{"uuid": "84a9310e-5ae3-4c13-92e6-a5ef01449f98", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2018-0802", "type": "seen", "source": "https://poliverso.org/objects/0477a01e-ed573033-af39cc92308f9b06", "content": "Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload\nIn 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise.\nThe group is back to sending out archives containing malicious shortcuts that launch PowerShell scripts. This technique is employed in addition to the previously described use of malicious documents, which exploit an old vulnerability in the Microsoft Office Equation Editor process (CVE-2018-0802) to download and execute malicious code. We have observed the use of third-party public utilities (Tor/SSH/RevSocks) to gain a foothold in infected systems and create additional backup control channels.\nTechnical details\nInitial infection\nAs for the primary compromise, Cloud Atlas remains consistent in using phishing. In the observed campaigns, the attackers emailed a ZIP archive containing an LNK file as an attachment.\nMalware execution flow\nAttackers use LNK shortcuts to covertly execute PowerShell scripts hosted on external resources. The command line of the shortcut:\nExample of the PowerShell script downloaded and executed by the shortcut:\nExample of the PowerShell script downloaded by the shortcut\nActions performed by the downloaded PowerShell:StepActionDescription1 Drops \u201c$temp\\fixed.ps1\u201dPre-staging: places the main payload locally in advance to ensure an execution capability independent of subsequent network connectivity or C2 availability.2Creates \u201cRun\u201d registry key \u201cYandexBrowser_setup\u201d for \u201c$temp\\fixed.ps1\u201d startupEarly persistence: guarantees execution upon the next logon or reboot. If the script is interrupted during later stages, the payload will still activate automatically.3Downloads and drops \u201c$temp\\rar.zip\u201dExtracts \u201c*.pdf\u201d from the downloaded  \u201c$temp\\rar.zip\u201dPayload delivery: retrieves the decoy archive from the remote server to prepare user-facing content for the distraction phase.4Extracts \u201c*.pdf\u201d from the downloaded  \u201c$temp\\rar.zip\u201dDecoy preparation: unpacks the legitimate-looking document so it can be executed silently without requiring user interaction.6Opens extracted decoy document \u201c*.pdf\u201d with user\u2019s default softwareUser distraction: opens a convincing document to maintain user engagement and creates a legitimate workflow appearance to buy additional 30\u2013120 seconds for background operations.6Executes  \u201ctaskkill.exe /F /Im winrar.exe\u201dProcess concealment: terminates the archive extractor to prevent the user from seeing the archive contents or noticing unexpected file extraction activity.7Searches and deletes \u201crar.zip\u201d, \u201c*.pdf.zip\u201d and \u201c*.pdf.lnk\u201dAnti-forensic cleanup: removes the initial infection artifacts before activating the main payload, reducing the number of disk traces available for incident response or EDR correlation.8Executes  \u201c$temp\\fixed.ps1\u201dControlled execution: launches the main payload only after persistence is secured, the user is distracted, and access traces are cleaned up.\nFixed.ps1 (loader)\nThe primary purpose of the Fixed.ps1 script is to deliver and install subsequent malware onto the compromised system, specifically VBCloud and PowerShower. Fixed.ps1 establishes persistence (by adding itself to registry Run keys), creates a decoy for the user (by opening a PDF document), and executes the next stages of the attack.