The Cloud Atlas APT group has updated its toolset in 2025-2026 campaigns targeting Russia and Belarus, utilizing LNK-based phishing to deploy VBCloud and PowerShower backdoors. The group establishes persistent access by patching termsrv.dll for concurrent RDP sessions and heavily relies on reverse SSH, RevSocks, and Tor for redundant C2 channels. Additionally, a new PowerShell tool named PowerCloud is used to exfiltrate administrator data to Google Sheets.
SSH Tunneling
1 post
Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload