Cloud Atlas APT Targets Russia and Belarus Government and Diplomatic Entities with PowerCloud Tool

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Targeted attack geographies: Cloud Atlas affects government and commercial entities in Russia and Belarus.
  • Initial infection vectors: Attackers utilize phishing emails containing LNK files and CVE-2018-0802 exploits.
  • Novel PowerCloud tool: The malware collects user data with administrator privileges and exfiltrates it directly to Google Sheets.

Researchers attributed a significant portion of the pervasive SSH-tunnel-based cyberespionage activity targeting Russia and Belarus to Cloud Atlas, an advanced persistent threat (APT) group tracked since 2014. In late 2025 and early 2026, its targets were primarily government agencies and diplomatic entities in these regions.

Infection Vectors and Established Toolsets

According to a Kaspersky report, Cloud Atlas breaches networks with phishing emails carrying ZIP archives that contain LNK files, and also with malicious documents that exploit CVE-2018-0802, a vulnerability in the Microsoft Office Equation Editor process.

Malware execution flow | Source: Kaspersky

Following the initial compromise, the threat actors deploy established tools such as the VBCloud dropper and the PowerShower backdoor for persistence and reconnaissance.

During recent investigations, Kaspersky researchers identified a new tool in the Cloud Atlas arsenal named PowerCloud. This utility collects user data using administrator privileges and writes the harvested information, Base64-encoded, to Google Sheets.
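As an added defender-side example (not from Kaspersky's report or the Cloud Atlas tooling), the following Python scans constructed EDR/proxy log lines for Base64-encoded writes to the Google Sheets API from non-browser processes, which is the pattern the PowerCloud description implies. The log format, the process allow-list and the spreadsheet ID are assumptions.

```python
import base64
import re

# Constructed EDR/proxy log lines for this example (not from Kaspersky's report):
# timestamp, process, method, url, body_sample (tab-separated).
_B64_SAMPLE = base64.b64encode(b"user=admin;host=WS01;domain=CORP;os=Windows 10").decode()
SAMPLE_LOG = "\n".join([
    f"2026-01-14T09:12:03Z\tpowershell.exe\tPOST\thttps://sheets.googleapis.com/v4/spreadsheets/EXAMPLE_ID/values/Sheet1!A1:append\t{_B64_SAMPLE}",
    "2026-01-14T09:12:09Z\tchrome.exe\tPOST\thttps://sheets.googleapis.com/v4/spreadsheets/EXAMPLE_ID/values/Sheet1!A1:append\t" + _B64_SAMPLE,
    "2026-01-14T09:13:44Z\tpowershell.exe\tGET\thttps://www.microsoft.com/en-us/\t",
    '2026-01-14T09:15:02Z\texcel.exe\tPUT\thttps://sheets.googleapis.com/v4/spreadsheets/EXAMPLE_ID/values/Sheet1!A1\t{"values":[["Q1","100"]]}',
])

# Google Sheets API v4 write endpoints: values/{range}:append (POST) and values/{range} (PUT).
SHEETS_WRITE = re.compile(r"^https://sheets\.googleapis\.com/v4/spreadsheets/[^/]+/values/[^?]+")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
# Processes that legitimately talk to the Sheets API (assumed allow-list; tune per environment).
KNOWN_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def looks_base64(payload: str) -> bool:
    """True if the body sample is one Base64 token of at least 32 chars that decodes cleanly."""
    if not B64_RE.match(payload):
        return False
    try:
        base64.b64decode(payload, validate=True)
        return True
    except ValueError:
        return False

def parse_line(line: str) -> dict:
    ts, proc, method, url, body = line.split("\t", 4)
    return {"ts": ts, "process": proc.lower(), "method": method, "url": url, "body": body}

def flag_sheets_exfil(log_text: str) -> list:
    """Return (timestamp, process, url) for Base64 writes to the Sheets API from non-browser processes."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec["method"] not in ("POST", "PUT") or not SHEETS_WRITE.match(rec["url"]):
            continue
        if rec["process"] in KNOWN_CLIENTS or not looks_base64(rec["body"]):
            continue
        hits.append((rec["ts"], rec["process"], rec["url"]))
    return hits

if __name__ == "__main__":
    for hit in flag_sheets_exfil(SAMPLE_LOG):
        print("suspicious Sheets write:", *hit)
```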

The group established redundant backup control channels using ReverseSocks, SSH, and Tor across many targeted campaigns over the previous year.

Head Mare Association

While Kaspersky noted specific infrastructure parallels between this campaign and recent Head Mare activity, such as the use of the PhantomHeart backdoor to create an SSH tunnel, researchers state that the underlying tactics, techniques, and procedures (TTPs) remain distinctly differentiated.

Kaspersky’s December 2025 analysis observed that the cyberespionage group started using the VBShower backdoor as the loader and VBCloud as a new module in their attacks.
