{"id":3297,"date":"2026-05-22T10:01:17","date_gmt":"2026-05-22T10:01:17","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/22\/cloud-atlas-activity-in-the-second-half-of-2025-and-early-2026-new-tools-and-a-new-payload\/"},"modified":"2026-05-22T10:01:17","modified_gmt":"2026-05-22T10:01:17","slug":"cloud-atlas-activity-in-the-second-half-of-2025-and-early-2026-new-tools-and-a-new-payload","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/22\/cloud-atlas-activity-in-the-second-half-of-2025-and-early-2026-new-tools-and-a-new-payload\/","title":{"rendered":"Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload"},"content":{"rendered":"
\n

\"\"<\/p>\n

In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014<\/a>. During our investigation, we identified new tools used by this group, as well as indicators of compromise.<\/p>\n

The group is back to sending out archives containing malicious shortcuts that launch PowerShell scripts. This technique is employed in addition to the previously described use of malicious documents, which exploit an old vulnerability in the Microsoft Office Equation Editor process (CVE-2018-0802<\/a>) to download and execute malicious code. We have observed the use of third-party public utilities (Tor\/SSH\/RevSocks) to gain a foothold in infected systems and create additional backup control channels.<\/p>\n

Technical details<\/h2>\n

Initial infection<\/h3>\n

As for the primary compromise, Cloud Atlas remains consistent in using phishing. In the observed campaigns, the attackers emailed a ZIP archive containing an LNK file as an attachment.<\/p>\n

\"Malware<\/a><\/p>\n

Malware execution flow<\/p>\n<\/div>\n

Attackers use LNK shortcuts to covertly execute PowerShell scripts hosted on external resources. The command line of the shortcut:<\/p>\n

\"\"<\/a><\/p>\n

Example of the PowerShell script downloaded and executed by the shortcut:<\/p>\n

\"Example<\/a><\/p>\n

Example of the PowerShell script downloaded by the shortcut<\/p>\n<\/div>\n

Actions performed by the downloaded PowerShell:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n
Step<\/td>\nAction<\/td>\nDescription<\/td>\n<\/tr>\n
1<\/td>\n\u00a0Drops \u201c$tempfixed.ps1\u201d<\/td>\nPre-staging: places the main payload locally in advance to ensure an execution capability independent of subsequent network connectivity or C2 availability.<\/td>\n<\/tr>\n
2<\/td>\nCreates \u201cRun\u201d registry key \u201cYandexBrowser_setup\u201d for \u201c$tempfixed.ps1\u201d startup<\/p>\n

\"\"<\/a><\/p>\n<\/td>\n

Early persistence: guarantees execution upon the next logon or reboot. If the script is interrupted during later stages, the payload will still activate automatically.<\/td>\n<\/tr>\n
3<\/td>\nDownloads and drops \u201c$temprar.zip\u201d
\nExtracts \u201c*.pdf\u201d from the downloaded\u00a0 \u201c$temprar.zip\u201d<\/td>\n		Payload delivery: retrieves the decoy archive from the remote server to prepare user-facing content for the distraction phase.<\/td>\n<\/tr>\n
4<\/td>\nExtracts \u201c*.pdf\u201d from the downloaded\u00a0 \u201c$temprar.zip\u201d<\/td>\nDecoy preparation: unpacks the legitimate-looking document so it can be executed silently without requiring user interaction.<\/td>\n<\/tr>\n
6<\/td>\nOpens extracted decoy document \u201c*.pdf\u201d with user\u2019s default software<\/td>\nUser distraction: opens a convincing document to maintain user engagement and creates a legitimate workflow appearance to buy additional 30\u2013120 seconds for background operations.<\/td>\n<\/tr>\n
6<\/td>\nExecutes\u00a0 \u201ctaskkill.exe \/F \/Im winrar.exe\u201d<\/td>\nProcess concealment: terminates the archive extractor to prevent the user from seeing the archive contents or noticing unexpected file extraction activity.<\/td>\n<\/tr>\n
7<\/td>\nSearches and deletes \u201crar.zip\u201d, \u201c*.pdf.zip\u201d and \u201c*.pdf.lnk\u201d<\/td>\nAnti-forensic cleanup: removes the initial infection artifacts before activating the main payload, reducing the number of disk traces available for incident response or EDR correlation.<\/td>\n<\/tr>\n
8<\/td>\nExecutes\u00a0 \u201c$tempfixed.ps1\u201d<\/td>\nControlled execution: launches the main payload only after persistence is secured, the user is distracted, and access traces are cleaned up.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Fixed.ps1 (loader)<\/h4>\n

The primary purpose of the Fixed.ps1 script is to deliver and install subsequent malware onto the compromised system, specifically VBCloud and PowerShower. Fixed.ps1 establishes persistence (by adding itself to registry Run keys), creates a decoy for the user (by opening a PDF document), and executes the next stages of the attack.<\/p>\n

Fixed.ps1::Payload (VBCloud dropper)<\/h4>\n
\"Example<\/a><\/p>\n

Example of the fixed.ps1::Payload (VBCloud dropper)<\/p>\n<\/div>\n

This module functions as a dropper for the VBCloud backdoor. It drops two files onto the infected machine:<\/p>\n