\nFixed.ps1::Payload (VBCloud dropper)\nExample of the fixed.ps1::Payload (VBCloud dropper)\nThis module functions as a dropper for the VBCloud backdoor. It drops two files onto the infected machine:\n\nvideo.vbs: the loader of the backdoor,VBCloud::Launcher. This is a VBScript that decrypts the contents of video.mds (typically using RC4 with a hardcoded key) and executes it in memory.\nvideo.mds: the encrypted body of the backdoor, VBCloud::Backdoor. This is the main module that connects to a C2 server to receive additional scripts or execute built-in commands. This backdoor is designed to function as a stealer, specifically targeting files with extensions of interest (such as DOC, PDF, XLS) and exfiltrating them.\n\nFixed.ps1::Payload (PowerShower)\nThis module installs a second backdoor called PowerShower on the system. We don\u2019t have the specific script that performs this installation, but we assume it\u2019s performed by a script similar to fixed.ps1::Payload (VBCloud dropper).\nUnlike VBCloud, which focuses on file theft, PowerShower is primarily used for network reconnaissance and lateral movement within the victim\u2019s infrastructure. PowerShower can perform the following tasks:\n\nCollect information about running processes, administrator groups, and domain controllers.\nDownload and execute PowerShell scripts from the C2 server.\nConduct \u201cKerberoasting\u201d attacks (stealing password hashes of Active Directory accounts).\nPowerShower is dropped onto the system via the path \u2018C:\\Users\\[username]\\Pictures\\googleearth.ps1\u2019.\nContents of the googleearth.ps1(PowerShower)\nPowerShower::Payload (credential grabber)\nPowerShower downloads an additional script for stealing credentials. It performs the following actions:\n\nCreates a Volume Shadow Copy of the C:\\ drive.\nCopies the SAM (stores local user password hashes) and SECURITY system files from this shadow copy to C:\\Users\\Public\\Documents\\, disguising them as PDF files.\nThe script is launched in several stages. To execute with high privileges, the script uses a UAC bypass technique via fodhelper.exe (a built-in Windows utility). This allows PowerShell to run as an administrator without directly prompting the user, which could otherwise raise suspicion.\nThe full launch chain looks like this:\nThe full Base64-decoded script is given below.\n\nMulti-user RDP by patching termsrv.dll\nMoving laterally across the victim\u2019s network, the attackers executed a suspicious PowerShell script named rdp_new.ps1 (MD5 1A11B26DD0261EF27A112CE8B361C247):\nThe script is designed to allow multiple RDP sessions in Windows 10 by patching the termsrv.dll file. Termsrv.dll is the core Windows library that enforces Remote Desktop Services rules.\nBy default, Windows limits the number of simultaneous RDP sessions. Removing this restriction allows attackers to operate on the machine in the background without disconnecting the legitimate user, thereby reducing the likelihood of detection.\nAt first, the script enables RDP on the firewall and downgrades the RDP security settings:\nBefore modifying termsrv.dll, the script takes ownership and assigns itself full permissions. Then the script finds the sequence of bytes 39 81 3C 06 00 00 ?? ?? ?? ?? ?? ?? and replaces it with B8 00 01 00 00 89 81 38 06 00 00 90. After these manipulations, the script restarts the RDP service.\nExample of script\nThe patched version allows multiple concurrent logins so attackers can stay connected without disrupting the legitimate user, thereby reducing suspicion.