Key Findings Cloud Atlas, active since 2014, conducted pervasive SSH tunnel operations affecting government and commercial organizations in Russia and Belarus throughout late 2025 and into 2026 The group introduced new tools and malicious payloads, including VBCloud and PowerShower backdoors Primary infection vector remains phishing with ZIP archives containing malicious LNK shortcuts that execute PowerShell scripts Multi-stage attack chain includes persistence mechanisms, de