Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload
Cloud Atlas group targets Russia and Belarus with new tools and techniques in 2025-2026.
Summary
The Cloud Atlas APT group has been actively targeting government and diplomatic entities in Russia and Belarus. The group uses phishing emails with malicious LNK shortcuts and exploits the CVE-2018-0802 vulnerability in Microsoft Office. They also employ third-party utilities like Tor, SSH, and RevSocks to maintain persistence and control.
Full text
Authors: Kaspersky

In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise.

The group is back to sending out archives containing malicious shortcuts that launch PowerShell scripts. This technique is employed in addition to the previously described use of malicious documents, which exploit an old vulnerability in the Microsoft Office Equation Editor process (CVE-2018-0802) to download and execute malicious code. We have observed the use of third-party public utilities (Tor/SSH/RevSocks) to gain a foothold in infected systems and create additional backup control channels.

Technical details

Initial infection

As for the primary compromise, Cloud Atlas remains consistent in using phishing. In the observed campaigns, the attackers emailed a ZIP archive containing an LNK file as an attachment.

[Figure: Malware execution flow]

Attackers use LNK shortcuts to covertly execute PowerShell scripts hosted on external resources.
The command line of the shortcut:

[Figure: command line of the shortcut]

Example of the PowerShell script downloaded and executed by the shortcut:

[Figure: Example of the PowerShell script downloaded by the shortcut]

Actions performed by the downloaded PowerShell:

| Step | Action | Description |
| --- | --- | --- |
| 1 | Drops “$temp\fixed.ps1” | Pre-staging: places the main payload locally in advance to ensure an execution capability independent of subsequent network connectivity or C2 availability. |
| 2 | Creates “Run” registry key “YandexBrowser_setup” for “$temp\fixed.ps1” startup | Early persistence: guarantees execution upon the next logon or reboot. If the script is interrupted during later stages, the payload will still activate automatically. |
| 3 | Downloads and drops “$temp\rar.zip” | Payload delivery: retrieves the decoy archive from the remote server to prepare user-facing content for the distraction phase. |
| 4 | Extracts “*.pdf” from the downloaded “$temp\rar.zip” | Decoy preparation: unpacks the legitimate-looking document so it can be opened silently without requiring user interaction. |
| 5 | Opens extracted decoy document “*.pdf” with user’s default software | User distraction: opens a convincing document to maintain user engagement and creates the appearance of a legitimate workflow, buying an additional 30–120 seconds for background operations. |
| 6 | Executes “taskkill.exe /F /Im winrar.exe” | Process concealment: terminates the archive extractor to prevent the user from seeing the archive contents or noticing unexpected file extraction activity. |
| 7 | Searches for and deletes “rar.zip”, “*.pdf.zip” and “*.pdf.lnk” | Anti-forensic cleanup: removes the initial infection artifacts before activating the main payload, reducing the number of disk traces available for incident response or EDR correlation. |
| 8 | Executes “$temp\fixed.ps1” | Controlled execution: launches the main payload only after persistence is secured, the user is distracted, and access traces are cleaned up. |
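The eight-step chain above is more useful for detection as a sequence than as isolated events: a Run key pointing at a .ps1 in the temp folder, a rar.zip dropped there, winrar.exe killed, *.pdf.lnk deleted and the temp script executed by one process. The correlator below is an added example written for this article, not code from Kaspersky or from the attackers; the pipe-separated telemetry format, the event type names and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Each stage of the LNK -> PowerShell chain described above, expressed as a
# (stage name, event type, pattern over the event detail) triple.
STAGES = [
    ("run_key_to_temp_ps1", "RegistryValueSet",
     re.compile(r"\\Run\\[^=]+=.*\\Temp\\[^\\]+\.ps1", re.I)),
    ("archive_dropped_to_temp", "FileCreate", re.compile(r"\\Temp\\rar\.zip$", re.I)),
    ("winrar_killed", "ProcessCreate",
     re.compile(r"taskkill\.exe\s+/F\s+/Im\s+winrar\.exe", re.I)),
    ("lnk_decoy_deleted", "FileDelete", re.compile(r"\.pdf\.(lnk|zip)$|\\rar\.zip$", re.I)),
    ("temp_ps1_executed", "ProcessCreate",
     re.compile(r"powershell.*\\Temp\\[^\\]+\.ps1", re.I)),
]

# Constructed sample telemetry (not from the article): pid|event_type|detail, one event per line.
SAMPLE_EVENTS = r"""4120|RegistryValueSet|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YandexBrowser_setup=powershell -ep bypass -f C:\Users\u\AppData\Local\Temp\fixed.ps1
4120|FileCreate|C:\Users\u\AppData\Local\Temp\rar.zip
4120|ProcessCreate|taskkill.exe /F /Im winrar.exe
4120|FileDelete|C:\Users\u\Downloads\report.pdf.lnk
4120|ProcessCreate|powershell.exe -f C:\Users\u\AppData\Local\Temp\fixed.ps1
5001|RegistryValueSet|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive=C:\Program Files\OneDrive.exe
5001|ProcessCreate|taskkill.exe /F /Im notepad.exe
"""

def correlate(events_text: str, min_stages: int = 3) -> dict:
    """Group matched stages per originating process and report processes that hit
    at least min_stages distinct stages (no single stage is suspicious on its own)."""
    matched = defaultdict(set)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        pid, etype, detail = line.split("|", 2)
        for name, wanted_type, pattern in STAGES:
            if etype == wanted_type and pattern.search(detail):
                matched[pid].add(name)
    return {pid: sorted(s) for pid, s in matched.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for pid, stages in correlate(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {len(stages)} chain stages matched -> {stages}")
```

In the constructed sample only process 4120 crosses the threshold; the unrelated Run key and taskkill from process 5001 match no stage, which is the point of scoring the chain rather than any one event.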
Fixed.ps1 (loader)

The primary purpose of the Fixed.ps1 script is to deliver and install subsequent malware onto the compromised system, specifically VBCloud and PowerShower. Fixed.ps1 establishes persistence (by adding itself to registry Run keys), creates a decoy for the user (by opening a PDF document), and executes the next stages of the attack.

Fixed.ps1::Payload (VBCloud dropper)

[Figure: Example of the fixed.ps1::Payload (VBCloud dropper)]

This module functions as a dropper for the VBCloud backdoor. It drops two files onto the infected machine:

- video.vbs: the loader of the backdoor, VBCloud::Launcher. This is a VBScript that decrypts the contents of video.mds (typically using RC4 with a hardcoded key) and executes it in memory.
- video.mds: the encrypted body of the backdoor, VBCloud::Backdoor. This is the main module that connects to a C2 server to receive additional scripts or execute built-in commands.

This backdoor is designed to function as a stealer, specifically targeting files with extensions of interest (such as DOC, PDF, XLS) and exfiltrating them.

Fixed.ps1::Payload (PowerShower)

This module installs a second backdoor called PowerShower on the system. We don’t have the specific script that performs this installation, but we assume it’s performed by a script similar to fixed.ps1::Payload (VBCloud dropper). Unlike VBCloud, which focuses on file theft, PowerShower is primarily used for network reconnaissance and lateral movement within the victim’s infrastructure. PowerShower can perform the following tasks:

- Collect information about running processes, administrator groups, and domain controllers.
- Download and execute PowerShell scripts from the C2 server.
- Conduct “Kerberoasting” attacks (stealing password hashes of Active Directory accounts).

PowerShower is dropped onto the system via the path ‘C:\Users\[username]\Pictures\googleearth.ps1’.
[Figure: Contents of the googleearth.ps1 (PowerShower)]

PowerShower::Payload (credential grabber)

PowerShower downloads an additional script for stealing credentials. It performs the following actions:

- Creates a Volume Shadow Copy of the C:\ drive.
- Copies the SAM (which stores local user password hashes) and SECURITY hive files from this shadow copy to C:\Users\Public\Documents\, disguising them as PDF files.

The script is launched in several stages. To execute with high privileges, the script uses a UAC bypass technique via fodhelper.exe (a built-in Windows utility). This allows PowerShell to run as an administrator without directly prompting the user, which could otherwise raise suspicion. The full launch chain looks like this:

[Figure: launch chain of the credential grabber]

The full Base64-decoded script is given below.

Multi-user RDP by patching termsrv.dll

Moving laterally across the victim’s network, the attackers executed a suspicious PowerShell script named rdp_new.ps1 (MD5 1A11B26DD0261EF27A112CE8B361C247). The script is designed to allow multiple RDP sessions in Windows 10 by patching the termsrv.dll file. Termsrv.dll is the core Windows library that enforces Remote Desktop Services rules. By default, Windows limits the number of simultaneous RDP sessions. Removing this restriction allows attackers to operate on the machine in the background without disconnecting the legitimate user, thereby reducing the likelihood of detection.

First, the script enables RDP on the firewall and downgrades the RDP security settings. Before modifying termsrv.dll, the script takes ownership of the file and assigns itself full permissions. Then the script finds the byte sequence 39 81 3C 06 00 00 ?? ?? ?? ?? ?? ?? and replaces it with B8 00 01 00 00 89 81 38 06 00 00 90. After these manipulations, the script restarts the RDP service.

[Figure: Example of script]

The patched version allows multiple concurrent logins so attackers can stay connected without disrupting the legitimate user, thereby reducing suspicion.
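Two of the artifacts described above lend themselves to a cheap host integrity check: registry hives copied to C:\Users\Public\Documents\ under a .pdf name still carry the "regf" hive signature, and a termsrv.dll rewritten by rdp_new.ps1 contains the replacement bytes quoted on the page. The script below is an added example for this article, not Kaspersky's tooling; the byte patterns are the ones quoted above, while the fake DLL images and the temporary folder contents are constructed samples.

```python
import re
import tempfile
from pathlib import Path

# Byte sequences quoted in the article: the pattern rdp_new.ps1 searches for
# ("??" bytes are wildcards) and the replacement it writes into termsrv.dll.
ORIGINAL_RE = re.compile(rb"\x39\x81\x3c\x06\x00\x00.{6}", re.DOTALL)
PATCHED = bytes.fromhex("B8 00 01 00 00 89 81 38 06 00 00 90")

def classify_termsrv(data: bytes) -> str:
    """Return 'patched', 'original' or 'unknown' for the raw bytes of a termsrv.dll."""
    if PATCHED in data:
        return "patched"
    if ORIGINAL_RE.search(data):
        return "original"
    return "unknown"  # other build or tampered differently: compare against a known-good hash

def is_registry_hive(head: bytes) -> bool:
    """Registry hive files such as SAM and SECURITY start with the 'regf' signature."""
    return head[:4] == b"regf"

def find_disguised_hives(folder: Path) -> list:
    """Names of *.pdf files in folder whose content is actually a registry hive."""
    hits = []
    for p in folder.glob("*.pdf"):
        with p.open("rb") as f:
            if is_registry_hive(f.read(4)):
                hits.append(p.name)
    return sorted(hits)

# Constructed samples (not real binaries): a fake unpatched and a fake patched DLL image.
FAKE_ORIGINAL = b"\x90" * 16 + bytes.fromhex("39 81 3C 06 00 00 7C 05 41 3B C6 74") + b"\x90" * 16
FAKE_PATCHED = b"\x90" * 16 + PATCHED + b"\x90" * 16

def demo_hive_scan() -> list:
    """Build a throwaway folder with one real PDF and one hive renamed to .pdf, then scan it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "report.pdf").write_bytes(b"%PDF-1.4\n%constructed sample\n")
        Path(d, "sam.pdf").write_bytes(b"regf" + b"\x00" * 60)  # hive masquerading as a PDF
        return find_disguised_hives(Path(d))

if __name__ == "__main__":
    print(classify_termsrv(FAKE_ORIGINAL), classify_termsrv(FAKE_PATCHED))
    print(demo_hive_scan())
```

On a live host, point classify_termsrv at the bytes of %SystemRoot%\System32\termsrv.dll and find_disguised_hives at C:\Users\Public\Documents; an "unknown" verdict means the build differs from the one the patch targets and should be compared against a known-good hash rather than treated as clean.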
Reverse SSH tunneling

As mentioned above, during this wave of attacks, the adversaries widely deployed reverse SSH tunnels to many hosts of interest. The compromised machine initiates an SSH connection to an attacker-controlled server, which allows the attackers to bypass standard firewall rules by establishing outbound connections. That way, even if the primary backdoor is discovered, the attackers can maintain control through the SSH tunnel. To install a reverse SSH tunnel on a victim’s host, the attackers run VBS scripts via PAExec or PsExec. We’ve seen three types of scripts: Gen.vbs (WriteToSchedulerGenerateKey.vbs) generates ke
Indicators of Compromise
- cve — CVE-2018-0802