Kaspersky researchers detail new tools and techniques used by the Cloud Atlas APT group in late 2025 and early 2026 against government agencies and diplomatic entities in Russia and Belarus. Initial access is phishing: ZIP archives containing LNK shortcuts that execute PowerShell scripts, which deploy two backdoors, VBCloud (a file stealer written in VBScript and stored RC4-encrypted) and PowerShower (used for network reconnaissance, lateral movement, and Kerberoasting). New tools include PowerCloud, which collects data on administrative users and exfiltrates it, Base64-encoded, to Google Sheets, and a browser-checker script that monitors victim activity. For persistence and stealth, the attackers set up reverse SSH tunnels through patched OpenSSH binaries, RevSocks (a Go-based SOCKS proxy), and Tor hidden services exposing RDP. Lateral movement includes patching termsrv.dll so that multiple RDP sessions can run concurrently, and a UAC bypass via fodhelper.exe that precedes credential dumping. Indicators of compromise (file hashes, domains, and IP addresses) are provided in the report.
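The phishing chain above (a ZIP archive carrying an LNK shortcut that launches PowerShell) is something a mail gateway or sandbox can triage before the shortcut is ever clicked. The script below is an added example written for this page, not code from Kaspersky or from the Cloud Atlas toolset; it identifies LNK members by their fixed header (HeaderSize 0x4C and the Shell Link CLSID from MS-SHLLINK) rather than by extension, pulls ASCII and UTF-16LE strings from each one, and flags PowerShell launch tokens. The sample archive it builds is constructed for the demonstration and is not a real Cloud Atlas lure; the indicator list is an assumption chosen to match common hidden-window PowerShell invocations.

```python
import io
import re
import struct
import uuid
import zipfile

# Shell Link (.lnk) header: HeaderSize is always 0x4C and LinkCLSID is
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK section 2.1).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le

# Assumed tokens a PowerShell-launching shortcut typically carries in its
# command line or arguments. Matched case-insensitively.
INDICATORS = (
    "powershell", "pwsh", "-enc", "-encodedcommand", "-w hidden",
    "-windowstyle hidden", "-ep bypass", "-executionpolicy bypass",
    "iex", "invoke-expression", "downloadstring", "frombase64string",
)

_ASCII = re.compile(rb"[\x20-\x7e]{6,}")
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a valid Shell Link header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def extract_strings(data: bytes) -> list[str]:
    """Printable ASCII and UTF-16LE runs (LNK string data is UTF-16LE)."""
    out = [m.group().decode("ascii") for m in _ASCII.finditer(data)]
    out += [m.group().decode("utf-16le") for m in _UTF16.finditer(data)]
    return out


def indicators_in(strings: list[str]) -> list[str]:
    """Which INDICATORS occur anywhere in the extracted strings."""
    blob = "\n".join(strings).lower()
    return [tok for tok in INDICATORS if tok in blob]


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Inspect every ZIP member; flag LNK files and the PowerShell tokens
    their strings carry. Detection is by content, so a shortcut renamed
    to hide its .lnk extension is still caught."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            lnk = is_lnk(data)
            hits = indicators_in(extract_strings(data)) if lnk else []
            verdict = "suspicious" if lnk and hits else ("lnk" if lnk else "clean")
            findings.append({
                "name": info.filename,
                "is_lnk": lnk,
                "indicators": hits,
                "verdict": verdict,
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed test input, not a real sample: a minimal LNK header
    followed by a UTF-16LE command line, plus a harmless text decoy."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    cmd = "powershell.exe -w hidden -ep bypass -enc SQBFAFgA".encode("utf-16le")
    fake_lnk = header + cmd
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

Checking the header instead of the filename matters because double extensions such as `Invitation.pdf.lnk` are the norm in this kind of lure and Explorer hides the `.lnk` part; a full parser of the LNK StringData fields would give exact arguments, but string carving is enough to raise the verdict at the gateway.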

From securelist.com (11 min read)