Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

Published 22/05/2026 13:08 · Modified 25/05/2026 09:52

Essential information

Tags
2026-05-22 cloud atlas netsupport rat phantomheart powercloud powershower reversesocks valleyrat vbcloud
Related entities
3 vulnerabilities (cve), 17 observables, 1 intrusion sets (apt), 20 techniques (mitre), 8 malware, 27 others

Description

The Cloud Atlas APT group targeted government organizations and commercial companies in Russia and Belarus during late 2025 and early 2026, using phishing campaigns that delivered malicious ZIP archives containing LNK shortcuts. The attackers deployed multiple backdoors, including for file theft and for network reconnaissance. Newly identified tools include , which exfiltrates data to Google Sheets, and browser checker utilities. The group maintained persistence through reverse SSH tunnels, patched OpenSSH binaries, , and Tor networking. Initial infection vectors included malicious shortcuts that executed PowerShell scripts and the exploitation of CVE-2018-0802 in Microsoft Office. The attackers carried out credential theft, RDP manipulation by patching termsrv.dll, and lateral movement across networks, while keeping several backup command-and-control channels available.

External references