\nReverse SSH tunneling\nAs mentioned above, during this wave of attacks, the adversaries widely deployed reverse SSH tunnels to many hosts of interest. The compromised machine initiates an SSH connection to an attacker-controlled server, which allows attackers to bypass standard firewall rules via establishing outbound connections.\nThat way, even if the primary backdoor is discovered, the attackers can maintain control through the SSH tunnel.\nTo install a reverse SSH tunnel on a victim\u2019s host, the attackers run VBS scripts via PAExec or PsExec.\nWe\u2019ve seen three types of scripts:\n\nGen.vbs (WriteToSchedulerGenerateKey.vbs) generates key for SSH tunnel.\nRun.vbs (WriteToSchedulerRunSSH.vbs) runs reverse SSH tunnel.\nKill.vbs (WriteToSchedulerKillSSH.vbs) stops reverse SSH tunnel via taskkill.exe.\nTo achieve persistence, the attackers added a new scheduled task in Windows:\nIn some cases, before establishing a reverse SSH tunnel, attackers set new access permissions to the folder containing the private key to prevent the legitimate user or system administrators from easily accessing or modifying it:\n\nPatched OpenSSH\nSome OpenSSH binaries used by the attackers had their imports modified. Instead of libcrypto.dll, the SSH executable imports syruntime.dll, which was placed in the same folder as the binary. This was likely done to evade detection and ensure stealth.\nIn addition, we found a portable version of OpenSSH, presumably compiled by the adversaries:\n\nRevSocks\nIn addition to Reverse SSH tunnels, the attackers installed RevSocks using the same infrastructure. RevSocks is an alternative tool to SSH for establishing tunnels and proxy connections, written in Golang. This tool allows direct connection to workstations on the local network. It also allows attackers to gain access to other segments of the victim\u2019s network by using the machine as a gateway. In some cases, C2 addresses were hardcoded into the binary; in other cases, the C2 was passed in command line arguments.\nThere were also reverse SOCKS samples with hardcoded C2 addresses:\n\nTor tunneling\nTo maintain control over the compromised host, the Tor network was used in some cases. A minimal set of a Tor executable and configuration files, necessary for launching HiddenService, was copied to the system directories of infected devices. The name of the Tor Browser executable file was modified. As a result, the infected machine was accessible via RDP from the Tor network when accessing the generated .onion domain.Below is an example of a configuration file for routing connections from Tor to RDP ports on the local network, as well as example command lines for logging into Tor.\nExample of TOR configuration file\nPowerCloud\nWe analyzed a new Cloud Atlas tool, PowerCloud. It collects user data with administrator privileges and writes this information to Google Sheets in Base64 format.\nThe tool represents an obfuscated PowerShell script. In most cases, it is packaged into an executable file using the PS2EXE utility, but we have also encountered variants in the form of a separate PowerShell script.\nTo find administrators on the victim host, the tool executes the following command:\nThis information is appended with the computer name and current date, the data is encoded in base64, and then the collected data is added to an existing Google Sheet.\nPowerCloud script\nBrowser checker\nAdditionally, the attackers used another PowerShell script (MD5 5329F7BFF9D0D5DB28821B86C26D628F), compiled into an executable file via PS2EXE, which checks whether browser processes (Chrome, Edge, Firefox, and other) are running. This helps detect when the user is working on the computer. This can be used to choose the optimal time for conducting attacks (for example, when the user is away but their browser is still open) or simply to gather information about the victim\u2019s habits.