unable to obtain the actual RTF template with the exploit. We assume that after a successful infection of the victim, the link to this file becomes inaccessible. 
In the given example, the malicious RTF file containing the exploit was downloaded from the URL <code>hxxps:\/\/securemodem[.]com?tzak.html_anacid<\/code>.<\/p>\n<p>Template files, like HTA files, are located on servers controlled by the group, and their downloading is limited both in time and by the IP addresses of the victims. The malicious HTA file extracts and creates several VBS files on disk that are parts of the VBShower backdoor. VBShower then downloads and installs other backdoors: PowerShower, VBCloud, and CloudAtlas.<\/p>\n<p>This infection chain largely follows the one <a href=\"https:\/\/securelist.com\/cloud-atlas-attacks-with-new-backdoor-vbcloud\/115103\/\" target=\"_blank\" rel=\"noopener\">previously seen in Cloud Atlas\u2019 2024 attacks<\/a>. The currently employed chain is presented below:<\/p>\n<div id=\"attachment_118519\" style=\"width: 1674px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182408\/cloud-atlas2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118519\" class=\"size-full wp-image-118519\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182408\/cloud-atlas2.png\" alt=\"Malware execution flow\" width=\"1664\" height=\"1473\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182408\/cloud-atlas2.png 1664w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182408\/cloud-atlas2-300x266.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182408\/cloud-atlas2-1024x906.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182408\/cloud-atlas2-768x680.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182408\/cloud-atlas2-1536x1360.png 1536w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182408\/cloud-atlas2-395x350.png 395w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182408\/cloud-atlas2-740x655.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182408\/cloud-atlas2-316x280.png 316w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182408\/cloud-atlas2-800x708.png 800w\" sizes=\"auto, (max-width: 1664px) 100vw, 1664px\"><\/a><\/p>\n<p id=\"caption-attachment-118519\" class=\"wp-caption-text\">Malware execution flow<\/p>\n<\/div>\n<p>Several implants remain the same, with insignificant changes in file names, and so on. You can find more details in our previous article on the following implants:<\/p>\n<ul>\n<li><a href=\"https:\/\/securelist.com\/cloud-atlas-attacks-with-new-backdoor-vbcloud\/115103\/#hta\" target=\"_blank\" rel=\"noopener\">HTA file<\/a><\/li>\n<li><a href=\"https:\/\/securelist.com\/cloud-atlas-attacks-with-new-backdoor-vbcloud\/115103\/#vbshowerlauncher\" target=\"_blank\" rel=\"noopener\">VBShower::Launcher<\/a><\/li>\n<li><a href=\"https:\/\/securelist.com\/cloud-atlas-attacks-with-new-backdoor-vbcloud\/115103\/#vbshowercleaner\" target=\"_blank\" rel=\"noopener\">VBShower::Cleaner<\/a><\/li>\n<\/ul>\n<p>In this research, we\u2019ll focus on new and updated components.<\/p>\n<h3 id=\"vbshower\">VBShower<\/h3>\n<h4 id=\"vbshowerbackdoor\">VBShower::Backdoor<\/h4>\n<p>Compared to <a href=\"https:\/\/securelist.com\/cloud-atlas-attacks-with-new-backdoor-vbcloud\/115103\/#vbshowerbackdoor\" target=\"_blank\" rel=\"noopener\">the previous version<\/a>, the backdoor runs additional downloaded VB scripts in the current context, regardless of the size. 
A previous modification of this script checked the size of the payload, and if it exceeded 1 MB, instead of executing it in the current context, the backdoor wrote it to disk and used the <code>wscript<\/code> utility to launch it.<\/p>\n<h4 id=\"vbshowerpayload-1\">VBShower::Payload (1)<\/h4>\n<p>The script collects information about running processes, including their creation time, caption, and command line. The collected information is encrypted and sent to the C2 server by the parent script (VBShower::Backdoor) via the <code>v_buff<\/code> variable.<\/p>\n<div id=\"attachment_118520\" style=\"width: 771px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182619\/cloud-atlas3.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118520\" class=\"size-full wp-image-118520\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182619\/cloud-atlas3.png\" alt=\"VBShower::Payload (1)\" width=\"761\" height=\"234\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182619\/cloud-atlas3.png 761w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182619\/cloud-atlas3-300x92.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18182619\/cloud-atlas3-740x228.png 740w\" sizes=\"auto, (max-width: 761px) 100vw, 761px\"><\/a><\/p>\n<p id=\"caption-attachment-118520\" class=\"wp-caption-text\">VBShower::Payload (1)<\/p>\n<\/div>\n<h4 id=\"vbshowerpayload-2\">VBShower::Payload (2)<\/h4>\n<p>The script is used to install the VBCloud implant. First, it downloads a ZIP archive from the hardcoded URL and unpacks it into the <code>%Public%<\/code> directory. 
Then, it creates a scheduler task named \u201cMicrosoftEdgeUpdateTask\u201d to run the following command line:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">wscript.exe \/B %Public%\\Libraries\\MicrosoftEdgeUpdate.vbs<\/pre>\n<p>\nIt renames the unzipped file <code>%Public%\\Libraries\\v.log<\/code> to <code>%Public%\\Libraries\\MicrosoftEdgeUpdate.vbs<\/code>, iterates through the files in the <code>%Public%\\Libraries<\/code> directory, and collects information about the filenames and sizes. The data, in the form of a buffer, is collected in the <code>v_buff<\/code> variable. The malware gets information about the task by executing the following command line:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">cmd.exe \/c schtasks \/query \/v \/fo CSV \/tn MicrosoftEdgeUpdateTask<\/pre>\n<p>\nThe specified command line is executed, with the output redirected to a TMP file. Both the TMP file and the content of the <code>v_buff<\/code> variable will be sent to the C2 server by the parent script (VBShower::Backdoor).<\/p>\n<p>Here is an example of the information present in the <code>v_buff<\/code> variable:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">Libraries:\r\ndesktop.ini-175|\r\nMicrosoftEdgeUpdate.vbs-2299|\r\nRecordedTV.library-ms-999|\r\nupgrade.mds-32840|\r\nv.log-2299|<\/pre>\n<p>\nThe file <code>MicrosoftEdgeUpdate.vbs<\/code> is a launcher for VBCloud, which reads the encrypted body of the backdoor from the file <code>upgrade.mds<\/code>, decrypts it, and executes it.<\/p>\n<div id=\"attachment_118521\" style=\"width: 1329px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183219\/cloud-atlas4.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118521\" class=\"size-full wp-image-118521\" 
src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183219\/cloud-atlas4.png\" alt=\"VBShower::Payload (2) used to install VBCloud\" width=\"1319\" height=\"1514\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183219\/cloud-atlas4.png 1319w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183219\/cloud-atlas4-261x300.png 261w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183219\/cloud-atlas4-892x1024.png 892w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183219\/cloud-atlas4-768x882.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183219\/cloud-atlas4-305x350.png 305w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183219\/cloud-atlas4-740x849.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183219\/cloud-atlas4-244x280.png 244w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183219\/cloud-atlas4-784x900.png 784w\" sizes=\"auto, (max-width: 1319px) 100vw, 1319px\"><\/a><\/p>\n<p id=\"caption-attachment-118521\" class=\"wp-caption-text\">VBShower::Payload (2) used to install VBCloud<\/p>\n<\/div>\n<p>Almost the same script is used to install the CloudAtlas backdoor on an infected system. 
