PULSE NAME
IOC - Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload
WHITE celestre 2026-05-25 Modified: 2026-05-25
115 IOCs
HIGH VOLUME
In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise.
Indicators of Compromise (2 / 115 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-SHA1 | 51eed154b4cd5e949a709a26da673d925cabe1be | SHA1 of f6f62456fb0fcc396fb654cbed339bc3 | 2026-05-25
FileHash-SHA1 | a1e11a22eb07047a94de9a59a589178cbc78e1da | SHA1 of fb0f8027acf1b1e47e07a63d8812ed50 | 2026-05-25