Pulse Detail — Threat Intelligence

PULSE NAME

Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

WHITE Inception Framework AlienVault 2026-05-22 Modified: 2026-05-25

115

IOCs

HIGH VOLUME

Cloud Atlas APT group targeted government organizations and commercial companies in Russia and Belarus during late 2025 and early 2026, employing phishing campaigns with malicious ZIP archives containing LNK shortcuts. The attackers deployed multiple backdoors including VBCloud for file theft and PowerShower for network reconnaissance. New tools identified include PowerCloud, which exfiltrates data to Google Sheets, and browser checker utilities. The group established persistence through reverse SSH tunnels, patched OpenSSH binaries, ReverseSocks, and Tor networking. Initial infection vectors included malicious shortcuts executing PowerShell scripts and exploiting CVE-2018-0802 in Microsoft Office. The attackers performed credential theft, RDP manipulation via termsrv.dll patching, and lateral movement across networks while maintaining multiple backup control channels.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1003.002 T1074.001 T1087.002 T1204.002 T1566.001 T1005 T1140 T1055 T1572 T1090 T1482 T1059.001 T1547.001 T1078 T1027 T1573 T1071.001 T1018 T1021.001 T1558.003

MALWARE FAMILIES

PowerCloud VBCloud PowerShower - S0441 ReverseSocks PhantomHeart ValleyRAT ABCDoor NetSupport RAT

Indicators of Compromise (69 / 115 total)