The script only downloads and unpacks the ZIP archive to <code>\"%LOCALAPPDATA%\"<\/code>, and sends information about the contents of the directories <code>\"%LOCALAPPDATA%\\vlc\\plugins\\access\"<\/code> and <code>\"%LOCALAPPDATA%\\vlc\"<\/code> as output.<\/p>\n<p>In this case, the file renaming operation is not applied, and there is no code for creating a scheduler task.<\/p>\n<p>Here is an example of information to be sent to the C2 server:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">vlc:\r\na.xml-969608|\r\nb.xml-592960|\r\nd.xml-2680200|\r\ne.xml-185224||\r\naccess:\r\nc.xml-5951488|<\/pre>\n<p>\nIn fact, <code>a.xml<\/code>, <code>d.xml<\/code>, and <code>e.xml<\/code> are the executable file and libraries, respectively, of VLC Media Player. The <code>c.xml<\/code> file is a malicious library used in a DLL hijacking attack, where VLC acts as a loader, and the <code>b.xml<\/code> file is an encrypted body of the CloudAtlas backdoor, read from disk by the malicious library, decrypted, and executed.<\/p>\n<div id=\"attachment_118522\" style=\"width: 1049px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183558\/cloud-atlas5.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118522\" class=\"size-full wp-image-118522\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183558\/cloud-atlas5.png\" alt=\"VBShower::Payload (2) used to install CloudAtlas\" width=\"1039\" height=\"1041\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183558\/cloud-atlas5.png 1039w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183558\/cloud-atlas5-300x300.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183558\/cloud-atlas5-1022x1024.png 1022w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183558\/cloud-atlas5-150x150.png 150w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183558\/cloud-atlas5-768x769.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183558\/cloud-atlas5-349x350.png 349w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183558\/cloud-atlas5-740x741.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183558\/cloud-atlas5-279x280.png 279w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183558\/cloud-atlas5-800x802.png 800w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183558\/cloud-atlas5-50x50.png 50w\" sizes=\"auto, (max-width: 1039px) 100vw, 1039px\"><\/a><\/p>\n<p id=\"caption-attachment-118522\" class=\"wp-caption-text\">VBShower::Payload (2) used to install CloudAtlas<\/p>\n<\/div>\n<h4 id=\"vbshowerpayload-3\">VBShower::Payload (3)<\/h4>\n<p>This script is the next component for installing CloudAtlas. It is downloaded by VBShower from the C2 server as a separate file and executed after the VBShower::Payload (2) script. 
The script renames the XML files unpacked by VBShower::Payload (2) from the archive to the corresponding executables and libraries, and also renames the file containing the encrypted backdoor body.<\/p>\n<p>These files are copied by VBShower::Payload (3) to the following paths:<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>File<\/strong><\/td>\n<td><strong>Path<\/strong><\/td>\n<\/tr>\n<tr>\n<td>a.xml<\/td>\n<td>%LOCALAPPDATA%\\vlc\\vlc.exe<\/td>\n<\/tr>\n<tr>\n<td>b.xml<\/td>\n<td>%LOCALAPPDATA%\\vlc\\chambranle<\/td>\n<\/tr>\n<tr>\n<td>c.xml<\/td>\n<td>%LOCALAPPDATA%\\vlc\\plugins\\access\\libvlc_plugin.dll<\/td>\n<\/tr>\n<tr>\n<td>d.xml<\/td>\n<td>%LOCALAPPDATA%\\vlc\\libvlccore.dll<\/td>\n<\/tr>\n<tr>\n<td>e.xml<\/td>\n<td>%LOCALAPPDATA%\\vlc\\libvlc.dll<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Additionally, VBShower::Payload (3) creates a scheduler task to execute the command line: <code>\"%LOCALAPPDATA%\\vlc\\vlc.exe\"<\/code>. The script then iterates through the files in the <code>\"%LOCALAPPDATA%\\vlc\"<\/code> and <code>\"%LOCALAPPDATA%\\vlc\\plugins\\access\"<\/code> directories, collecting information about filenames and sizes. The data, in the form of a buffer, is collected in the <code>v_buff<\/code> variable. 
The script also retrieves information about the task by executing the following command line, with the output redirected to a TMP file:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">cmd.exe \/c schtasks \/query \/v \/fo CSV \/tn MicrosoftVLCTaskMachine<\/pre>\n<p>\nBoth the TMP file and the content of the <code>v_buff<\/code> variable will be sent to the C2 server by the parent script (VBShower::Backdoor).<\/p>\n<div id=\"attachment_118523\" style=\"width: 822px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183835\/cloud-atlas6.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118523\" class=\"size-full wp-image-118523\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183835\/cloud-atlas6.png\" alt=\"VBShower::Payload (3) used to install CloudAtlas\" width=\"812\" height=\"1389\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183835\/cloud-atlas6.png 812w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183835\/cloud-atlas6-175x300.png 175w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183835\/cloud-atlas6-599x1024.png 599w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183835\/cloud-atlas6-768x1314.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183835\/cloud-atlas6-205x350.png 205w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183835\/cloud-atlas6-585x1000.png 585w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183835\/cloud-atlas6-164x280.png 164w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18183835\/cloud-atlas6-526x900.png 526w\" sizes=\"auto, 
(max-width: 812px) 100vw, 812px\"><\/a><\/p>\n<p id=\"caption-attachment-118523\" class=\"wp-caption-text\">VBShower::Payload (3) used to install CloudAtlas<\/p>\n<\/div>\n<h4 id=\"vbshowerpayload-4\">VBShower::Payload (4)<\/h4>\n<p>This script was previously described as <a href=\"https:\/\/securelist.com\/cloud-atlas-attacks-with-new-backdoor-vbcloud\/115103\/#VBShower_Payload_1\" target=\"_blank\" rel=\"noopener\">VBShower::Payload (1)<\/a>.<\/p>\n<h4 id=\"vbshowerpayload-5\">VBShower::Payload (5)<\/h4>\n<p>This script is used to check access to various cloud services and is executed before installing VBCloud or CloudAtlas. It requests the URLs of the cloud services one after another, and the HTTP responses received are saved to the <code>v_buff<\/code> variable for subsequent sending to the C2 server. A truncated example of the information sent to the C2 server:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">GET-https:\/\/webdav.yandex.ru|\r\n200|\r\n&lt;!DOCTYPE html&gt;&lt;html lang=\"ru\" dir=\"ltr\" class=\"desktop\"&gt;&lt;head&gt;&lt;base href=\"...<\/pre>\n<div id=\"attachment_118524\" style=\"width: 1046px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184014\/cloud-atlas7.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118524\" class=\"size-full wp-image-118524\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184014\/cloud-atlas7.png\" alt=\"VBShower::Payload (5)\" width=\"1036\" height=\"987\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184014\/cloud-atlas7.png 1036w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184014\/cloud-atlas7-300x286.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184014\/cloud-atlas7-1024x976.png 
