Cloud Atlas activity in the first half of 2025: what changed

Dec. 21, 2025, 11:08 p.m.

Description

The Cloud Atlas APT group continues to target countries in Eastern Europe and Central Asia using phishing emails with malicious attachments exploiting CVE-2018-0802. The infection chain now includes several implants: VBShower, VBCloud, PowerShower, and CloudAtlas. New and updated components are described, including payloads for file exfiltration, credential stealing, and system information gathering. The backdoors use cloud services for command and control. Targets were identified in Russia and Belarus across telecommunications, construction, government, and manufacturing sectors. The group has been active for over 10 years and continues to expand its capabilities.

External References

https://securelist.com/cloud-atlas-h1-2025-campaign/118517
https://otx.alienvault.com/pulse/6945eb05a572abda5897b469
Tags
apt
phishing
CVE-2018-0802
vbcloud
vbshower
central asia
eastern europe
cloud c2
powershower
2025-12-20
cloudatlas

Date

  • Created: Dec. 20, 2025, 12:17 a.m.
  • Published: Dec. 20, 2025, 12:17 a.m.
  • Modified: Dec. 21, 2025, 11:08 p.m.

Attack Patterns

  • VBShower - S0442
  • PowerShower - S0441
  • VBCloud
  • CloudAtlas
  • Inception

Additional Informations

  • Manufacturing
  • Telecommunications
  • Construction
  • Government
  • statusupport.org
  • cityru-travel.org
  • securemodem.com
  • multipackage.net
  • technoguides.org
  • luxoftinfo.com
  • updatechecker.org
  • marketru.net
  • rostvgroup.com
  • russiatimes.info
  • rzhd.org
  • processmanagerpro.net
  • flashsupport.org
  • billet-ru.net
  • telehraf.com
  • rosatomgroup.com
  • transferpolicy.org
  • mskreg.net
  • gimnazija.org
  • Belarus
  • Russian Federation