Cloud Atlas: Upcoming Operations, New Tools, and Payload Deployments (2025-2026)
- May 23
- 3 min read
Key Findings
Cloud Atlas, active since 2014, conducted pervasive SSH tunnel operations affecting government and commercial organizations in Russia and Belarus throughout late 2025 and into 2026
The group introduced new tools and malicious payloads, including VBCloud and PowerShower backdoors
Primary infection vector remains phishing with ZIP archives containing malicious LNK shortcuts that execute PowerShell scripts
Multi-stage attack chain includes persistence mechanisms, decoy documents, and anti-forensic cleanup routines
VBCloud targets file theft while PowerShower focuses on network reconnaissance and lateral movement
Attackers leverage third-party utilities like Tor, SSH, and RevSocks for command and control backup channels
Background
Cloud Atlas is a threat group that has maintained operational activity since 2014. The group remains consistent in targeting government organizations and commercial entities, with a particular focus on Russia and Belarus. Their operations were especially pervasive during the second half of 2025, with activity continuing into early 2026. While the group's fundamental tactics rely on social engineering through phishing, their toolset and payloads have evolved throughout their operational history.
Initial Infection and Infection Chain
Cloud Atlas continues to rely on phishing as their primary compromise method. In recent campaigns, operators email ZIP archives containing LNK shortcut files to targets. These shortcuts are designed to execute PowerShell scripts hosted on external resources, initiating a carefully orchestrated infection chain.
The execution flow begins with the LNK file, which covertly downloads and runs a PowerShell script. This initial script performs multiple critical functions: it drops a main payload locally for persistence, creates registry Run keys for automatic startup, downloads a decoy archive containing PDF documents, and performs cleanup operations to remove infection artifacts before launching the main payload.
Multi-Stage Payload Delivery
The attack progresses through deliberate stages designed to maintain persistence while avoiding detection. After the initial PowerShell execution, the script downloads and extracts a decoy archive containing PDF files. These documents are opened with the user's default software to maintain engagement and distract from background operations, buying attackers 30 to 120 seconds for additional malicious activity.
Process concealment occurs when the archive extractor is forcibly terminated, preventing users from noticing unexpected file operations. Anti-forensic cleanup then removes infection artifacts including the archive files and shortcuts before the main payload activates. This methodical approach reduces forensic traces available to incident responders.
Fixed.ps1 Loader and VBCloud Backdoor
Fixed.ps1 serves as the primary loader, delivering subsequent malware stages and establishing persistence through registry modifications. The script creates a VBCloud dropper that installs two critical files: video.vbs acts as a loader that decrypts the encrypted VBCloud backdoor body using RC4 encryption, while video.mds contains the encrypted backdoor itself.
VBCloud functions as a stealer designed to target files with specific extensions including DOC, PDF, and XLS. Once activated, it connects to a command and control server to receive additional instructions or execute built-in commands. The backdoor exfiltrates stolen files to attacker-controlled infrastructure.
PowerShower Backdoor and Lateral Movement
PowerShower represents the second backdoor deployed during the infection chain. Unlike VBCloud's focus on file theft, PowerShower specializes in network reconnaissance and lateral movement within compromised infrastructure. The backdoor collects detailed information about running processes, administrator group memberships, and domain controllers within the target environment.
PowerShower can download and execute additional PowerShell scripts from the C2 server and conduct Kerberoasting attacks to steal password hashes from Active Directory accounts. This combination of capabilities enables attackers to expand their foothold across enterprise networks and escalate privileges.
Command and Control Infrastructure
Cloud Atlas employs multiple backup control channels using third-party public utilities including Tor, SSH, and RevSocks. This redundancy ensures continued communication with compromised systems even if primary command and control channels are disrupted. The layered approach to C2 infrastructure reflects the group's commitment to maintaining persistent access across their target networks.
Sources
https://securelist.com/cloud-atlas-2026/119895/
https://www.reddit.com/r/SecOpsDaily/comments/1tkehgw/cloud_atlas_activity_in_the_second_half_of_2025
https://x.com/TheCyberSecHub/status/2057757175074963461

Comments