1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184014\/cloud-atlas7-768x732.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184014\/cloud-atlas7-367x350.png 367w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184014\/cloud-atlas7-740x705.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184014\/cloud-atlas7-294x280.png 294w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184014\/cloud-atlas7-800x762.png 800w\" sizes=\"auto, (max-width: 1036px) 100vw, 1036px\"><\/a><\/p>\n<p id=\"caption-attachment-118524\" class=\"wp-caption-text\">VBShower::Payload (5)<\/p>\n<\/div>\n<h4 id=\"vbshowerpayload-6\">VBShower::Payload (6)<\/h4>\n<p>This script was previously described as <a href=\"https:\/\/securelist.com\/cloud-atlas-attacks-with-new-backdoor-vbcloud\/115103\/#VBShower_Payload_2\" target=\"_blank\" rel=\"noopener\">VBShower::Payload (2)<\/a>.<\/p>\n<h4 id=\"vbshowerpayload-7\">VBShower::Payload (7)<\/h4>\n<p>This is a small script for checking the accessibility of PowerShower\u2019s C2 from an infected system.<\/p>\n<div id=\"attachment_118525\" style=\"width: 1045px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184115\/cloud-atlas8.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118525\" class=\"size-full wp-image-118525\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184115\/cloud-atlas8.png\" alt=\"VBShower::Payload (7)\" width=\"1035\" height=\"407\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184115\/cloud-atlas8.png 1035w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184115\/cloud-atlas8-300x118.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184115\/cloud-atlas8-1024x403.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184115\/cloud-atlas8-768x302.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184115\/cloud-atlas8-890x350.png 890w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184115\/cloud-atlas8-740x291.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184115\/cloud-atlas8-712x280.png 712w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184115\/cloud-atlas8-800x315.png 800w\" sizes=\"auto, (max-width: 1035px) 100vw, 1035px\"><\/a><\/p>\n<p id=\"caption-attachment-118525\" class=\"wp-caption-text\">VBShower::Payload (7)<\/p>\n<\/div>\n<h4 id=\"vbshowerpayload-8\">VBShower::Payload (8)<\/h4>\n<p>This script is used to install PowerShower, another backdoor known to be employed by Cloud Atlas. The script does so by performing the following steps in sequence:<\/p>\n<ol>\n<li>Creates registry values (the per-process console <code>WindowPosition<\/code> setting) that place the console window off-screen, effectively hiding it:\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">\"HKCU\\Console\\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe\"::\"WindowPosition\"::5122\r\n\"HKCU\\Console\\taskeng.exe\"::\"WindowPosition\"::538126692<\/pre>\n<\/li>\n<li>Creates a \u201cMicrosoftAdobeUpdateTaskMachine\u201d scheduler task to execute the command line:\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">powershell.exe -ep bypass -w 01 %APPDATA%\\Adobe\\AdobeMon.ps1<\/pre>\n<\/li>\n<li>Decrypts the contents of the embedded data block with XOR and saves the resulting script to the file <code>\"%APPDATA%\\Adobe\\p.txt\"<\/code>. 
Then it renames the file <code>\"p.txt\"<\/code> to <code>\"AdobeMon.ps1\"<\/code>.<\/li>\n<li>Collects information about file names and sizes in the path <code>\"%APPDATA%\\Adobe\"<\/code>. Gets information about the task by executing the following command line, with the output redirected to a TMP file:\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">cmd.exe \/c schtasks \/query \/v \/fo LIST \/tn MicrosoftAdobeUpdateTaskMachine<\/pre>\n<\/li>\n<\/ol>\n<div id=\"attachment_118526\" style=\"width: 988px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184552\/cloud-atlas9.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118526\" class=\"size-full wp-image-118526\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184552\/cloud-atlas9.png\" alt=\"VBShower::Payload (8) used to install PowerShower\" width=\"978\" height=\"1517\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184552\/cloud-atlas9.png 978w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184552\/cloud-atlas9-193x300.png 193w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184552\/cloud-atlas9-660x1024.png 660w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184552\/cloud-atlas9-768x1191.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184552\/cloud-atlas9-226x350.png 226w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184552\/cloud-atlas9-645x1000.png 645w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184552\/cloud-atlas9-181x280.png 181w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184552\/cloud-atlas9-580x900.png 580w\" sizes=\"auto, (max-width: 978px) 100vw, 978px\"><\/a><\/p>\n<p id=\"caption-attachment-118526\" class=\"wp-caption-text\">VBShower::Payload (8) used to install PowerShower<\/p>\n<\/div>\n<p>The decrypted PowerShell script is disguised as one of the standard modules, but at the end of the script, there is a command to launch the PowerShell interpreter with another script encoded in Base64.<\/p>\n<div id=\"attachment_118527\" style=\"width: 696px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184641\/cloud-atlas10.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118527\" class=\"size-full wp-image-118527\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184641\/cloud-atlas10.png\" alt=\"Content of AdobeMon.ps1 (PowerShower)\" width=\"686\" height=\"954\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184641\/cloud-atlas10.png 686w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184641\/cloud-atlas10-216x300.png 216w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184641\/cloud-atlas10-252x350.png 252w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184641\/cloud-atlas10-201x280.png 201w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184641\/cloud-atlas10-647x900.png 647w\" sizes=\"auto, (max-width: 686px) 100vw, 686px\"><\/a><\/p>\n<p id=\"caption-attachment-118527\" class=\"wp-caption-text\">Content of AdobeMon.ps1 (PowerShower)<\/p>\n<\/div>\n<h4 id=\"vbshowerpayload-9\">VBShower::Payload (9)<\/h4>\n<p>This is a small script for collecting information about the 
system proxy settings.<\/p>\n<div id=\"attachment_118528\" style=\"width: 730px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184723\/cloud-atlas11.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118528\" class=\"size-full wp-image-118528\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184723\/cloud-atlas11.png\" alt=\"VBShower::Payload (9)\" width=\"720\" height=\"152\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184723\/cloud-atlas11.png 720w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184723\/cloud-atlas11-300x63.png 300w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\"><\/a><\/p>\n<p id=\"caption-attachment-118528\" class=\"wp-caption-text\">VBShower::Payload (9)<\/p>\n<\/div>\n<h3 id=\"vbcloud\">VBCloud<\/h3>\n<p>On an infected system, VBCloud is represented by two files: a VB script (VBCloud::Launcher) and an encrypted main body (VBCloud::Backdoor). In the described case, the launcher is located in the file <code>MicrosoftEdgeUpdate.vbs<\/code>, and the payload \u2014 in <code>upgrade.mds<\/code>.<\/p>\n<h4 id=\"vbcloudlauncher\">VBCloud::Launcher<\/h4>\n<p>The launcher script reads the contents of the <code>upgrade.mds<\/code> file, decodes characters delimited with \u201c%H\u201d, uses the RC4 stream encryption algorithm with a key built into the script to decrypt it, and transfers control to the decrypted content. 