\nThe information about running browsers is written to a log file on the local host.\nFragment of the deobfuscated script\nVictims\nAccording to our telemetry, in late 2025 and early 2026, the identified targets of the described malicious activities are located in Russia and Belarus. The targeted industries mostly include government agencies and diplomatic entities.\nWe attribute the activity described in this report to the Cloud Atlas APT group with a high degree of confidence. The group used techniques and tools described previously, such as the initial access vector, the Python script for information gathering, and the Tor application for forwarding ports to the Tor network. The victim profile and geography also matches the Cloud Atlas targets.\nWe couldn\u2019t help but notice some parallels with recent Head Mare activity. The PhantomHeart backdoor (available in Russian only), attributed to Head Mare and used to create an SSH tunnel, was placed in directories actively used by Cloud Atlas:\n\nC:\\Windows\\ime\nC:\\Windows\\System32\\ime\nC:\\Windows\\pla\nC:\\Windows\\inf\nC:\\Windows\\migration\nC:\\Windows\\System32\\timecontrolsvc\nC:\\Windows\\SKB\nHowever, TTPs are still differentiated.\nConclusion\nFor more than ten years, the Cloud Atlas group has continued its activities and expanded its arsenal. Over the course of last year, many targeted campaigns in general were found to employ ReverseSocks, SSH and Tor, and the use of these utilities was no exception for Cloud Atlas. Creating such backup control channels using publicly available utilities significantly complicates the complete disruption of attackers\u2019 actions on compromised systems. We will continue to closely monitor the group\u2019s activity and describe their new tools and techniques.\nIndicators of compromise\nPowerCloud\n7A95360B7E0EB5B107A3D231ABBC541A  C:\\Windows\\wininet.exeC0D1EAA15A2CEFBAB9735787575C8D8E C:\\Windows\\LiveKernelReports\\update.exeD5B38B252CF212A4A32763DE36732D40   C:\\Windows\\ime\\imejp\\dicts\\i39884.exe3C75CEDB1196DF5EAB91F31411ED4B33  C:\\pla\\reports.exe42AC350BFBC5B4EB0FEDBA16C81919C7   C:\\ProgramData\\update_[redacted].exe493B901D1B33EB577DB64AADD948F9CE  C:\\Windows\\migration\\wtr\\MicrosoftBrowser.exe2CABB721681455DAE1B6A26709DEF453  C:\\Windows\\pla\\reports\\winlog.exe1B39E86EB772A0E40060B672B7F574F1 C:\\Windows\\System32\\timecontrolsvc\\vmnetdrv64.exe1D401D6E6FC0B00AAA2C65A0AC0CFD6B C:\\Windows\\setup\\scripts\\install\\software\\activation\\aact\\dfsvc.exe40A562B8600F843B717BC5951B2E3C29  C:\\Windows\\branding\\scat.exeF721A76DEB28FD0B80D27FCE6B8F5016  C:\\Windows\\ime\\imekr\\dicts\\dfsvc.exeD3C8AFD22BAA306FF659DB1FAC28574A  C:\\ProgramData\\update_[redacted].exe6D7B2D1172BBDB7340972D844F6F0717 C:\\Users\\[redacted]\\AppData\\Local\\1c\\1cv8\\1cv8ud.exeC:\\Users\\[redacted]\\AppData\\Local\\1c\\1cv8\\svc.exe9769F43B9DE8D19E803263267FA6D62E C:\\Users\\[redacted]\\AppData\\Local\\1c\\1cv8\\1cv8ud.exe63B6BE9AE8D8024A40B200CCCB438F1D  C:\\Windows\\notepad.exe6AA586BCC45CA2E92A4F0EF47E086FA1  C:\\Windows\\splwow32.exeEBA3BCDB19A7E256BF8E2CC5B9C1CCA9   C:\\Users\\[redacted]\\Desktop\\soc\\stant.exeB4E183627B7399006C1BC47B3711E419  C:\\WINDOWS\\ime\\service.exeF56B31A4B47AD3365B18A7E922FBA1A8  dfsvc.exeF6F62456FB0FCC396FB654CBED339BC3   \u201325C8ED0511375DCA57EF136AC3FA0CCA   C:\\branding\\dwmw.exe\nBrowser