{ "type": "MD5", "indicator": "ec076cd21c483a40156f4e40d08daded", "general": { "sections": [ "general", "analysis" ], "type": "md5", "type_title": "FileHash-MD5", "indicator": "ec076cd21c483a40156f4e40d08daded", "validation": [], "base_indicator": { "id": 4372261516, "indicator": "ec076cd21c483a40156f4e40d08daded", "type": "FileHash-MD5", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6a105530af26afbd3752ab81", "name": "Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload", "description": "Cloud Atlas APT group targeted government organizations and commercial companies in Russia and Belarus during late 2025 and early 2026, employing phishing campaigns with malicious ZIP archives containing LNK shortcuts. The attackers deployed multiple backdoors including VBCloud for file theft and PowerShower for network reconnaissance. New tools identified include PowerCloud, which exfiltrates data to Google Sheets, and browser checker utilities. The group established persistence through reverse SSH tunnels, patched OpenSSH binaries, ReverseSocks, and Tor networking. Initial infection vectors included malicious shortcuts executing PowerShell scripts and exploiting CVE-2018-0802 in Microsoft Office. The attackers performed credential theft, RDP manipulation via termsrv.dll patching, and lateral movement across networks while maintaining multiple backup control channels.", "modified": "2026-05-25T09:47:41.792000", "created": "2026-05-22T13:08:00.327000", "tags": [ "vbcloud", "netsupport rat", "powershower", "reversesocks", "phantomheart", "valleyrat", "powercloud", "cloud atlas" ], "references": [ "https://securelist.com/cloud-atlas-2026/119895/" ], "public": 1, "adversary": "Inception Framework", "targeted_countries": [ "Belarus", "Russian Federation" ], "malware_families": [ { "id": "PowerCloud", "display_name": "PowerCloud", "target": null }, { "id": "VBCloud", "display_name": "VBCloud", "target": null }, { "id": "PowerShower - S0441", "display_name": "PowerShower - S0441", "target": null }, { "id": "ReverseSocks", "display_name": "ReverseSocks", "target": null }, { "id": "PhantomHeart", "display_name": "PhantomHeart", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "ABCDoor", "display_name": "ABCDoor", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null } ], "attack_ids": [ { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1558.003", "name": "Kerberoasting", "display_name": "T1558.003 - Kerberoasting" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 69, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "IPv4": 15, "domain": 23, "hostname": 1 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 386451, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6a13b8f328162aab88d30ffa", "name": "IOC - Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload", "description": "In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise.", "modified": "2026-05-25T02:50:27.951000", "created": "2026-05-25T02:50:27.951000", "tags": [ "browser checker", "reversesocks", "malicious ms", "office", "domains", "ips reverse", "sshsocks", "malicious", "ms office" ], "references": [ "https://securelist.com/cloud-atlas-2026/119895/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 68, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "IPv4": 19, "domain": 23, "hostname": 1 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "references": [ "https://securelist.com/cloud-atlas-2026/119895/" ], "related": { "alienvault": { "adversary": [ "Inception Framework" ], "malware_families": [ "Phantomheart", "Valleyrat", "Abcdoor", "Vbcloud", "Powershower - s0441", "Netsupport rat", "Powercloud", "Reversesocks" ], "industries": [ "Government" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6a105530af26afbd3752ab81", "name": "Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload", "description": "Cloud Atlas APT group targeted government organizations and commercial companies in Russia and Belarus during late 2025 and early 2026, employing phishing campaigns with malicious ZIP archives containing LNK shortcuts. The attackers deployed multiple backdoors including VBCloud for file theft and PowerShower for network reconnaissance. New tools identified include PowerCloud, which exfiltrates data to Google Sheets, and browser checker utilities. The group established persistence through reverse SSH tunnels, patched OpenSSH binaries, ReverseSocks, and Tor networking. Initial infection vectors included malicious shortcuts executing PowerShell scripts and exploiting CVE-2018-0802 in Microsoft Office. The attackers performed credential theft, RDP manipulation via termsrv.dll patching, and lateral movement across networks while maintaining multiple backup control channels.", "modified": "2026-05-25T09:47:41.792000", "created": "2026-05-22T13:08:00.327000", "tags": [ "vbcloud", "netsupport rat", "powershower", "reversesocks", "phantomheart", "valleyrat", "powercloud", "cloud atlas" ], "references": [ "https://securelist.com/cloud-atlas-2026/119895/" ], "public": 1, "adversary": "Inception Framework", "targeted_countries": [ "Belarus", "Russian Federation" ], "malware_families": [ { "id": "PowerCloud", "display_name": "PowerCloud", "target": null }, { "id": "VBCloud", "display_name": "VBCloud", "target": null }, { "id": "PowerShower - S0441", "display_name": "PowerShower - S0441", "target": null }, { "id": "ReverseSocks", "display_name": "ReverseSocks", "target": null }, { "id": "PhantomHeart", "display_name": "PhantomHeart", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "ABCDoor", "display_name": "ABCDoor", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null } ], "attack_ids": [ { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1558.003", "name": "Kerberoasting", "display_name": "T1558.003 - Kerberoasting" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 69, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "IPv4": 15, "domain": 23, "hostname": 1 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 386451, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6a13b8f328162aab88d30ffa", "name": "IOC - Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload", "description": "In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise.", "modified": "2026-05-25T02:50:27.951000", "created": "2026-05-25T02:50:27.951000", "tags": [ "browser checker", "reversesocks", "malicious ms", "office", "domains", "ips reverse", "sshsocks", "malicious", "ms office" ], "references": [ "https://securelist.com/cloud-atlas-2026/119895/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 68, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "IPv4": 19, "domain": 23, "hostname": 1 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ec076cd21c483a40156f4e40d08daded", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "ec076cd21c483a40156f4e40d08daded", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780173739.047933 }