It is worth noting that the implementation of RC4 uses PRGA (pseudo-random generation algorithm), which is quite rare, since most malware implementations of this algorithm skip this step.<\/p>\n<div id=\"attachment_118529\" style=\"width: 1162px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184955\/cloud-atlas12.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118529\" class=\"size-full wp-image-118529\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184955\/cloud-atlas12.png\" alt=\"VBCloud::Launcher\" width=\"1152\" height=\"958\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184955\/cloud-atlas12.png 1152w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184955\/cloud-atlas12-300x249.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184955\/cloud-atlas12-1024x852.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184955\/cloud-atlas12-768x639.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184955\/cloud-atlas12-421x350.png 421w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184955\/cloud-atlas12-740x615.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184955\/cloud-atlas12-337x280.png 337w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18184955\/cloud-atlas12-800x665.png 800w\" sizes=\"auto, (max-width: 1152px) 100vw, 1152px\"><\/a><\/p>\n<p id=\"caption-attachment-118529\" class=\"wp-caption-text\">VBCloud::Launcher<\/p>\n<\/div>\n<h4 id=\"vbcloudbackdoor\">VBCloud::Backdoor<\/h4>\n<p>The backdoor performs several actions in a loop to 
eventually download and execute additional malicious scripts, as <a href=\"https:\/\/securelist.com\/cloud-atlas-attacks-with-new-backdoor-vbcloud\/115103\/#VBCloud_Backdoor\" target=\"_blank\" rel=\"noopener\">described in the previous research<\/a>.<\/p>\n<h4 id=\"vbcloudpayload-filegrabber\">VBCloud::Payload (FileGrabber)<\/h4>\n<p>Unlike VBShower, which uses a global variable to save its output or a temporary file to be sent to the C2 server, each VBCloud payload communicates with the C2 server independently. One of the most commonly used payloads for the VBCloud backdoor is FileGrabber. The script exfiltrates files and documents from the target system <a href=\"https:\/\/securelist.com\/cloud-atlas-attacks-with-new-backdoor-vbcloud\/115103\/#VBCloud_Payload_2\" target=\"_blank\" rel=\"noopener\">as described before<\/a>.<\/p>\n<p>The FileGrabber payload has the following limitations when scanning for files:<\/p>\n<ul>\n<li>It ignores the following paths:\n<ul>\n<li>Program Files<\/li>\n<li>Program Files (x86)<\/li>\n<li>%SystemRoot%<\/li>\n<\/ul>\n<\/li>\n<li>The file size for archiving must be between 1,000 and 3,000,000 bytes.<\/li>\n<li>The file\u2019s last modification date must be less than 30 days before the start of the scan.<\/li>\n<li>Files containing the following strings in their names are 
ignored:\n<ul>\n<li>\u201cintermediate.txt\u201d<\/li>\n<li>\u201cFlightingLogging.txt\u201d<\/li>\n<li>\u201clog.txt\u201d<\/li>\n<li>\u201cthirdpartynotices\u201d<\/li>\n<li>\u201cThirdPartyNotices\u201d<\/li>\n<li>\u201ceasylist.txt\u201d<\/li>\n<li>\u201cacroNGLLog.txt\u201d<\/li>\n<li>\u201cLICENSE.txt\u201d<\/li>\n<li>\u201csignature.txt\u201d<\/li>\n<li>\u201cAlternateServices.txt\u201d<\/li>\n<li>\u201cscanwia.txt\u201d<\/li>\n<li>\u201cscantwain.txt\u201d<\/li>\n<li>\u201cSiteSecurityServiceState.txt\u201d<\/li>\n<li>\u201cserviceworker.txt\u201d<\/li>\n<li>\u201cSettingsCache.txt\u201d<\/li>\n<li>\u201cNisLog.txt\u201d<\/li>\n<li>\u201cAppCache\u201d<\/li>\n<li>\u201cbackupTest\u201d<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<div id=\"attachment_118530\" style=\"width: 1433px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185456\/cloud-atlas13.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118530\" class=\"size-full wp-image-118530\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185456\/cloud-atlas13.png\" alt=\"Part of VBCloud::Payload (FileGrabber)\" width=\"1423\" height=\"1445\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185456\/cloud-atlas13.png 1423w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185456\/cloud-atlas13-295x300.png 295w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185456\/cloud-atlas13-1008x1024.png 1008w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185456\/cloud-atlas13-768x780.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185456\/cloud-atlas13-345x350.png 345w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185456\/cloud-atlas13-740x751.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185456\/cloud-atlas13-276x280.png 276w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185456\/cloud-atlas13-800x812.png 800w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185456\/cloud-atlas13-50x50.png 50w\" sizes=\"auto, (max-width: 1423px) 100vw, 1423px\"><\/a><\/p>\n<p id=\"caption-attachment-118530\" class=\"wp-caption-text\">Part of VBCloud::Payload (FileGrabber)<\/p>\n<\/div>\n<h3 id=\"powershower\">PowerShower<\/h3>\n<p>As mentioned above, PowerShower is installed via one of the VBShower payloads. This script launches the PowerShell interpreter with another script encoded in Base64. Running in an infinite loop, it attempts to access the C2 server to retrieve an additional payload, which is a PowerShell script twice encoded with Base64. 
This payload is executed in the context of the backdoor, and the execution result is sent to the C2 server via an HTTP POST request.<\/p>\n<div id=\"attachment_118531\" style=\"width: 1349px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185552\/cloud-atlas14.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118531\" class=\"size-full wp-image-118531\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185552\/cloud-atlas14.png\" alt=\"Decoded PowerShower script\" width=\"1339\" height=\"777\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185552\/cloud-atlas14.png 1339w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185552\/cloud-atlas14-300x174.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185552\/cloud-atlas14-1024x594.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185552\/cloud-atlas14-768x446.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185552\/cloud-atlas14-603x350.png 603w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185552\/cloud-atlas14-740x429.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185552\/cloud-atlas14-483x280.png 483w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185552\/cloud-atlas14-800x464.png 800w\" sizes=\"auto, (max-width: 1339px) 100vw, 1339px\"><\/a><\/p>\n<p id=\"caption-attachment-118531\" class=\"wp-caption-text\">Decoded PowerShower script<\/p>\n<\/div>\n<p><a href=\"https:\/\/securelist.com\/cloud-atlas-attacks-with-new-backdoor-vbcloud\/115103\/#powershower\" target=\"_blank\" rel=\"noopener\">In 
previous versions of PowerShower<\/a>, the payload created a <code>sapp.xtx<\/code> temporary file to save its output, which was sent to the C2 server by the main body of the backdoor. No intermediate files are created anymore, and the result of execution is returned to the backdoor by a normal call to the <code>\"return\"<\/code> operator.<\/p>\n<h4 id=\"powershowerpayload-1\">PowerShower::Payload (1)<\/h4>\n<p>This script was previously described as <a href=\"https:\/\/securelist.com\/cloud-atlas-attacks-with-new-backdoor-vbcloud\/115103\/#PowerShower_Payload_2\" target=\"_blank\" rel=\"noopener\">PowerShower::Payload (2)<\/a>. This payload is unique to each victim.<\/p>\n<h4 id=\"powershowerpayload-2\">PowerShower::Payload (2)<\/h4>\n<p>This script is used for grabbing files with metadata from a network share.<\/p>\n<div id=\"attachment_118532\" style=\"width: 1006px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185758\/cloud-atlas15.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118532\" class=\"size-full wp-image-118532\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185758\/cloud-atlas15.png\" alt=\"PowerShower::Payload (2)\" width=\"996\" height=\"164\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185758\/cloud-atlas15.png 996w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185758\/cloud-atlas15-300x49.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185758\/cloud-atlas15-768x126.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185758\/cloud-atlas15-990x164.png 990w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185758\/cloud-atlas15-740x122.png 740w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18185758\/cloud-atlas15-800x132.png 800w\" sizes=\"auto, (max-width: 996px) 100vw, 996px\"><\/a><\/p>\n<p id=\"caption-attachment-118532\" class=\"wp-caption-text\">PowerShower::Payload (2)<\/p>\n<\/div>\n<h3 id=\"cloudatlas\">CloudAtlas<\/h3>\n<p>As described above, the CloudAtlas backdoor is installed via VBShower from a downloaded archive delivered through a DLL hijacking attack. The legitimate VLC application acts as a loader, accompanied by a malicious library that reads the encrypted payload from the file and transfers control to it. The malicious DLL is located at <code>\"%LOCALAPPDATA%\\vlc\\plugins\\access\"<\/code>, while the file with the encrypted payload is located at <code>\"%LOCALAPPDATA%\\vlc\"<\/code>.<\/p>\n<p>When the malicious DLL gains control, it first extracts another DLL from itself, places it in the memory of the current process, and transfers control to it. The unpacked DLL uses a byte-by-byte XOR operation to decrypt the block with the loader configuration. The encrypted config immediately follows the key. The config specifies the name of the event that is created to prevent a duplicate payload launch. 