checker\n5329F7BFF9D0D5DB28821B86C26D628F  C:\\ProgramData\\checker_[redacted].exe\nReverseSocks\n2B4BA4FACF8C299749771A3A4369782E  C:\\Windows\\PLA\\System\\bounce.exeC:\\Windows\\pla\\print_status.exeBA9CE06641067742F2AFC9691FAFF1DC   C:\\ProgramData\\hp\\client.exeFB0F8027ACF1B1E47E07A63D8812ED50   C:\\Windows\\System32\\timecontrolsvc\\vmnetdrv64.exeBBF1FA694122E07635DEEAC11AD712F8   C:\\Windows\\System32\\HostManagement.exeF301AA3D62B5095EEC4D8E34201A4769   C:\\Windows\\ime\\imejp\\msfu.exeF9C3BBE108566D1A6B070F9C5FB03160   C:\\Windows\\ime\\imetc\\help\\IMTCEN14.exe\nMalicious MS Office documents\n369B75BDCDED16469EDE7AB8BEDCFAE19EAAE9491F6A50D6DF0BE393734A44CB3E6E9DF00A764B348EC611EE8504ACA09BD788F285E32A05E6591D1EB36EBFFCF42085522EC2EBB16EDCF814E7C330AD2042EB5D52F0B535A1CE6B6F954C8C2B2AA1E9765EF6B00B94A9B6BE0041436A36120F5E9411BCBAC7104EF3FA964ED25000A353399500BC78381DC95B6ED2DC579A9952D31CAD801A3988DBE7914CE7867B634588C0FD6B26684D502C15AB0338FA4306FA4406BA31CF171AF4D36E3483EDDE9F7EEEFAC0363413972F35572BCC751619BFEC0DC4607C17112B9E3B2CA632858F14B36F03D0F213F5F5D6BFF2097CA205AD9E3B72018750280904718C69121C36EB8BF77962DCA825FCFFD873C5702EB250F855C8C872FFFB9BB656EDED34F5A136FBA4FDEA976570FAA33ED70577DB70844E88B32B954906E2F2079828ECF8FB6719E14231B94B4D37629B0E0857C84B62289A1A9F29E19244E9A4990C514E137860F489E3801213460EF93850568B1F9335A7E3BA4E5DF035A8FB867F776AD200287D6DE14A29158C45717951F7F794ED43FB90D0F8EBBB5EFFE628B8C753DD254509FBA5077FFD5067EAB0BC3739DEC8CD8F54F3F60A85F3ED600EEC076CD21C483A40156F4E40D08DADED216CB7F31D383C0DD892B284DF05A495116F59E70A9DF97F4ADAEA71EECB1E9A7242AC065B50BCDE9308756B49DBADCB8158552950D2E13B075001CE0C52AA97A75DBED984963B9AB21309C5B2F8FD9B0320DD389FDBAB25D46792BD2817675E5339D1A666F3E40FE756505CF1D87D4B67D7E3AEEB673BF60C59361C12A4ED8189572F0ED20791A5AC9FC4267D67CCB0B6AAE073E7BFEBF4D643C2BBEB5C02E1344CA9EA07CD4AC90EF27F8890D4EC05\nDomains and IPs\nReverse SSH/Socks domains\ntenkoff[.]orgcloudguide[.]ingoverru[.]comkufar[.]orgultimatecore[.]netspbnews[.]netonedrivesupport[.]net\nMalicious and compromised domains used in MS Office documents\namerikastaj[.]combigbang[.]mepaleturquoise-dragonfly-364512.hostingersite[.]comwizzifi[.]comtotallegacy[.]orgmamurjor[.]comlandscapeuganda[.]comlafortunaitalian.co[.]ukkommando[.]liveinternationalcommoditiesllc[.]comhumanitas[.]sifishingflytackle[.]comfirsai.tipshub[.]netalnakhlah.com[.]saallgoodsdirect.com[.]auagenciakharis.com[.]br\nPowershell payload staging\nistochnik[.]orgznews[.]netiinvestika-club[.]com194.102.104[.]20746.17.45[.]5646.17.45[.]4946.17.44[.]12546.17.44[.]212185.22.154[.]73194.87.196[.]163195.58.49[.]993.125.114[.]19393.125.114[.]5745.87.219[.]11637.228.129[.]224185.53.179[.]136185.126.239[.]775.181.21[.]75146.70.53[.]17145.15.65[.]134185.250.181[.]20781.30.105[.]71\nFile paths\nVBS scripts\nWriteToSchedulerKillSSH.vbsCreate_task_day.vbsWriteToSchedulerGenerateKey.vbsC:\\Windows\\INF\\Run.vbsc:\\Windows\\INF\\install.vbsUpdate.vbsc:\\Windows\\PLA\\System\\Gen.vbsC:\\Windows\\INF\\GenK.vbsc:\\Windows\\PLA\\System\\Kill.vbsc:\\Windows\\PLA\\System\\Run.vbs\nssh.exe\nc:\\Windows\\ime\\imejp\\Asset.exec:\\Windows\\PLA\\System\\conhosts.exec:\\Windows\\INF\\BITS\\esentprf.exec:\\Windows\\INF\\MSDTC\\RuntimeBrokers.exec:\\Windows\\inf\\diagnostic.exe\nReverseSocks\nC:\\Windows\\PLA\\System\\bounce.exeC:\\ProgramData\\hp\\client.exeC:\\Windows\\System32\\timecontrolsvc\\vmnetdrv64.exe\nTor client\nC:\\Windows\\Resources\\Update\\Intel.exeC:\\Windows\\INF\\package.exe \nsecurelist.com/cloud-atlas-202\u2026", "creation_timestamp": "2026-05-22T09:57:40.239984Z"}