
Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

The Cloud Atlas APT group has updated its toolset in 2025-2026 campaigns targeting Russia and Belarus, utilizing LNK-based phishing to deploy VBCloud and PowerShower backdoors. The group establishes persistent access by patching termsrv.dll for concurrent RDP sessions and heavily relies on reverse SSH, RevSocks, and Tor for redundant C2 channels. Additionally, a new PowerShell tool named PowerCloud is used to exfiltrate administrator data to Google Sheets.

Sens: Immediate | Conf: high | Analyzed: 2026-05-22

Authors: Kaspersky

Actors: Cloud Atlas, Head Mare

Source:Kaspersky

IOCs · 78


What Happened

A cyber espionage group known as Cloud Atlas has been attacking government and commercial organizations in Russia and Belarus. They trick victims into opening malicious email attachments, which silently install software that steals files and passwords. The attackers hide their presence with techniques such as hidden remote access tunnels and patching a Windows system file (termsrv.dll) so that they can stay logged in over RDP at the same time as the victim. This lets them keep long-term access to infected networks. Organizations should keep systems updated, monitor for unusual remote access tools, and train employees to recognize phishing emails.

Key Takeaways

  • Cloud Atlas continues to target organizations in Russia and Belarus using phishing emails with LNK files inside ZIP archives.
  • The group deploys the VBCloud backdoor for file exfiltration and the PowerShower backdoor for lateral movement and credential theft.
  • Attackers heavily utilize reverse SSH, RevSocks, and Tor to establish redundant, encrypted command and control channels.
  • A new tool named 'PowerCloud' is used to collect administrator data and exfiltrate it to Google Sheets.
  • Adversaries patch the Windows termsrv.dll file to allow multiple concurrent RDP sessions, enabling stealthy background access.

Affected Systems

  • Windows OS
  • Active Directory
  • Microsoft Office

Vulnerabilities (CVEs)

  • CVE-2018-0802

Attack Chain

The attack begins with a phishing email containing a ZIP archive with a malicious LNK file. When executed, the LNK downloads and runs a PowerShell script (fixed.ps1) that establishes registry persistence and drops a decoy PDF. The loader then deploys the VBCloud backdoor for file exfiltration and the PowerShower backdoor for lateral movement and credential theft via Volume Shadow Copies. Attackers maintain redundant access by patching termsrv.dll for concurrent RDP sessions and deploying reverse SSH, RevSocks, and Tor tunnels.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article provides extensive indicators of compromise (hashes, domains, IPs, file paths) and behavioral descriptions, but does not include ready-to-use detection rules like YARA or Sigma.

Detection Engineering Assessment

EDR Visibility: High. The attack relies heavily on PowerShell execution, process spawning through the fodhelper.exe UAC bypass and PAExec remote execution, registry modifications, and file drops into specific directories, all of which are highly visible to modern EDRs.
Network Visibility: Medium. Initial staging URLs and some C2 domains are visible, but the extensive use of encrypted tunnels (SSH, Tor, RevSocks) and of a legitimate service (Google Sheets) obscures the payloads and the exfiltrated data.
Detection Difficulty: Moderate. The use of legitimate tools (SSH, Tor) and living-off-the-land binaries (fodhelper, wmic) requires behavioral correlation to distinguish the activity from legitimate administration.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • PowerShell Operational, script block logging (Event ID 4104)
  • Registry Events (Sysmon 12/13/14)
  • File Creation (Sysmon 11)
  • Network Connections (Sysmon 3)

Hunting Hypotheses

  • Hypothesis: Look for PowerShell processes launched with hidden or minimized windows and an execution-policy bypass, especially when spawned from Explorer or another unusual parent. | Telemetry: Process Creation, PowerShell Logs | ATT&CK Stage: Execution | FP Risk: Medium
  • Hypothesis: Hunt for Volume Shadow Copy creation via WMI followed by file copy operations that read the SAM and SECURITY hives from the shadow copy path. | Telemetry: Process Creation, File Creation | ATT&CK Stage: Credential Access | FP Risk: Low
  • Hypothesis: Investigate modifications to termsrv.dll, or changes to RDP-related registry values (e.g., fDenyTSConnections), made by non-standard processes. Windows servicing (TrustedInstaller/TiWorker) legitimately replaces termsrv.dll during updates, so exclude it and confirm the file's Authenticode signature before escalating. | Telemetry: File Integrity Monitoring, Registry Events | ATT&CK Stage: Defense Evasion | FP Risk: Low
  • Hypothesis: Search for fodhelper.exe spawning PowerShell or cmd.exe, indicating a UAC bypass attempt. | Telemetry: Process Creation | ATT&CK Stage: Privilege Escalation | FP Risk: Low
  • Hypothesis: Monitor for unexpected outbound SSH (port 22) or non-standard-port connections originating from workstations or servers that are not designated jump hosts. | Telemetry: Network Connections | ATT&CK Stage: Command and Control | FP Risk: Medium
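The hypotheses above, plus the Key Behavioral Indicators and Command Lines listed further down, as executable hunt logic. This is an added example and not code from the Kaspersky report: it runs over a constructed list of Sysmon-style events, and the Event field names, the allowlists of servicing binaries, Group Policy writers and jump hosts, the sample host name and the sample command lines (including the scheduled-task action, which the page truncates) are assumptions for the example. The shadow-copy rule is stateful: it only fires on a hive read after a shadow copy has been created on the same host timeline, which is what separates this chain from a routine backup.

```python
"""Hunt rules for the behaviours described on this page, run over constructed
Sysmon-style events. Added example, not code from the original report."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal Sysmon-like record; field names are assumed for this example."""
    event_id: int          # 1 process create, 3 network connect, 11 file create, 13 registry set
    host: str = ""
    image: str = ""
    parent_image: str = ""
    command_line: str = ""
    target: str = ""       # TargetFilename (EID 11) or TargetObject (EID 13)
    dest_port: int = 0


def _base(path: str) -> str:
    """Lower-cased last component of a Windows file or registry path."""
    return path.rsplit("\\", 1)[-1].lower()


# Assumed allowlists (tune per environment): Windows servicing legitimately
# replaces termsrv.dll, Group Policy (svchost) and Settings legitimately write
# RDP values, and only designated jump hosts may open outbound SSH.
SERVICING = {"tiworker.exe", "trustedinstaller.exe", "poqexec.exe"}
RDP_KEY_WRITERS = SERVICING | {"svchost.exe", "systemsettings.exe"}
SSH_JUMP_HOSTS = {"jump01"}
OPENSSH_PATHS = ("c:\\windows\\system32\\openssh\\", "c:\\program files\\openssh\\")
EVASION_FLAGS = ("-ep bypass", "-nop", "-w minimized", "-w hidden")
LNK_PARENTS = {"explorer.exe", "wscript.exe", "cscript.exe"}


def hunt(events):
    """Return (rule, event_index) pairs; each rule mirrors one hypothesis or indicator."""
    hits, shadow_copy_seen = [], False
    for i, e in enumerate(events):
        img, parent = _base(e.image), _base(e.parent_image)
        cl, tgt = e.command_line.lower(), e.target.lower()
        if e.event_id == 1:
            if img == "powershell.exe" and parent in LNK_PARENTS \
                    and any(f in cl for f in EVASION_FLAGS):
                hits.append(("powershell_evasive_launch", i))
            if parent == "fodhelper.exe" and img in {"powershell.exe", "cmd.exe"}:
                hits.append(("fodhelper_uac_bypass", i))
            if "win32_shadowcopy" in cl or "shadowcopy call create" in cl:
                shadow_copy_seen = True      # stage 1: a shadow copy is created
            if shadow_copy_seen and "harddiskvolumeshadowcopy" in cl \
                    and re.search(r"\\config\\(sam|security)\b", cl):
                hits.append(("shadowcopy_hive_copy", i))   # stage 2: hives read from it
            if img == "schtasks.exe" and "/create" in cl and "edpcontrolstart" in cl:
                hits.append(("schtasks_edp_persistence", i))
        elif e.event_id == 11:
            if _base(tgt) == "termsrv.dll" and img not in SERVICING:
                hits.append(("termsrv_dll_tamper", i))
            if img == "paexec.exe" and tgt.startswith("c:\\windows\\pla\\system\\") \
                    and tgt.endswith(".vbs"):
                hits.append(("paexec_vbs_drop", i))
            if _base(tgt) in {"ssh.exe", "sshd.exe"} and not tgt.startswith(OPENSSH_PATHS):
                hits.append(("portable_openssh_drop", i))
        elif e.event_id == 13:
            if _base(tgt) in {"fdenytsconnections", "fsinglesessionperuser"} \
                    and img not in RDP_KEY_WRITERS:
                hits.append(("rdp_registry_change", i))
            if "\\currentversion\\run\\yandexbrowser_setup" in tgt:
                hits.append(("run_key_yandexbrowser_setup", i))
        elif e.event_id == 3:
            if e.dest_port == 22 and e.host.lower() not in SSH_JUMP_HOSTS:
                hits.append(("outbound_ssh_from_workstation", i))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = "ws-fin-07"   # constructed workstation name
SAMPLE_EVENTS = [  # constructed; follows the order of the attack chain on this page
    Event(1, WS, PS, r"C:\Windows\explorer.exe", 'powershell.exe -w Minimized -ep Bypass -nop -c "$x=1"'),
    Event(1, WS, PS, r"C:\Windows\System32\fodhelper.exe", 'powershell.exe -ep bypass -c "$x=1"'),
    Event(1, WS, PS, r"C:\Windows\System32\cmd.exe",
          "powershell -c \"(gwmi -list win32_shadowcopy).Create('C:\\','ClientAccessible')\""),
    Event(1, WS, r"C:\Windows\System32\cmd.exe", PS,
          r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Windows\Temp\s"),
    Event(11, WS, r"C:\Windows\System32\cmd.exe", target=r"C:\Windows\System32\termsrv.dll"),
    Event(11, WS, r"C:\Windows\servicing\TrustedInstaller.exe", target=r"C:\Windows\System32\termsrv.dll"),  # benign update
    Event(13, WS, r"C:\Windows\System32\reg.exe",
          target=r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"),
    Event(13, WS, PS, target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YandexBrowser_setup"),
    Event(11, WS, r"C:\Windows\PAExec.exe", target=r"C:\Windows\PLA\System\Gen.vbs"),
    Event(11, WS, r"C:\Windows\System32\cmd.exe", target=r"C:\Windows\INF\BITS\ssh.exe"),
    Event(1, WS, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
          r"schtasks.exe /Create /TN \Microsoft\Windows\EDP\EDPControlStart /TR wscript.exe C:\Windows\INF\Run.vbs"),  # action assumed
    Event(3, WS, r"C:\Windows\INF\BITS\esentprf.exe", dest_port=22),
    Event(3, "jump01", r"C:\Windows\System32\OpenSSH\ssh.exe", dest_port=22),  # benign jump host
]


if __name__ == "__main__":
    for rule, idx in hunt(SAMPLE_EVENTS):
        print(f"{rule:32s} event #{idx}: {SAMPLE_EVENTS[idx].image}")
```

The two benign events (the TrustedInstaller write to termsrv.dll and the jump host's SSH session) produce no hits, which is the false-positive handling the table's "Low" ratings depend on; in production the allowlists would come from asset inventory rather than literals.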

Control Gaps

  • Lack of outbound network filtering for SSH/Tor traffic
  • Insufficient monitoring of Google Sheets API usage for data exfiltration
  • Permissive execution policies allowing unsigned PowerShell scripts

Key Behavioral Indicators

  • Registry Run key named 'YandexBrowser_setup'
  • Execution of PAExec.exe dropping VBS scripts in C:\Windows\PLA\System\
  • PowerShell scripts accessing Google Sheets APIs
  • Presence of portable OpenSSH binaries in unusual directories

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider blocking the identified C2 domains and IP addresses at the perimeter firewall or web proxy.
  • Evaluate whether to search endpoints for the presence of the identified file hashes and paths, particularly in C:\Windows\PLA\ and C:\Windows\IME.
  • If applicable, review scheduled tasks for unauthorized entries launching SSH or proxy tools.

Infrastructure Hardening

  • Consider restricting outbound SSH and Tor traffic from internal networks to the internet, allowing it only from authorized jump hosts.
  • Evaluate implementing application control to prevent the execution of unauthorized portable executables like OpenSSH or RevSocks.
  • Review and harden RDP configurations, ensuring Network Level Authentication (NLA) is enforced and concurrent sessions are restricted. Verify that termsrv.dll on exposed hosts still carries a valid Microsoft Authenticode signature (for example with Get-AuthenticodeSignature or sfc /verifyfile); a patched copy fails that check.

User Protection

  • Consider enforcing PowerShell Constrained Language Mode to limit the capabilities of malicious scripts. It is only robust when enforced through AppLocker or WDAC; execution policy alone is not a security boundary, as the -ep Bypass launch used in this campaign shows.
  • If supported by your tooling, monitor and restrict the creation of Volume Shadow Copies by non-administrative users.

Security Awareness

  • Consider updating phishing awareness training to highlight the risks of opening LNK files disguised within ZIP archives.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
  • T1003.002 - OS Credential Dumping: Security Account Manager
  • T1562.004 - Impair Defenses: Disable or Modify System Firewall
  • T1573.002 - Encrypted Channel: Asymmetric Cryptography
  • T1090.001 - Proxy: Internal Proxy
  • T1563.002 - Remote Service Session Hijacking: RDP Hijacking
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage

Additional IOCs

  • Ips:
    • 194[.]102[.]104[.]207 - IP address associated with Cloud Atlas infrastructure.
    • 46[.]17[.]45[.]56 - IP address associated with Cloud Atlas infrastructure.
    • 46[.]17[.]45[.]49 - IP address associated with Cloud Atlas infrastructure.
    • 46[.]17[.]44[.]125 - IP address associated with Cloud Atlas infrastructure.
    • 46[.]17[.]44[.]212 - IP address associated with Cloud Atlas infrastructure.
    • 185[.]22[.]154[.]73 - IP address associated with Cloud Atlas infrastructure.
    • 194[.]87[.]196[.]163 - IP address associated with Cloud Atlas infrastructure.
    • 195[.]58[.]49[.]9 - IP address associated with Cloud Atlas infrastructure.
    • 93[.]125[.]114[.]193 - IP address associated with Cloud Atlas infrastructure.
    • 93[.]125[.]114[.]57 - IP address associated with Cloud Atlas infrastructure.
    • 45[.]87[.]219[.]116 - IP address associated with Cloud Atlas infrastructure.
    • 37[.]228[.]129[.]224 - IP address associated with Cloud Atlas infrastructure.
    • 185[.]53[.]179[.]136 - IP address associated with Cloud Atlas infrastructure.
    • 185[.]126[.]239[.]77 - IP address associated with Cloud Atlas infrastructure.
    • 5[.]181[.]21[.]75 - IP address associated with Cloud Atlas infrastructure.
    • 146[.]70[.]53[.]171 - IP address associated with Cloud Atlas infrastructure.
    • 45[.]15[.]65[.]134 - IP address associated with Cloud Atlas infrastructure.
    • 185[.]250[.]181[.]207 - IP address associated with Cloud Atlas infrastructure.
    • 81[.]30[.]105[.]71 - IP address associated with Cloud Atlas infrastructure.
  • Domains:
    • tenkoff[.]org - Reverse SSH/Socks domain.
    • kufar[.]org - Reverse SSH/Socks domain.
    • ultimatecore[.]net - Reverse SSH/Socks domain.
    • spbnews[.]net - Reverse SSH/Socks domain.
    • onedrivesupport[.]net - Reverse SSH/Socks domain.
    • amerikastaj[.]com - Malicious domain used in MS Office documents.
    • bigbang[.]me - Malicious domain used in MS Office documents.
    • paleturquoise-dragonfly-364512[.]hostingersite[.]com - Malicious domain used in MS Office documents.
    • wizzifi[.]com - Malicious domain used in MS Office documents.
    • totallegacy[.]org - Malicious domain used in MS Office documents.
    • mamurjor[.]com - Malicious domain used in MS Office documents.
    • landscapeuganda[.]com - Malicious domain used in MS Office documents.
    • lafortunaitalian[.]co[.]uk - Malicious domain used in MS Office documents.
    • kommando[.]live - Malicious domain used in MS Office documents.
    • internationalcommoditiesllc[.]com - Malicious domain used in MS Office documents.
    • humanitas[.]si - Malicious domain used in MS Office documents.
    • fishingflytackle[.]com - Malicious domain used in MS Office documents.
    • firsai[.]tipshub[.]net - Malicious domain used in MS Office documents.
    • alnakhlah[.]com[.]sa - Malicious domain used in MS Office documents.
    • allgoodsdirect[.]com[.]au - Malicious domain used in MS Office documents.
    • agenciakharis[.]com[.]br - Malicious domain used in MS Office documents.
    • znews[.]net - PowerShell payload staging domain.
  • File Hashes:
    • 7A95360B7E0EB5B107A3D231ABBC541A (MD5) - PowerCloud executable (wininet.exe).
    • C0D1EAA15A2CEFBAB9735787575C8D8E (MD5) - PowerCloud executable (update.exe).
    • D5B38B252CF212A4A32763DE36732D40 (MD5) - PowerCloud executable (i39884.exe).
    • 3C75CEDB1196DF5EAB91F31411ED4B33 (MD5) - PowerCloud executable (reports.exe).
    • 42AC350BFBC5B4EB0FEDBA16C81919C7 (MD5) - PowerCloud executable.
    • 493B901D1B33EB577DB64AADD948F9CE (MD5) - PowerCloud executable (MicrosoftBrowser.exe).
    • 2CABB721681455DAE1B6A26709DEF453 (MD5) - PowerCloud executable (winlog.exe).
    • 1B39E86EB772A0E40060B672B7F574F1 (MD5) - PowerCloud executable (vmnetdrv64.exe).
    • 1D401D6E6FC0B00AAA2C65A0AC0CFD6B (MD5) - PowerCloud executable (dfsvc.exe).
    • 40A562B8600F843B717BC5951B2E3C29 (MD5) - PowerCloud executable (scat.exe).
    • F721A76DEB28FD0B80D27FCE6B8F5016 (MD5) - PowerCloud executable (dfsvc.exe).
    • D3C8AFD22BAA306FF659DB1FAC28574A (MD5) - PowerCloud executable.
    • 6D7B2D1172BBDB7340972D844F6F0717 (MD5) - PowerCloud executable (1cv8ud.exe / svc.exe).
    • 9769F43B9DE8D19E803263267FA6D62E (MD5) - PowerCloud executable (1cv8ud.exe).
    • 63B6BE9AE8D8024A40B200CCCB438F1D (MD5) - PowerCloud executable (notepad.exe).
    • 6AA586BCC45CA2E92A4F0EF47E086FA1 (MD5) - PowerCloud executable (splwow32.exe).
    • EBA3BCDB19A7E256BF8E2CC5B9C1CCA9 (MD5) - PowerCloud executable (stant.exe).
    • B4E183627B7399006C1BC47B3711E419 (MD5) - PowerCloud executable (service.exe).
    • F56B31A4B47AD3365B18A7E922FBA1A8 (MD5) - PowerCloud executable (dfsvc.exe).
    • F6F62456FB0FCC396FB654CBED339BC3 (MD5) - PowerCloud executable.
    • 25C8ED0511375DCA57EF136AC3FA0CCA (MD5) - PowerCloud executable (dwmw.exe).
    • 5329F7BFF9D0D5DB28821B86C26D628F (MD5) - Browser checker script compiled via PS2EXE.
    • 2B4BA4FACF8C299749771A3A4369782E (MD5) - ReverseSocks executable (bounce.exe / print_status.exe).
    • BA9CE06641067742F2AFC9691FAFF1DC (MD5) - ReverseSocks executable (client.exe).
    • FB0F8027ACF1B1E47E07A63D8812ED50 (MD5) - ReverseSocks executable (vmnetdrv64.exe).
    • BBF1FA694122E07635DEEAC11AD712F8 (MD5) - ReverseSocks executable (HostManagement.exe).
    • F301AA3D62B5095EEC4D8E34201A4769 (MD5) - ReverseSocks executable (msfu.exe).
    • F9C3BBE108566D1A6B070F9C5FB03160 (MD5) - ReverseSocks executable (IMTCEN14.exe).
  • File Paths:
    • C:\Users\Public\Videos\video.vbs - Loader script for the VBCloud backdoor.
    • C:\Windows\INF\Run.vbs - VBS script used to run reverse SSH tunnel.
    • C:\Windows\PLA\System\Gen.vbs - VBS script used to generate key for SSH tunnel.
    • C:\Windows\PLA\System\Kill.vbs - VBS script used to stop reverse SSH tunnel.
    • C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe - Path used for ReverseSocks and PowerCloud executables.
    • C:\Windows\LiveKernelReports\update.exe - Path used for PowerCloud executable.
    • C:\Windows\INF\BITS\esentprf.exe - Path used for reverse SSH tunneling executable.
    • C:\Windows\Resources\Update\Intel.exe - Path used for Tor client executable.
  • Command Lines:
    • Purpose: Execute initial PowerShell payload from LNK file | Tools: powershell.exe | Stage: Initial Access | powershell.exe -w Minimized -ep Bypass -nop -c
    • Purpose: Bypass UAC to execute payload with high privileges | Tools: fodhelper.exe, powershell.exe | Stage: Privilege Escalation | C:\windows\system32\fodhelper.exe
    • Purpose: Create Volume Shadow Copy for credential theft | Tools: powershell.exe (gwmi, the Get-WmiObject alias), wmic.exe | Stage: Credential Access | gwmi -list win32_shadowcopy
    • Purpose: Modify firewall to allow RDP connections | Tools: netsh.exe | Stage: Defense Evasion
    • Purpose: Create scheduled task for SSH tunnel persistence | Tools: schtasks.exe | Stage: Persistence | schtasks.exe /Create /TN \Microsoft\Windows\EDP\EDPControlStart /TR
    • Purpose: Modify file permissions for SSH tunnel components | Tools: icacls.exe | Stage: Defense Evasion | icacls.exe C:\Windows\INF\BITS\esent /grant:r SYSTEM:(F) Administrators:(F)
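The IOC list above is written in a mixed defanging notation ("[.]" and "[[.]]" both occur), which trips up naive refanging before the indicators can be loaded into a blocklist or a log sweep. The following is an added example, not code from the Kaspersky report: it parses an excerpt of that block into normalized IP, domain and MD5 sets (the indicator values in the excerpt are the page's own; the excerpt itself and the log lines are constructed for the example), then scans free-form log lines for them, treating any subdomain of a listed domain as a match. The log format is assumed; the regexes are deliberately loose so they also cover the "(.)", "{.}" and "hxxp" variants found in other reports.

```python
"""Normalise the defanged IOC block above and sweep log lines against it.
Added example; not code from the original report."""
import ipaddress
import re

# Excerpt copied from the IOC list above, in the page's own mixed notation.
IOC_TEXT = """
  • Ips:
    • 194[.]102[.]104[[.]]207 - IP address associated with Cloud Atlas infrastructure.
    • 46[.]17[.]45[[.]]56 - IP address associated with Cloud Atlas infrastructure.
  • Domains:
    • tenkoff[[.]]org - Reverse SSH/Socks domain.
    • paleturquoise-dragonfly-364512[.]hostingersite[[.]]com - Malicious domain used in MS Office documents.
    • znews[[.]]net - PowerShell payload staging domain.
  • File Hashes:
    • 7A95360B7E0EB5B107A3D231ABBC541A (MD5) - PowerCloud executable (wininet.exe).
    • 2B4BA4FACF8C299749771A3A4369782E (MD5) - ReverseSocks executable (bounce.exe / print_status.exe).
"""

DEFANG = re.compile(r"\[+\.\]+|\(\.\)|\{\.\}|\bhxxp(s?)\b", re.IGNORECASE)
MD5 = re.compile(r"[0-9a-f]{32}")
DOMAIN = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")   # last label alphabetic, so never an IPv4


def refang(token: str) -> str:
    """Undo [.], [[.]], (.), {.} and hxxp/hxxps defanging."""
    def fix(m):
        if m.group(0).lower().startswith("hxxp"):
            return "http" + (m.group(1) or "")
        return "."
    return DEFANG.sub(fix, token)


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_iocs(text: str) -> dict:
    """Refang the first token of each bullet and bucket it as ip / domain / md5."""
    iocs = {"ip": set(), "domain": set(), "md5": set()}
    for line in text.splitlines():
        line = line.strip().lstrip("•").strip()
        if not line or line.endswith(":"):          # blank line or category header
            continue
        token = refang(line.split(" ", 1)[0]).lower()
        if MD5.fullmatch(token):
            iocs["md5"].add(token)
        elif _is_ip(token):
            iocs["ip"].add(token)
        elif DOMAIN.fullmatch(token):
            iocs["domain"].add(token)
        # anything else is a malformed entry; skipped rather than guessed at
    return iocs


def domain_matches(host: str, domains: set):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in domains:
            return candidate
    return None


def scan_line(line: str, iocs: dict):
    """Find IOC hits in one free-form log line; tokens may carry scheme, path or port."""
    hits = []
    for raw in re.split(r"[\s,;=\"']+", line):
        tok = raw.strip("()[]{}<>").lower()
        if not tok:
            continue
        host = tok.split("://")[-1].split("/")[0].rsplit(":", 1)[0]
        if tok in iocs["md5"]:
            hits.append(("md5", tok))
        elif host in iocs["ip"]:
            hits.append(("ip", host))
        else:
            d = domain_matches(host, iocs["domain"])
            if d:
                hits.append(("domain", d))
    return hits


def sweep(lines, iocs: dict) -> dict:
    """Map line index -> hits for every line that matched at least one IOC."""
    return {i: h for i, line in enumerate(lines) if (h := scan_line(line, iocs))}


LOG_LINES = [  # constructed proxy, DNS and EDR lines; 203.0.113.10 is a documentation address
    "2026-05-20T09:14:02Z proxy ws-fin-07 CONNECT www.tenkoff.org:443 -> 46.17.45.56",
    "2026-05-20T09:14:30Z dns ws-fin-07 A? paleturquoise-dragonfly-364512.hostingersite.com",
    "2026-05-20T09:20:11Z edr ws-fin-07 file=C:\\Windows\\IME\\wininet.exe md5=7a95360b7e0eb5b107a3d231abbc541a",
    "2026-05-20T09:21:00Z proxy ws-fin-08 GET https://docs.google.com/spreadsheets/ -> 203.0.113.10",
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for idx, hits in sweep(LOG_LINES, iocs).items():
        print(idx, hits, "<-", LOG_LINES[idx])
```

The fourth line (a Google Sheets request) intentionally yields no hit: the PowerCloud exfiltration channel is a legitimate service, so it has to be caught by the behavioral indicator (a PowerShell process talking to the Sheets API) rather than by an atomic IOC.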