Cloud Atlas Hacker Group Exploiting Office Vulnerabilities to Execute Malicious Code

The Cloud Atlas advanced persistent threat group has continued its sophisticated campaign targeting organizations across Eastern Europe and Central Asia during the first half of 2025, leveraging outdated Microsoft Office vulnerabilities to deliver multiple backdoor implants.

This campaign reveals a coordinated effort to establish persistent access and extract sensitive data from high-value targets.

Cloud Atlas, a known threat actor since 2014, has demonstrated persistent operational activity by refining its attack methodology and expanding its toolkit.

The group’s attack chain typically begins with phishing emails containing malicious documents that exploit CVE-2018-0802, a vulnerability in the Microsoft Office Equation Editor.

Once a victim opens the compromised file, a series of malware components are downloaded and executed in a carefully orchestrated infection chain.

Malicious template with the exploit loaded by Word when opening the document (Source - Securelist)

Securelist analysts identified that the infection process begins when users open a Word document containing a malicious template delivered from attacker-controlled servers.

The document loads an RTF file featuring an exploit for the Equation Editor, which then downloads and executes an HTML Application file.

This initial payload extracts multiple VBS files on the target system, establishing the foundation for deploying additional backdoors including VBShower, PowerShower, VBCloud, and CloudAtlas. Each component serves specific functions within the overall attack infrastructure.

The threat group’s arsenal demonstrates significant sophistication in evasion and persistence techniques.

The VBShower backdoor, which operates as the primary launcher component, can execute downloaded VB scripts regardless of file size, allowing operators to flexibly deploy various payloads.

Securelist researchers noted that the backdoor communicates with command servers to retrieve and execute additional scripts, including specialized tools designed for file exfiltration, system enumeration, and credential harvesting.

Infection Mechanism and Persistence Tactics

The VBCloud implant represents a critical component in Cloud Atlas’s operational capability. Operating alongside a launcher script, VBCloud maintains encrypted communication with the command server through cloud-based infrastructure.

The launcher reads encrypted payload data from local files, applies RC4 decryption with embedded keys, and executes the decrypted content.

Malware execution flow (Source - Securelist)

Notably, this implementation uses the PRGA (pseudo-random generation algorithm) stage of RC4, a technical choice relatively uncommon in malware, suggesting a higher level of operational maturity.

The persistence mechanism incorporates Windows Task Scheduler to maintain access across system reboots.

The malware creates scheduled tasks with names mimicking legitimate system services such as “MicrosoftEdgeUpdateTask” and “MicrosoftVLCTaskMachine”.

These tasks execute VBS scripts at regular intervals, ensuring the malware remains operational even after system restarts.

File operations involve careful use of the %Public% and %LOCALAPPDATA% directories, with the malware establishing hidden infrastructure through renamed files and encrypted payloads.
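As an added illustration (not code from the Securelist report), the following Python triage helper applies the persistence indicators above to the CSV produced by `schtasks /query /fo CSV /v`: the two task names quoted in the article, a script host launching a .vbs file, and actions that run from %Public% or %LOCALAPPDATA%. The sample CSV is constructed; the OneDrive row is there to show that the staging-directory check alone is a weak signal and should only raise a task's score, not condemn it.

```python
import csv
import io
import re

# Task names the article reports the campaign using to blend in with
# legitimate software; defenders can extend this set.
SUSPECT_TASK_NAMES = {"MicrosoftEdgeUpdateTask", "MicrosoftVLCTaskMachine"}

# Script hosts (wscript/cscript run VBS, mshta runs HTA files) and the
# user-writable staging directories the article mentions.
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta)(\.exe)?\b", re.IGNORECASE)
VBS_EXT = re.compile(r"\.vbs\b", re.IGNORECASE)
STAGING_DIRS = re.compile(
    r"(%public%|%localappdata%|\\users\\public\\|\\appdata\\local\\)", re.IGNORECASE
)

# Constructed sample of `schtasks /query /fo CSV /v` output, trimmed to the
# columns this helper reads. Row 2 mimics the reported persistence task.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$"
"WS01","\MicrosoftEdgeUpdateTask","wscript.exe //B %PUBLIC%\Libraries\update.vbs"
"WS01","\OneDrive Standalone Update Task","%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"
'''


def triage_scheduled_tasks(csv_text):
    """Return a list of {'name', 'score', 'reasons'} dicts for tasks matching at
    least one indicator. 'score' is the number of indicators hit; a lone
    staging-directory hit (score 1) is common for legitimate per-user updaters."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "").strip()
        action = row.get("Task To Run", "")
        reasons = []
        if name.rsplit("\\", 1)[-1] in SUSPECT_TASK_NAMES:
            reasons.append("task name reported in the Cloud Atlas campaign")
        if SCRIPT_HOSTS.search(action) and VBS_EXT.search(action):
            reasons.append("script host launching a .vbs file")
        if STAGING_DIRS.search(action):
            reasons.append("action runs from %Public% or %LOCALAPPDATA%")
        if reasons:
            findings.append({"name": name, "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in triage_scheduled_tasks(SAMPLE_SCHTASKS_CSV):
        print(finding["score"], finding["name"], "; ".join(finding["reasons"]))
```

On a live host, feed the real output of `schtasks /query /fo CSV /v` into `triage_scheduled_tasks` and review anything with a score of 2 or more first.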

CloudAtlas, the final-stage backdoor, communicates through WebDAV protocols to cloud services including OpenDrive, establishing encrypted command channels that blend with legitimate cloud traffic.

The backdoor creates directories using HTTP MKCOL methods and retrieves payloads through PROPFIND requests.

Operators can deploy plugin modules for specialized functions, including file grabbing, password stealing from browsers, and system information collection.

The FileGrabber plugin targets documents with specific extensions such as DOC, DOCX, XLS, XLSX, and PDF, while filtering files based on size, modification date, and path exclusions.

The campaign demonstrates targeting of diverse sectors including telecommunications, construction, government entities, and industrial facilities throughout Russia and Belarus.

Organizations face significant risk from this sophisticated threat group’s multi-staged infection process and powerful post-exploitation capabilities.
