Skip to main content
Emerging ThreatsMalware & Ransomware

Cloud Atlas Expands Arsenal with New Tools, Payloads

Person sitting at desk with laptop, papers, and office supplies, with files spilling from nearby cabinet.

CVE-2018-0802 — an old Microsoft Office Equation Editor vulnerability — remains part of Cloud Atlas’s toolkit even as the group returns to distributing ZIP archives with malicious LNK shortcuts that launch PowerShell, researchers report.

Malicious shortcuts and the LNK→PowerShell execution chain

The observed campaigns used phishing emails that delivered ZIP archives containing LNK shortcut files. Those LNK files executed PowerShell scripts hosted on external resources. The downloaded PowerShell pre-stages a local loader (“$temp\fixed.ps1”), creates a Run registry key named "YandexBrowser_setup" to guarantee startup, and retrieves a decoy archive (“$temp\rar.zip”). The script extracts a legitimate-looking PDF from that archive and opens it to distract the user for 30–120 seconds, kills the extractor process (taskkill.exe /F /Im winrar.exe), removes initial artifacts such as rar.zip and “*.pdf.lnk”, and then executes the main payload only after persistence and cleanup are secured.

VBCloud and PowerShower: theft and network reconnaissance

Fixed.ps1 functions as a loader for two distinct follow-on payloads. The VBCloud dropper installs two files: video.vbs (a loader) and video.mds (the encrypted backdoor body). The VBCloud backdoor decrypts video.mds—typically with RC4 and a hardcoded key—and runs in memory as a stealer focused on file types of interest such as DOC, PDF and XLS for exfiltration.

The second payload, PowerShower, is used for network reconnaissance and lateral movement. PowerShower can collect running processes, enumerate administrator groups and domain controllers, download and execute PowerShell scripts from a command-and-control server, and perform “Kerberoasting” attacks to steal Active Directory password hashes. PowerShower is dropped to the path C:\Users\[username]\Pictures\googleearth.ps1.

PowerShower also drops a credential-grabbing script that creates a Volume Shadow Copy of C:, copies the SAM and SECURITY files from the shadow copy into C:\Users\Public\Documents\ disguised as PDF files, and escalates to high privileges via a UAC bypass using fodhelper.exe.

Reverse SSH, RevSocks and Tor: layered backup channels

Cloud Atlas widely deployed reverse SSH tunnels in this wave. Compromised hosts initiated outbound SSH connections to attacker-controlled servers, allowing operators to bypass firewall restrictions by creating persistent outbound channels. Attackers used VBS scripts (WriteToSchedulerGenerateKey.vbs, WriteToSchedulerRunSSH.vbs and WriteToSchedulerKillSSH.vbs), executed via PAExec or PsExec, to generate keys, run tunnels, and shut them down. They also added scheduled tasks to achieve persistence and sometimes set restrictive permissions on folders containing private keys.

In addition to SSH, the group installed RevSocks — a Golang-based reverse SOCKS tool — sometimes with hardcoded C2 addresses, and used a minimal Tor client with HiddenService configuration to expose infected machines as .onion RDP endpoints. Some OpenSSH binaries observed by researchers were modified to import syruntime.dll rather than libcrypto.dll, and a portable OpenSSH appeared to have been compiled by the actors.

RDP persistence: termsrv.dll patching and multi-user connections

To facilitate undetected remote access, the attackers executed a PowerShell script named rdp_new.ps1 to allow multiple concurrent RDP sessions. The script enables RDP in the firewall, downgrades RDP security settings, takes ownership of termsrv.dll and assigns full permissions, then searches for a specific byte sequence and replaces it to remove session limits before restarting the RDP service. The result is a patched RDP service that permits concurrent logins so attackers can remain connected without disconnecting the legitimate user.

What this means for technologists, policymakers, and diplomatic missions

  • Technologists and security teams: Expect multilayered persistence and backup channels — LNK-staged PowerShell loaders, binaries placed in system-like paths (for example C:\Windows\ime or C:\Windows\PLA\System), and alternate tunnels (reverse SSH, RevSocks, Tor). Investigations should look for scheduled tasks that run VBS scripts, unusual Run registry entries such as "YandexBrowser_setup", and artifacts associated with fixed.ps1, video.vbs/video.mds and googleearth.ps1.
  • Policymakers and procurement leaders: The group’s use of publicly available utilities (SSH, RevSocks, Tor) and modified portable binaries illustrates how dual-use tools can provide resilient command-and-control. This complicates efforts to fully disrupt an intrusion because attackers can fall back to benign-appearing network traffic to maintain access.
  • Diplomatic missions and government organizations: According to telemetry, targets in late 2025 and early 2026 were located in Russia and Belarus and included government agencies and diplomatic entities. The combination of data-stealing backdoors (VBCloud), credential harvesting via Volume Shadow Copies, and lateral-movement tooling (PowerShower and RDP patching) raises the likelihood of both exfiltration and long-term footholds.

Researchers attribute the activity to Cloud Atlas with a high degree of confidence, noting continuity with tactics used since 2014 and parallels with other activity such as Head Mare’s PhantomHeart placement in similar directories, while also stressing that TTPs remain differentiated. The group’s layered approach — decoy documents, local persistence, in-memory backdoors, and multiple tunneling mechanisms — increases the operational resilience of intrusions and makes full remediation more difficult.

Read the original report: https://securelist.com/cloud-atlas-2026/119895/