The config also contains the name of the file where the encrypted payload is located \u2014 <code>\"chambranle\"<\/code> in this case \u2014 and the decryption key itself.<\/p>\n<div id=\"attachment_118533\" style=\"width: 1138px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190019\/cloud-atlas16.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118533\" class=\"size-full wp-image-118533\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190019\/cloud-atlas16.png\" alt=\"Encrypted and decrypted loader configuration\" width=\"1128\" height=\"505\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190019\/cloud-atlas16.png 1128w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190019\/cloud-atlas16-300x134.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190019\/cloud-atlas16-1024x458.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190019\/cloud-atlas16-768x344.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190019\/cloud-atlas16-782x350.png 782w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190019\/cloud-atlas16-740x331.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190019\/cloud-atlas16-625x280.png 625w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190019\/cloud-atlas16-800x358.png 800w\" sizes=\"auto, (max-width: 1128px) 100vw, 1128px\"><\/a><\/p>\n<p id=\"caption-attachment-118533\" class=\"wp-caption-text\">Encrypted and decrypted loader configuration<\/p>\n<\/div>\n<p>The library reads the contents of the <code>\"chambranle\"<\/code> 
file with the payload, uses the key from the decrypted config and the IV located at the very end of the <code>\"chambranle\"<\/code> file to decrypt it with AES-256-CBC. The decrypted file is another DLL with its size and SHA-1 hash embedded at the end, added to verify that the DLL is decrypted correctly. The DLL decrypted from <code>\"chambranle\"<\/code> is the main body of the CloudAtlas backdoor, and control is transferred to it via one of the exported functions, specifically the one with ordinal 2.<\/p>\n<div id=\"attachment_118534\" style=\"width: 619px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190217\/cloud-atlas17.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118534\" class=\"size-full wp-image-118534\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190217\/cloud-atlas17.png\" alt=\"Main routine that processes the payload file\" width=\"609\" height=\"813\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190217\/cloud-atlas17.png 609w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190217\/cloud-atlas17-225x300.png 225w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190217\/cloud-atlas17-262x350.png 262w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190217\/cloud-atlas17-210x280.png 210w\" sizes=\"auto, (max-width: 609px) 100vw, 609px\"><\/a><\/p>\n<p id=\"caption-attachment-118534\" class=\"wp-caption-text\">Main routine that processes the payload file<\/p>\n<\/div>\n<p>When the main body of the backdoor gains control, the first thing it does is decrypt its own configuration. Decryption is done in a similar way, using AES-256-CBC. 
The key for AES-256 is located before the configuration, and the IV is located right after it. The most useful information in the configuration file includes the URL of the cloud service, paths to directories for receiving payloads and unloading results, and credentials for the cloud service.<\/p>\n<div id=\"attachment_118535\" style=\"width: 696px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190315\/cloud-atlas18.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118535\" class=\"size-full wp-image-118535\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190315\/cloud-atlas18.png\" alt=\"Encrypted and decrypted CloudAtlas backdoor config\" width=\"686\" height=\"648\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190315\/cloud-atlas18.png 686w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190315\/cloud-atlas18-300x283.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190315\/cloud-atlas18-371x350.png 371w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190315\/cloud-atlas18-296x280.png 296w\" sizes=\"auto, (max-width: 686px) 100vw, 686px\"><\/a><\/p>\n<p id=\"caption-attachment-118535\" class=\"wp-caption-text\">Encrypted and decrypted CloudAtlas backdoor config<\/p>\n<\/div>\n<p>Immediately after decrypting the configuration, the backdoor starts interacting with the C2 server, which is a cloud service, via WebDAV. First, the backdoor uses the MKCOL HTTP method to create two directories: one (<code>\"\/guessed\/intershop\/Euskalduns\/\"<\/code>) will regularly receive a beacon in the form of an encrypted file containing information about the system, time, user name, current command line, and volume information. 
The other directory (<code>\"\/cancrenate\/speciesists\/\"<\/code>) is used to retrieve payloads. The beacon file and payload files are AES-256-CBC encrypted with the key that was used for backdoor configuration decryption.<\/p>\n<div id=\"attachment_118536\" style=\"width: 496px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190455\/cloud-atlas19.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118536\" class=\"size-full wp-image-118536\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190455\/cloud-atlas19.png\" alt=\"HTTP requests of the CloudAtlas backdoor\" width=\"486\" height=\"560\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190455\/cloud-atlas19.png 486w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190455\/cloud-atlas19-260x300.png 260w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190455\/cloud-atlas19-304x350.png 304w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190455\/cloud-atlas19-243x280.png 243w\" sizes=\"auto, (max-width: 486px) 100vw, 486px\"><\/a><\/p>\n<p id=\"caption-attachment-118536\" class=\"wp-caption-text\">HTTP requests of the CloudAtlas backdoor<\/p>\n<\/div>\n<p>The backdoor uses the HTTP PROPFIND method to retrieve the list of files. 
Each of these files will be subsequently downloaded, deleted from the cloud service, decrypted, and executed.<\/p>\n<div id=\"attachment_118537\" style=\"width: 494px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190549\/cloud-atlas20.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118537\" class=\"size-full wp-image-118537\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190549\/cloud-atlas20.png\" alt=\"HTTP requests from the CloudAtlas backdoor\" width=\"484\" height=\"575\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190549\/cloud-atlas20.png 484w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190549\/cloud-atlas20-253x300.png 253w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190549\/cloud-atlas20-168x200.png 168w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190549\/cloud-atlas20-295x350.png 295w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190549\/cloud-atlas20-236x280.png 236w\" sizes=\"auto, (max-width: 484px) 100vw, 484px\"><\/a><\/p>\n<p id=\"caption-attachment-118537\" class=\"wp-caption-text\">HTTP requests from the CloudAtlas backdoor<\/p>\n<\/div>\n<p>The payload consists of data with a binary block containing a command number and arguments at the beginning, followed by an executable plugin in the form of a DLL. The structure of the arguments depends on the type of command. 
After the plugin is loaded into memory and configured, the backdoor calls the exported function with ordinal 1, passing several arguments: a pointer to the backdoor function that implements sending files to the cloud service, a pointer to the decrypted backdoor configuration, and a pointer to the binary block with the command and arguments from the beginning of the payload.<\/p>\n<div id=\"attachment_118538\" style=\"width: 772px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190634\/cloud-atlas21.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118538\" class=\"size-full wp-image-118538\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190634\/cloud-atlas21.png\" alt=\"Plugin setup and execution routine\" width=\"762\" height=\"659\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190634\/cloud-atlas21.png 762w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190634\/cloud-atlas21-300x259.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190634\/cloud-atlas21-405x350.png 405w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190634\/cloud-atlas21-740x640.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190634\/cloud-atlas21-324x280.png 324w\" sizes=\"auto, (max-width: 762px) 100vw, 762px\"><\/a><\/p>\n<p id=\"caption-attachment-118538\" class=\"wp-caption-text\">Plugin setup and execution routine<\/p>\n<\/div>\n<p>Before calling the plugin function, the backdoor saves the path to the current directory and restores it after the function is executed. 
