VYPR research · Published May 22, 2026 · 1 source

Cloud Atlas APT Deploys VBCloud and PowerShower Backdoors in Ongoing Campaign Against Russian and Belarusian Targets

The Cloud Atlas advanced persistent threat group remains active into 2026, targeting government and commercial organizations in Russia and Belarus with new VBCloud and PowerShower backdoors delivered via phishing emails.

The Cloud Atlas advanced persistent threat (APT) group, active since at least 2014, continues to target government and commercial organizations in Russia and Belarus with a sophisticated multi-stage infection chain. In a report published by Securelist, researchers detail the group's use of new tools—VBCloud and PowerShower—alongside established techniques such as exploiting CVE-2018-0802 in Microsoft Office Equation Editor and leveraging third-party utilities like Tor, SSH, and RevSocks for backup command-and-control channels.

The initial infection vector remains phishing emails containing ZIP archives with LNK file attachments. When executed, the LNK file downloads and runs a PowerShell script that performs a carefully orchestrated sequence of actions. The script first drops a loader named `fixed.ps1` into the temporary folder and establishes persistence by adding a registry Run key disguised as "YandexBrowser_setup." It then downloads a decoy PDF archive, opens the PDF to distract the user, terminates the archive extractor (WinRAR) to conceal activity, and deletes initial infection artifacts to hinder forensic analysis. Finally, it executes the main payload.

The `fixed.ps1` loader delivers two distinct backdoors. The first, VBCloud, is a VBScript-based dropper that decrypts and executes an encrypted backdoor module (video.mds) in memory. VBCloud functions as a stealer, targeting files with extensions such as DOC, PDF, and XLS for exfiltration. The second backdoor, PowerShower, is installed via a similar mechanism and is primarily used for network reconnaissance and lateral movement. PowerShower can collect information about running processes, administrator groups, and domain controllers, download and execute arbitrary PowerShell scripts from the C2 server, and conduct Kerberoasting attacks to steal Active Directory password hashes.

PowerShower also downloads an additional credential-grabbing script that creates a Volume Shadow Copy of the C: drive, copies the SAM and SECURITY registry hives (disguised as PDF files), and uses a UAC bypass technique via `fodhelper.exe` to execute with elevated privileges without triggering a user prompt. The full execution chain involves multiple stages of PowerShell scripts, each designed to minimize detection and maximize persistence.

The group's use of third-party public utilities such as Tor, SSH, and RevSocks provides resilient backup communication channels, ensuring continued access even if primary C2 infrastructure is disrupted. This multi-layered approach to command-and-control, combined with anti-forensic cleanup and user distraction tactics, demonstrates a high level of operational maturity.

Organizations in Russia and Belarus, particularly government agencies and commercial enterprises, should review their email security policies and monitor for indicators of compromise associated with Cloud Atlas. The exploitation of CVE-2018-0802—a known vulnerability in Microsoft Office Equation Editor—underscores the importance of patching legacy software. Security teams are advised to enable PowerShell logging, monitor for suspicious registry modifications, and restrict the execution of LNK files from untrusted sources.
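The logging and registry-monitoring advice above, turned into a small checker; this is an added example, not code from the Securelist report or from Vypr. It runs three rules over constructed Sysmon-style registry-write events (the field layout, sample paths and rule names are assumptions): a script host registering a `.ps1` from a temp folder in a Run key, the `YandexBrowser_setup` value name used in the campaign, and any write to the per-user ms-settings handler key that `fodhelper.exe` reads.

```python
import re
# Constructed registry-write events in the field layout of Sysmon Event ID 13
# (RegistryEvent, value set), flattened to one line each. NOT real telemetry.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\YandexBrowser_setup "
    "Details=powershell.exe -w hidden -f C:\\Users\\u\\AppData\\Local\\Temp\\fixed.ps1",
    "EventID=13 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default) "
    "Details=powershell.exe -f C:\\Users\\u\\AppData\\Local\\Temp\\x.ps1",
    "EventID=13 Image=C:\\Program Files\\Yandex\\YandexBrowser\\browser.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\YandexBrowser "
    "Details=\"C:\\Program Files\\Yandex\\YandexBrowser\\browser.exe\" --background",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)
TEMP_PS1_RE = re.compile(r'\\Te?mp\\[^\s"]+\.ps1\b', re.I)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# Per-user handler key that fodhelper.exe consults; normal software never writes it.
FODHELPER_KEY = "\\software\\classes\\ms-settings\\shell\\open\\command"

def parse_event(line):
    return dict(FIELD_RE.findall(line))  # 'Field=value ...' line -> dict

def evaluate(event):
    """Return the names of the detection rules a registry-write event triggers."""
    hits = []
    if event.get("EventID") != "13":
        return hits
    image = event.get("Image", "").lower()
    target = event.get("TargetObject", "")
    run_value = RUN_VALUE_RE.search(target)
    if run_value:
        # Persistence: a script host autostarting a .ps1 dropped in a temp folder.
        if image.endswith(SCRIPT_HOSTS) and TEMP_PS1_RE.search(event.get("Details", "")):
            hits.append("run_key_temp_ps1_by_script_host")
        # The Run value name Cloud Atlas used to pose as a browser installer.
        if run_value.group(1).lower() == "yandexbrowser_setup":
            hits.append("run_key_name_yandexbrowser_setup")
    if FODHELPER_KEY in target.lower():
        hits.append("fodhelper_uac_bypass_key_write")
    return hits

def scan(lines):
    hits = ((i, evaluate(parse_event(line))) for i, line in enumerate(lines))
    return {i: h for i, h in hits if h}  # line index -> rules that fired
```

The third sample, a real browser registering its own Run value, fires nothing, which is the false-positive case the image and value-name checks are there to avoid.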

Synthesized by Vypr AI