The advanced persistent threat (APT) group known as Cloud Atlas has continued its sophisticated cyberespionage campaign throughout the first half of 2025, aggressively targeting organizations across Eastern Europe and Central Asia. This ongoing operation leverages critical vulnerabilities within outdated Microsoft Office software to deliver a multi-stage payload, ultimately enabling the group to establish persistent access and exfiltrate sensitive data. The group’s focus on exploiting well-known, yet unpatched, software highlights a persistent threat to organizations that delay security updates.
Cloud Atlas, an APT actor identified by security researchers since 2014, has demonstrated a consistent ability to refine its attack vectors and expand its technological capabilities. Evidence from the first half of 2025 indicates a coordinated effort to infiltrate high-value targets, employing a meticulously crafted infection chain that begins with deceptively simple phishing emails. These emails contain malicious documents, typically exploiting CVE-2018-0802, a vulnerability affecting the Microsoft Office Equation Editor component.
Infection Mechanism and Persistence Tactics of Cloud Atlas
According to analysis from Securelist, the initial infection vector involves users opening a Word document. This document contains a malicious template, served from attacker-controlled infrastructure, which then loads a rich text format (RTF) file. This RTF file carries an exploit for the Equation Editor vulnerability. Upon successful exploitation, the malware proceeds to download and execute an HTML Application file, marking the first stage of the infection chain. This initial payload is engineered to extract multiple Visual Basic Script (VBS) files onto the victim’s system.
These extracted VBS files lay the groundwork for the deployment of several backdoor implants. Prominent among these are VBShower, PowerShower, VBCloud, and CloudAtlas itself. Each component is designed to fulfill specific roles within the broader attack infrastructure, ranging from initial execution to advanced data exfiltration and command-and-control communication. The group’s operational security and technical sophistication are evident in the layered approach and the specialized functionalities of each malware component.
The VBShower backdoor serves as the primary launcher for subsequent payloads. It possesses the capability to execute downloaded VB scripts irrespective of their file size, offering flexibility to the attackers in deploying a variety of tools. Security researchers noted that VBShower frequently communicates with command servers to retrieve and execute additional scripts. These scripts can include specialized tools for exfiltrating files, enumerating system information, and harvesting credentials from compromised systems.
A critical component in Cloud Atlas’s operational framework is the VBCloud implant. This implant operates in conjunction with a launcher script, facilitating encrypted communication with the command server via cloud-based infrastructure. The launcher is designed to read encrypted payload data from local files, decrypt it using embedded RC4 keys, and then execute the decrypted content. Researchers highlighted that the use of the PRGA (pseudo-random generation algorithm) stage within the RC4 implementation is a technically nuanced choice, less common in typical malware, suggesting a higher degree of operational maturity and customization by the Cloud Atlas group.
To ensure long-term access, the malware employs Windows Task Scheduler for persistence. It creates scheduled tasks with names designed to mimic legitimate system services, such as “MicrosoftEdgeUpdateTask” and “MicrosoftVLCTaskMachine.” These tasks are configured to execute VBS scripts at regular intervals, ensuring that the malware remains active even after the system has been rebooted. File operations are carefully managed, leveraging directories like %Public% and %LOCALAPPDATA%. The malware establishes hidden infrastructure by using renamed files and encrypted payloads to avoid detection.
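The persistence pattern above (script-host tasks pointing at VBS files under %Public% or %LOCALAPPDATA%) can be triaged from a scheduled-task inventory. The following is an added example for defenders, not code from the report or the threat actor; the task records and file paths are constructed, and the task names echo those in the report only as sample data.

```python
import re
from dataclasses import dataclass

# Script hosts through which VBS/HTA stages would be launched from a scheduled task.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# User-writable staging directories named in the report, plus their expanded forms.
STAGING_DIRS = ("%public%", "%localappdata%", "\\users\\public\\", "\\appdata\\local\\")


@dataclass
class Task:
    name: str       # task name as shown in Task Scheduler
    path: str       # task folder, e.g. "\\" or "\\Microsoft\\Windows\\..."
    command: str    # action executable
    arguments: str  # action arguments


def suspicious_reasons(task: Task) -> list[str]:
    """Return the reasons a task looks like a script-based persistence mechanism.
    Task names alone are a weak signal (legitimate Edge updater tasks share the
    'MicrosoftEdgeUpdate' prefix), so the rules key on the action instead."""
    reasons = []
    exe = task.command.lower().rsplit("\\", 1)[-1]
    args = task.arguments.lower()
    if exe in SCRIPT_HOSTS and re.search(r"\.(vbs|vbe|js|hta)\b", args):
        reasons.append(f"{exe} launching a script file")
    if any(d in args or d in task.command.lower() for d in STAGING_DIRS):
        reasons.append("script stored under a user-writable staging directory")
    return reasons


def triage(tasks) -> dict[str, list[str]]:
    """Map task name -> reasons for every task that trips at least one rule."""
    return {t.name: r for t in tasks if (r := suspicious_reasons(t))}


# Constructed sample inventory (hypothetical paths; not observed artefacts).
SAMPLE_TASKS = [
    Task("MicrosoftEdgeUpdateTaskMachineCore", "\\",
         "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe", "/c"),
    Task("MicrosoftEdgeUpdateTask", "\\",
         "C:\\Windows\\System32\\wscript.exe", "//B %PUBLIC%\\Libraries\\upd.vbs"),
    Task("MicrosoftVLCTaskMachine", "\\",
         "C:\\Windows\\System32\\cscript.exe", "//E:vbscript %LOCALAPPDATA%\\vlc\\vlcupd.vbs"),
    Task("SystemSoundsService", "\\Microsoft\\Windows\\Multimedia",
         "%windir%\\system32\\sc.exe", "start Audiosrv"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```

Real inventories can be fed in from `schtasks /query /fo csv /v` or `Get-ScheduledTask` output mapped onto the `Task` fields.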
The final-stage backdoor, named CloudAtlas, establishes encrypted command channels by communicating through WebDAV protocols to cloud services, including platforms like OpenDrive. This method allows the malicious traffic to blend with legitimate cloud synchronization activities. The backdoor utilizes HTTP MKCOL methods to create directories and PROPFIND requests to retrieve payloads. Operators can deploy plugin modules to add specialized functionalities, such as file grabbing, password stealing from web browsers, and comprehensive system information collection. The FileGrabber plugin is particularly focused on documents with extensions like DOC, DOCX, XLS, XLSX, and PDF, while incorporating filters based on file size, modification date, and exclusion paths to optimize data collection.
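Because the backdoor's MKCOL and PROPFIND traffic is meant to blend with cloud synchronisation, a useful detection is to surface WebDAV verbs aimed at hosts outside the set of sanctioned endpoints and to note a create-then-poll sequence. The code below is an added defender-side example, not from the report; the log format, the allowlist host and the cloud hostname are all constructed for illustration.

```python
import re
from collections import defaultdict

# WebDAV verbs; MKCOL (create collection) and PROPFIND (enumerate) are the two the report names.
WEBDAV_METHODS = {"MKCOL", "PROPFIND", "PROPPATCH", "MOVE", "COPY", "LOCK", "UNLOCK"}
# Assumed allowlist of WebDAV endpoints the organisation sanctions (hypothetical host).
SANCTIONED_HOSTS = {"sharepoint.corp.example"}

# Constructed proxy log layout: timestamp src_ip method host path status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_webdav_beacons(lines):
    """Return {src: {"hosts", "methods", "mkcol_then_propfind"}} for sources that use
    WebDAV verbs against non-allowlisted hosts; the flag marks a MKCOL on a host
    followed later by a PROPFIND from the same source to that host."""
    hits = defaultdict(lambda: {"hosts": set(), "methods": set(), "mkcol_then_propfind": False})
    seen_mkcol = set()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] not in WEBDAV_METHODS or rec["host"] in SANCTIONED_HOSTS:
            continue
        key = (rec["src"], rec["host"])
        entry = hits[rec["src"]]
        entry["hosts"].add(rec["host"])
        entry["methods"].add(rec["method"])
        if rec["method"] == "MKCOL":
            seen_mkcol.add(key)
        elif rec["method"] == "PROPFIND" and key in seen_mkcol:
            entry["mkcol_then_propfind"] = True
    return dict(hits)


# Constructed sample log; hosts and addresses are invented.
SAMPLE_LOG = """\
2025-03-04T10:02:11Z 10.0.5.23 GET www.example.org /index.html 200
2025-03-04T10:02:40Z 10.0.5.23 MKCOL dav.cloud-example.net /u/a1b2/in 201
2025-03-04T10:03:10Z 10.0.5.23 PROPFIND dav.cloud-example.net /u/a1b2/in 207
2025-03-04T10:04:05Z 10.0.7.9 PROPFIND sharepoint.corp.example /sites/fin 207
2025-03-04T10:05:30Z 10.0.5.23 PROPFIND dav.cloud-example.net /u/a1b2/out 207
2025-03-04T10:06:00Z 10.0.9.4 PROPFIND dav.cloud-example.net /shared 207
"""

if __name__ == "__main__":
    for src, info in find_webdav_beacons(SAMPLE_LOG.splitlines()).items():
        print(src, sorted(info["hosts"]), sorted(info["methods"]), info["mkcol_then_propfind"])
```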
The current campaign has been observed targeting a diverse range of sectors, including telecommunications, construction, various government entities, and industrial facilities across Russia and Belarus. Organizations within these regions face a significant and evolving threat from Cloud Atlas’s multi-stage infection process and its potent post-exploitation capabilities. The continuous refinement of their tools and tactics indicates that Cloud Atlas will likely continue to adapt its methods, posing an ongoing challenge for cybersecurity defenses in the targeted regions.