Additionally, after execution, the plugin is removed from memory.<\/p>\n<h4 id=\"cloudatlasplugin-filegrabber\">CloudAtlas::Plugin (FileGrabber)<\/h4>\n<p>FileGrabber is the most commonly used plugin. As the name suggests, it is designed to steal files from an infected system. Depending on the command block transmitted, it is capable of:<\/p>\n<ul>\n<li>Stealing files from all local disks<\/li>\n<li>Stealing files from the specified removable media<\/li>\n<li>Stealing files from specified folders<\/li>\n<li>Using the selected username and password from the command block to mount network resources and then steal files from them<\/li>\n<\/ul>\n<p>For each detected file, a series of rules are generated based on the conditions passed within the command block, including:<\/p>\n<ul>\n<li>Checking for minimum and maximum file size<\/li>\n<li>Checking the file\u2019s last modification time<\/li>\n<li>Checking the file path for pattern exclusions. If a string pattern is found in the full path to a file, the file is ignored<\/li>\n<li>Checking the file name or extension against a list of patterns<\/li>\n<\/ul>\n<div id=\"attachment_118539\" style=\"width: 723px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190733\/cloud-atlas22.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118539\" class=\"size-full wp-image-118539\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190733\/cloud-atlas22.png\" alt=\"Resource scanning\" width=\"713\" height=\"1006\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190733\/cloud-atlas22.png 713w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190733\/cloud-atlas22-213x300.png 213w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190733\/cloud-atlas22-248x350.png 248w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190733\/cloud-atlas22-709x1000.png 709w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190733\/cloud-atlas22-198x280.png 198w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190733\/cloud-atlas22-638x900.png 638w\" sizes=\"auto, (max-width: 713px) 100vw, 713px\"><\/a><\/p>\n<p id=\"caption-attachment-118539\" class=\"wp-caption-text\">Resource scanning<\/p>\n<\/div>\n<p>If all conditions match, the file is sent to the C2 server, along with its metadata, including attributes, creation time, last access time, last modification time, size, full path to the file, and SHA-1 of the file contents. Additionally, if a special flag is set in one of the rule fields, the file will be deleted after a copy is sent to the C2 server. 
There is also a limit on the total amount of data sent, and if this limit is exceeded, scanning of the resource stops.<\/p>\n<div id=\"attachment_118540\" style=\"width: 544px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190907\/cloud-atlas23.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118540\" class=\"size-full wp-image-118540\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190907\/cloud-atlas23.png\" alt=\"Generating data for sending to C2\" width=\"534\" height=\"680\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190907\/cloud-atlas23.png 534w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190907\/cloud-atlas23-236x300.png 236w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190907\/cloud-atlas23-275x350.png 275w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18190907\/cloud-atlas23-220x280.png 220w\" sizes=\"auto, (max-width: 534px) 100vw, 534px\"><\/a><\/p>\n<p id=\"caption-attachment-118540\" class=\"wp-caption-text\">Generating data for sending to C2<\/p>\n<\/div>\n<h4 id=\"cloudatlasplugin-common\">CloudAtlas::Plugin (Common)<\/h4>\n<p>This is a general-purpose plugin, which parses the transferred block, splits it into commands, and executes them. Each command has its own ID, ranging from 0 to 6. 
The list of commands is presented below.<\/p>\n<ol>\n<li><strong>Command ID 0: <\/strong>Creates, sets and closes named events.<\/li>\n<li><strong>Command ID 1: <\/strong>Deletes the selected list of files.<\/li>\n<li><strong>Command ID 2: <\/strong>Drops a file on disk with content and a path selected in the command block arguments.<\/li>\n<li><strong>Command ID 3: <\/strong>Capable of performing several operations together or independently, including:\n<ol type=\"a\">\n<li>Dropping several files on disk with content and paths selected in the command block arguments<\/li>\n<li>Dropping and executing a file at a specified path with selected parameters. This operation supports three types of launch:<\/li>\n<\/ol>\n<ul>\n<li>Using the WinExec function<\/li>\n<li>Using the ShellExecuteW function<\/li>\n<li>Using the CreateProcessWithLogonW function, which requires that the user\u2019s credentials be passed within the command block to launch the process on their behalf<\/li>\n<\/ul>\n<\/li>\n<li><strong>Command ID 4:<\/strong> Uses the StdRegProv COM interface to perform registry manipulations, supporting key creation, value deletion, and value setting (both DWORD and string values).<\/li>\n<li><strong>Command ID 5:<\/strong> Calls the ExitProcess function.<\/li>\n<li><strong>Command ID 6:<\/strong> Uses the credentials passed within the command block to connect a network resource, drops a file to the remote resource under the name specified within the command block, creates and runs a VB script on the local system to execute the dropped file on the remote system. The VB script is created at <code>\"%APPDATA%ntsystmp.vbs\"<\/code>. 
The path to launch the file dropped on the remote system is passed to the launched VB script as an argument.<\/li>\n<\/ol>\n<div id=\"attachment_118541\" style=\"width: 680px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18191007\/cloud-atlas24.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118541\" class=\"size-full wp-image-118541\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18191007\/cloud-atlas24.png\" alt=\"Content of the dropped VBS\" width=\"670\" height=\"255\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18191007\/cloud-atlas24.png 670w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18191007\/cloud-atlas24-300x114.png 300w\" sizes=\"auto, (max-width: 670px) 100vw, 670px\"><\/a><\/p>\n<p id=\"caption-attachment-118541\" class=\"wp-caption-text\">Content of the dropped VBS<\/p>\n<\/div>\n<h4 id=\"cloudatlasplugin-passwordstealer\">CloudAtlas::Plugin (PasswordStealer)<\/h4>\n<p>This plugin is used to steal cookies and credentials from browsers. This is an extended version of the Common Plugin, which is used for more specific purposes. It can also drop, launch, and delete files, but its primary function is to drop files belonging to the \u201cChrome App-Bound Encryption Decryption\u201d open-source project onto the disk, and run the utility to steal cookies and passwords from Chromium-based browsers. After launching the utility, several files (<code>\"cookies.txt\"<\/code> and <code>\"passwords.txt\"<\/code>) containing the extracted browser data are created on disk. 
The plugin then reads JSON data from the selected files, parses the data, and sends the extracted information to the C2 server.<\/p>\n<div id=\"attachment_118542\" style=\"width: 484px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18191504\/cloud-atlas25.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118542\" class=\"size-full wp-image-118542\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18191504\/cloud-atlas25.png\" alt=\"Part of the function for parsing JSON and sending the extracted data to C2\" width=\"474\" height=\"486\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18191504\/cloud-atlas25.png 474w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18191504\/cloud-atlas25-293x300.png 293w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18191504\/cloud-atlas25-341x350.png 341w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18191504\/cloud-atlas25-273x280.png 273w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/18191504\/cloud-atlas25-50x50.png 50w\" sizes=\"auto, (max-width: 474px) 100vw, 474px\"><\/a><\/p>\n<p id=\"caption-attachment-118542\" class=\"wp-caption-text\">Part of the function for parsing JSON and sending the extracted data to C2<\/p>\n<\/div>\n<h4 id=\"cloudatlasplugin-infocollector\">CloudAtlas::Plugin (InfoCollector)<\/h4>\n<p>This plugin is used to collect information about the infected system. 