All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 IPv4 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	0320dd389fdbab25d46792bd2817675e	—	2026-05-22
FileHash-MD5	0577db70844e88b32b954906e2f20798	—	2026-05-22
FileHash-MD5	0857c84b62289a1a9f29e19244e9a499	—	2026-05-22
FileHash-MD5	097ca205ad9e3b72018750280904718c	—	2026-05-22
FileHash-MD5	0c514e137860f489e3801213460ef938	—	2026-05-22
FileHash-MD5	116f59e70a9df97f4adaea71eecb1e9a	—	2026-05-22
FileHash-MD5	1a11b26dd0261ef27a112ce8b361c247	—	2026-05-22
FileHash-MD5	1b39e86eb772a0e40060b672b7f574f1	—	2026-05-22
FileHash-MD5	1d401d6e6fc0b00aaa2c65a0ac0cfd6b	—	2026-05-22
FileHash-MD5	2042eb5d52f0b535a1ce6b6f954c8c2b	—	2026-05-22
FileHash-MD5	216cb7f31d383c0dd892b284df05a495	—	2026-05-22
FileHash-MD5	25c8ed0511375dca57ef136ac3fa0cca	—	2026-05-22
FileHash-MD5	28ecf8fb6719e14231b94b4d37629b0e	—	2026-05-22
FileHash-MD5	2aa1e9765ef6b00b94a9b6be0041436a	—	2026-05-22
FileHash-MD5	2b4ba4facf8c299749771a3a4369782e	—	2026-05-22
FileHash-MD5	2cabb721681455dae1b6a26709def453	—	2026-05-22
FileHash-MD5	344ca9ea07cd4ac90ef27f8890d4ec05	—	2026-05-22
FileHash-MD5	36120f5e9411bcbac7104ef3fa964ed2	—	2026-05-22
FileHash-MD5	369b75bdcded16469ede7ab8bedcfae1	—	2026-05-22
FileHash-MD5	38fa4306fa4406ba31cf171af4d36e34	—	2026-05-22
FileHash-MD5	3c75cedb1196df5eab91f31411ed4b33	—	2026-05-22
FileHash-MD5	3e6e9df00a764b348ec611ee8504aca0	—	2026-05-22
FileHash-MD5	40a562b8600f843b717bc5951b2e3c29	—	2026-05-22
FileHash-MD5	42ac350bfbc5b4eb0fedba16c81919c7	—	2026-05-22
FileHash-MD5	493b901d1b33eb577db64aadd948f9ce	—	2026-05-22
FileHash-MD5	5000a353399500bc78381dc95b6ed2dc	—	2026-05-22
FileHash-MD5	50568b1f9335a7e3ba4e5df035a8fb86	—	2026-05-22
FileHash-MD5	51f7f794ed43fb90d0f8ebbb5effe628	—	2026-05-22
FileHash-MD5	5329f7bff9d0d5db28821b86c26d628f	—	2026-05-22
FileHash-MD5	5339d1a666f3e40fe756505cf1d87d4b	—	2026-05-22
FileHash-MD5	579a9952d31cad801a3988dbe7914ce7	—	2026-05-22
FileHash-MD5	63b6be9ae8d8024a40b200cccb438f1d	—	2026-05-22
FileHash-MD5	67d7e3aeeb673bf60c59361c12a4ed81	—	2026-05-22
FileHash-MD5	69121c36eb8bf77962dca825fcffd873	—	2026-05-22
FileHash-MD5	6aa586bcc45ca2e92a4f0ef47e086fa1	—	2026-05-22
FileHash-MD5	6d7b2d1172bbdb7340972d844f6f0717	—	2026-05-22
FileHash-MD5	7242ac065b50bcde9308756b49dbadcb	—	2026-05-22
FileHash-MD5	7a95360b7e0eb5b107a3d231abbc541a	—	2026-05-22
FileHash-MD5	7f776ad200287d6de14a29158c457179	—	2026-05-22
FileHash-MD5	8158552950d2e13b075001ce0c52aa97	—	2026-05-22
FileHash-MD5	83edde9f7eeefac0363413972f35572b	—	2026-05-22
FileHash-MD5	867b634588c0fd6b26684d502c15ab03	—	2026-05-22
FileHash-MD5	89572f0ed20791a5ac9fc4267d67ccb0	—	2026-05-22
FileHash-MD5	9769f43b9de8d19e803263267fa6d62e	—	2026-05-22
FileHash-MD5	9bd788f285e32a05e6591d1eb36ebffc	—	2026-05-22
FileHash-MD5	9eaae9491f6a50d6df0be393734a44cb	—	2026-05-22
FileHash-MD5	a632858f14b36f03d0f213f5f5d6bff2	—	2026-05-22
FileHash-MD5	a75dbed984963b9ab21309c5b2f8fd9b	—	2026-05-22
FileHash-MD5	b4e183627b7399006c1bc47b3711e419	—	2026-05-22
FileHash-MD5	b6aae073e7bfebf4d643c2bbeb5c02e1	—	2026-05-22
FileHash-MD5	b8c753dd254509fba5077ffd5067eab0	—	2026-05-22
FileHash-MD5	ba9ce06641067742f2afc9691faff1dc	—	2026-05-22
FileHash-MD5	bbf1fa694122e07635deeac11ad712f8	—	2026-05-22
FileHash-MD5	bc3739dec8cd8f54f3f60a85f3ed600e	—	2026-05-22
FileHash-MD5	c0d1eaa15a2cefbab9735787575c8d8e	—	2026-05-22
FileHash-MD5	c5702eb250f855c8c872fffb9bb656ed	—	2026-05-22
FileHash-MD5	cc751619bfec0dc4607c17112b9e3b2c	—	2026-05-22
FileHash-MD5	d3c8afd22baa306ff659db1fac28574a	—	2026-05-22
FileHash-MD5	d5b38b252cf212a4a32763de36732d40	—	2026-05-22
FileHash-MD5	eba3bcdb19a7e256bf8e2cc5b9c1cca9	—	2026-05-22
FileHash-MD5	ec076cd21c483a40156f4e40d08daded	—	2026-05-22
FileHash-MD5	ed34f5a136fba4fdea976570faa33ed7	—	2026-05-22
FileHash-MD5	f301aa3d62b5095eec4d8e34201a4769	—	2026-05-22
FileHash-MD5	f42085522ec2ebb16edcf814e7c330ad	—	2026-05-22
FileHash-MD5	f56b31a4b47ad3365b18a7e922fba1a8	—	2026-05-22
FileHash-MD5	f6f62456fb0fcc396fb654cbed339bc3	—	2026-05-22
FileHash-MD5	f721a76deb28fd0b80d27fce6b8f5016	—	2026-05-22
FileHash-MD5	f9c3bbe108566d1a6b070f9c5fb03160	—	2026-05-22
FileHash-MD5	fb0f8027acf1b1e47e07a63d8812ed50	—	2026-05-22

References (1)

↗ https://securelist.com/cloud-atlas-2026/119895/