Cloud Atlas APT Group Expands Arsenal in Recent Campaigns
TL;DR Cloud Atlas has been active since late 2025, targeting government and commercial organizations in Russia and Belarus. Recent tactics include exploiting CVE-2018-0802 and utilizing PowerShell scripts to create backup control channels through SSH and Tor.
Main Analysis
The Cloud Atlas group, an advanced persistent threat (APT) actor, has displayed a significant resurgence in its activities over recent months. Targeting a range of organizations in Russia and Belarus, this group employs a variety of malicious tactics. The primary means of initial compromise involves phishing campaigns, wherein attackers distribute ZIP files containing LNK files that execute PowerShell scripts hosted on external servers. This is consistent with their earlier use of malicious documents exploiting CVE-2018-0802, a vulnerability in the Microsoft Office Equation Editor.
In these campaigns, the downloaded PowerShell scripts employ multifaceted strategies. For instance, one script drops a payload that initiates persistence through registry modifications, establishes a decoy to disguise activities, and engages in anti-forensics by deleting initial infection artifacts. The subsequent execution of payloads such as VBCloud and PowerShower enables Cloud Atlas to perform various malicious actions, including data exfiltration and lateral movement within networks.
The attack workflow illustrated in the provided images delineates the execution flow of the attack. Notably, the visual representation clarifies the sequence of actions from initial compromise to deployment of further malicious components. These actions are characterized by the deployment of reverse SSH tunnels and RevSocks, facilitating covert communication and remote access to compromised systems while circumventing typical security defenses.
Defensive Context
Organizations in government and sensitive sectors in Russia and Belarus should be particularly vigilant due to their recent targeting. Attackers typically utilize phishing as the initial access vector, suggesting that those with user education gaps may be at higher risk. Monitoring for unusual PowerShell activity, particularly scripts that download or execute external resources, is crucial for detecting early stages of this attack.
Why This Matters
Cloud Atlas’s ongoing campaigns represent a real-world risk primarily for entities involved in sensitive governmental operations or sectors critical to national security. Their reliance on established exploitation methods and the diversity of their tunneling techniques complicate complete remediation efforts, maintaining their foothold even if primary backdoors are identified.
Defender Considerations
Specific actions to consider include blocking known infrastructure as listed in the indicators of compromise. Additionally, organizations should pay close attention to the exploitation of CVE-2018-0802, especially within Microsoft Office applications, as well as monitoring for the deployment of reverse SSH tunnels.
Indicators of Compromise (IOCs)
Malicious PowerShell Payload: Various malicious scripts identified, including PowerCloud (MD5: 7A95360B7E0EB5B107A3D231ABBC541A).
LNK files for initial access: Attached to emails containing ZIP files.
Reverse SSH Tunnels Domains:
- tenkoff[.]org
- cloudguide[.]in
Vulnerable Exploit: CVE-2018-0802 related to the Microsoft Office Equation Editor.
File Path Examples:
- C:\Windows\ime\imejp\dicts\i39884.exe
- C:\ProgramData\hp\client.exe
Overall, Cloud Atlas’s evolution underscores the need for robust threat detection and response mechanisms, particularly in environments with sensitive operations.