The list of commands is presented below.<\/p>\n<ol>\n<li><strong>Command ID 0xFFFFFFF0:<\/strong> Collects the computer\u2019s NetBIOS name and domain information.<\/li>\n<li><strong>Command ID 0xFFFFFFF1:<\/strong> Gets a list of processes, including full paths to executable files of processes, and a list of modules (DLLs) loaded into each process.<\/li>\n<li><strong>Command ID 0xFFFFFFF2:<\/strong> Collects information about installed products.<\/li>\n<li><strong>Command ID 0xFFFFFFF3:<\/strong> Collects device information.<\/li>\n<li><strong>Command ID 0xFFFFFFF4:<\/strong> Collects information about logical drives.<\/li>\n<li><strong>Command ID 0xFFFFFFF5:<\/strong> Executes the command with input\/output redirection, and sends the output to the C2 server. If the command line for execution is not specified, it sequentially launches the following utilities and sends their output to the C2 server:<\/li>\n<\/ol>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">net group \"Exchange servers\" \/domain\r\nIpconfig\r\narp -a<\/pre>\n<h4 id=\"python-script\">Python script<\/h4>\n<p>As mentioned in one of our previous reports, Cloud Atlas uses a custom Python script named <code>get_browser_pass.py<\/code> to extract saved credentials from browsers on infected systems. If the Python interpreter is not present on the victim\u2019s machine, the group delivers an archive that includes both the script and a bundled Python interpreter to ensure execution.<\/p>\n<p>During one of the latest incidents we investigated, we once again observed traces of this tool in action, specifically the presence of the file <code>\"C:\\ProgramData\\py\\pytest.dll\"<\/code>.<\/p>\n<p>The <code>pytest.dll<\/code> library is called from within <code>get_browser_pass.py<\/code> and used to extract credentials from Yandex Browser. 
The data is then saved locally to a file named <code>y3.txt<\/code>.<\/p>\n<h2 id=\"victims\">Victims<\/h2>\n<p>According to our telemetry, the identified targets of the malicious activities described here are located in Russia and Belarus, with observed activity dating back to the beginning of 2025. The industries being targeted are diverse, encompassing organizations in the telecommunications sector, construction, government entities, and plants.<\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>For more than ten years, the group has carried on its activities and expanded its arsenal. Now the attackers have four implants at their disposal (PowerShower, VBShower, VBCloud, CloudAtlas), each of them a full-fledged backdoor. Most of the functionality in the backdoors is duplicated, but some payloads provide various exclusive capabilities. The use of cloud services to manage backdoors is a distinctive feature of the group, and it has proven itself in various attacks.<\/p>\n<h2 id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<p><strong><em>Note:<\/em><\/strong><em> The indicators in this section are valid at the time of publication.<\/em><\/p>\n<h3 id=\"file-hashes\">File hashes<\/h3>\n<p><a href=\"https:\/\/opentip.kaspersky.com\/0d309c25a835baf3b0c392ac87504d9e\/results?icid=gl_sl_post-opentip_sm-team_84732fb4913d272a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">0D309C25A835BAF3B0C392AC87504D9E<\/a>\u00a0\u00a0\u00a0 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b (08.05.2025).doc<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/d34aaeb811787b52ec45122ec10aeb08\/results?icid=gl_sl_post-opentip_sm-team_3011a5de627bc4e7&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">D34AAEB811787B52EC45122EC10AEB08<\/a>\u00a0\u00a0\u00a0 HTA<br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/4f7c5088bcdf388c49f9caad2cccdcc5\/results?icid=gl_sl_post-opentip_sm-team_6f7aed10c5814bb2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">4F7C5088BCDF388C49F9CAAD2CCCDCC5<\/a>\u00a0\u00a0\u00a0 StandaloneUpdate_2020-04-13_090638_8815-145.log:StandaloneUpdate_2020-04-13_090638_8815-145cfcf.vbs<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/24bfdffa096d3938ab6e626e418572b1\/results?icid=gl_sl_post-opentip_sm-team_2c09e3bdcceaaf3e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">24BFDFFA096D3938AB6E626E418572B1<\/a>\u00a0\u00a0\u00a0 StandaloneUpdate_2020-04-13_090638_8815-145.log:StandaloneUpdate_2020-04-13_090638_8815-145.vbs<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/5c93af19ef930352a251b5e1b2ac2519\/results?icid=gl_sl_post-opentip_sm-team_a30b3f08c0aa33e7&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">5C93AF19EF930352A251B5E1B2AC2519<\/a>\u00a0\u00a0\u00a0 StandaloneUpdate_2020-04-13_090638_8815-145.log:StandaloneUpdate_2020-04-13_090638_8815-145.dat (encrypted)<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/0e13fa3f06607b1392a3c3caa8092c98\/results?icid=gl_sl_post-opentip_sm-team_39e2cfac4431a52f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">0E13FA3F06607B1392A3C3CAA8092C98<\/a>\u00a0\u00a0\u00a0 VBShower::Payload(1)<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/bc80c582d21ac9e98cbca2f0637d8993\/results?icid=gl_sl_post-opentip_sm-team_d83988059a5e9576&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">BC80C582D21AC9E98CBCA2F0637D8993<\/a>\u00a0\u00a0\u00a0 VBShower::Payload(2)<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ebd6da3b4d452bd146500ebc6fc49aae\/results?icid=gl_sl_post-opentip_sm-team_a712389eb06fdbac&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" 
target=\"_blank\" rel=\"noopener\">EBD6DA3B4D452BD146500EBC6FC49AAE<\/a>\u00a0\u00a0\u00a0 VBShower::Payload(2)<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/12f1f060df0c1916e6d5d154af925426\/results?icid=gl_sl_post-opentip_sm-team_5e4db7bc81104831&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">12F1F060DF0C1916E6D5D154AF925426<\/a>\u00a0\u00a0\u00a0 VBShower::Payload(3)<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/e8c21ca9a5b721f5b0ab7c87294a2d72\/results?icid=gl_sl_post-opentip_sm-team_ab743a5a70673904&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">E8C21CA9A5B721F5B0AB7C87294A2D72<\/a>\u00a0\u00a0\u00a0 VBShower::Payload(4)<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/2d03f1646971fb7921e31b647586d3fb\/results?icid=gl_sl_post-opentip_sm-team_4c8ca300ee57362f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">2D03F1646971FB7921E31B647586D3FB<\/a>\u00a0\u00a0\u00a0 VBShower::Payload(5)<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/7a85873661b50ea914e12f0523527cfa\/results?icid=gl_sl_post-opentip_sm-team_b1a03bc5f0d94c13&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">7A85873661B50EA914E12F0523527CFA<\/a>\u00a0\u00a0\u00a0 VBShower::Payload(6)<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/f31ce101cbe25acde328a8c326b9444a\/results?icid=gl_sl_post-opentip_sm-team_08dd6b0618242fc1&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">F31CE101CBE25ACDE328A8C326B9444A<\/a>\u00a0\u00a0\u00a0 VBShower::Payload(7)<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/e2f3e5bf7efba58a9c371e2064dfd0bb\/results?icid=gl_sl_post-opentip_sm-team_8e5fc96404534f2b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">E2F3E5BF7EFBA58A9C371E2064DFD0BB<\/a>\u00a0\u00a0\u00a0 VBShower::Payload(8)<br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/67156d9d0784245af0cae297fc458aac\/results?icid=gl_sl_post-opentip_sm-team_a2c5f41343b816e4&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">67156D9D0784245AF0CAE297FC458AAC<\/a>\u00a0\u00a0\u00a0 VBShower::Payload(9)<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/116e5132e30273da7108f23a622646fe\/results?icid=gl_sl_post-opentip_sm-team_c81b478b4a30495d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">116E5132E30273DA7108F23A622646FE<\/a>\u00a0\u00a0\u00a0 VBCloud::Launcher<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/1c7387d957c5381e11d1e6edc0f3f353\/results?icid=gl_sl_post-opentip_sm-team_d006f840d2cc7625&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">1C7387D957C5381E11D1E6EDC0F3F353<\/a>\u00a0\u00a0\u00a0 upgrade.mds<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/e9f60941a7ced1a91643af9d8b92a36d\/results?icid=gl_sl_post-opentip_sm-team_4e89a774085135d4&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">E9F60941A7CED1A91643AF9D8B92A36D<\/a>\u00a0\u00a0\u00a0 VBCloud::Payload(FileGrabber)<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/718b9e688af49c2e1984cf6472b23805\/results?icid=gl_sl_post-opentip_sm-team_dd655526d8984bf7&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">718B9E688AF49C2E1984CF6472B23805<\/a>\u00a0\u00a0\u00a0 PowerShower<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/a913ef515f5dc8224fcffa33027eb0dd\/results?icid=gl_sl_post-opentip_sm-team_6b3aa2122bd20511&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">A913EF515F5DC8224FCFFA33027EB0DD<\/a>\u00a0\u00a0\u00a0 PowerShower::Payload(2)<br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/f56dad18a308b64247d0c3360ddb1727\/results?icid=gl_sl_post-opentip_sm-team_32f63b79d94d6534&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">F56DAD18A308B64247D0C3360DDB1727<\/a>\u00a0\u00a0\u00a0 PowerShower::Payload(2)<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/62170c67523c8f5009e3658f5858e8bf\/results?icid=gl_sl_post-opentip_sm-team_422bb18f903a22dd&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">62170C67523C8F5009E3658F5858E8BF<\/a>\u00a0\u00a0\u00a0 libvnc_plugin.dll<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/baa59bb050a12dbdf981193d88079232\/results?icid=gl_sl_post-opentip_sm-team_eea2b60078991c31&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">BAA59BB050A12DBDF981193D88079232<\/a>\u00a0\u00a0\u00a0 chambranle (encrypted)<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/097d18d92c2167d2f4e94f04c5a12d33\/results?icid=gl_sl_post-opentip_sm-team_1217c018eb6afedf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">097D18D92C2167D2F4E94F04C5A12D33<\/a>\u00a0\u00a0\u00a0 system.dll<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/b0100c43bd9b024c6367b38abdf5c0d2\/results?icid=gl_sl_post-opentip_sm-team_9b267682a107d80a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">B0100C43BD9B024C6367B38ABDF5C0D2<\/a>\u00a0\u00a0\u00a0 system_check.exe<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/7727aae4a0840c7dc037634bed6a6d74\/results?icid=gl_sl_post-opentip_sm-team_e805b51a0cf8f31c&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">7727AAE4A0840C7DC037634BED6A6D74<\/a>\u00a0\u00a0\u00a0 pytest.dll<\/p>\n<h3 id=\"domains-and-ips\">Domains and IPs<\/h3>\n<p><a 
href=\"https:\/\/opentip.kaspersky.com\/billet-ru.net\/?icid=gl_sl_post-opentip_sm-team_69768f2177c3b933&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">billet-ru[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/mskreg.net\/?icid=gl_sl_post-opentip_sm-team_b33b53549e9254e6&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">mskreg[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/flashsupport.org\/?icid=gl_sl_post-opentip_sm-team_0e58cac41fa168b1&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">flashsupport[.]org<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/solid-logit.com\/?icid=gl_sl_post-opentip_sm-team_216126a11f6949b2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">solid-logit[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/cityru-travel.org\/?icid=gl_sl_post-opentip_sm-team_cd9b845f9024e89d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">cityru-travel[.]org<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/transferpolicy.org\/?icid=gl_sl_post-opentip_sm-team_fd699bf6137045c2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">transferpolicy[.]org<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/information-model.net\/?icid=gl_sl_post-opentip_sm-team_2539cface7d5ada6&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">information-model[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/securemodem.com\/?icid=gl_sl_post-opentip_sm-team_2536c87c7803ae44&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">securemodem[.]com<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/roskomnadz.com\/?icid=gl_sl_post-opentip_sm-team_59bcc45f27f69e12&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">roskomnadz[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/processmanagerpro.net\/?icid=gl_sl_post-opentip_sm-team_b7d641d48af8906f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">processmanagerpro[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/luxoftinfo.com\/?icid=gl_sl_post-opentip_sm-team_8e1a50201d552abf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">luxoftinfo[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/marketru.net\/?icid=gl_sl_post-opentip_sm-team_cf50178639f1f9dc&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">marketru[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/rzhd.org\/?icid=gl_sl_post-opentip_sm-team_01daa5aef07a19fb&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">rzhd[.]org<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/gimnazija.org\/?icid=gl_sl_post-opentip_sm-team_c5787263ed3cad7a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">gimnazija[.]org<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/technoguides.org\/?icid=gl_sl_post-opentip_sm-team_fdcfff411c575a56&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">technoguides[.]org<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/multipackage.net\/?icid=gl_sl_post-opentip_sm-team_0f8319a87836b54a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">multipackage[.]net<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/rostvgroup.com\/?icid=gl_sl_post-opentip_sm-team_9591f0e7ff1c83f2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">rostvgroup[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/russiatimes.info\/?icid=gl_sl_post-opentip_sm-team_cdf4f005eef77c3b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">russiatimes[.]info<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/updatechecker.org\/?icid=gl_sl_post-opentip_sm-team_c4216868abe37c57&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">updatechecker[.]org<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/rosatomgroup.com\/?icid=gl_sl_post-opentip_sm-team_e2099671dc260e1f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">rosatomgroup[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/telehraf.com\/?icid=gl_sl_post-opentip_sm-team_4f5908f9b1a7e2d7&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">telehraf[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/statusupport.org\/?icid=gl_sl_post-opentip_sm-team_3d1b03682be5aa40&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">statusupport[.]org<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/perfectfinder.net\/?icid=gl_sl_post-opentip_sm-team_7776145fd4a83a32&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">perfectfinder[.]net<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Known since 2014, the Cloud Atlas group targets countries in Eastern Europe and Central Asia. Infections occur via phishing emails containing a malicious document that exploits an old vulnerability in the Microsoft Office Equation Editor process (CVE-2018-0802) to download and execute malicious code. 
In this report, we describe the infection chain and tools that the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[251,256,247,270,271,90,272,99,232,233,259,94,252,249,273,257],"tags":[91],"class_list":["post-211","post","type-post","status-publish","format-standard","hentry","category-apt","category-apt-targeted-attacks","category-apt-reports","category-backdoor","category-cloud-atlas","category-cybersecurity","category-hta","category-malware","category-malware-descriptions","category-malware-technologies","category-microsoft-windows","category-phishing","category-powershell","category-targeted-attacks","category-vbs","category-windows-malware","tag-cybersecurity"]}