The Cloud Atlas threat group, active since 2014, continues to pose a significant risk to organizations in Eastern Europe and Central Asia through sophisticated attacks leveraging legacy Microsoft Office vulnerabilities.
Security researchers have documented the group’s expanded arsenal and evolving infection chains deployed throughout the first half of 2025, revealing previously undescribed implants and attack methodologies.
Cloud Atlas initiates attacks through carefully crafted phishing emails containing malicious Word documents (DOC/DOCX attachments).
Upon opening, these documents trigger a cascading infection chain that exploits CVE-2018-0802, a vulnerability in the Microsoft Office Equation Editor process.
This seven-year-old flaw remains effective, highlighting the persistent risk posed by unpatched legacy systems in enterprise environments.
The exploitation process is methodical and deliberately hidden. When victims open the malicious document, a remote template is downloaded and processed.
The document, formatted as an RTF file, contains the actual exploit code that downloads and executes an HTML Application (HTA) file.
The attacker employs time-based and IP-based access restrictions on malicious file servers, making forensic analysis difficult and limiting exposure of their infrastructure.
Multi-Layered Malware Infrastructure
The initial HTA file serves as a staging mechanism, extracting and creating multiple VBS files that constitute the VBShower backdoor the group’s primary initial access tool.
VBShower then orchestrates the deployment of three additional backdoors: PowerShower, VBCloud, and CloudAtlas. This modular approach provides flexibility and redundancy in maintaining persistent access.
The infection flow largely mirrors the group’s 2024 attack patterns, though with incremental improvements and modifications to file naming conventions and execution methods.
VBShower has been enhanced to execute downloaded VB scripts regardless of payload size, removing previous restrictions that checked file dimensions before execution.
New payload components reveal the group’s expanded surveillance capabilities. VBShower payload variants collect detailed process information, including creation timestamps, process names, and command-line arguments.
Additional payloads perform systematic checks against cloud services including Yandex WebDAV and others, documenting accessibility and HTTP responses to identify viable command-and-control channels.
The group deploys sophisticated file-grabbing mechanisms across multiple backdoors. FileGrabber components scan systems for documents modified within the last 30 days, excluding system directories and allowed file names.
File size restrictions (between 1KB and 3MB) help the attackers prioritize data collection while avoiding detection through excessive data transfers.
CloudAtlas: The Advanced Persistent Backdoor
The CloudAtlas backdoor represents the group’s most sophisticated component, utilizing DLL hijacking attacks against legitimate applications.
The backdoor leverages the VLC media player as an unwitting loader, disguising malicious libraries as legitimate plugins.
Communication occurs through WebDAV protocol to cloud services, with encrypted beacons containing system information, usernames, and volume data.
Detailed technical indicators, YARA rules, and additional threat intelligence are available through the Kaspersky Intelligence Reporting Service for enterprise customers.
CloudAtlas plugins provide targeted functionality: FileGrabber steals documents from local disks, removable media, and network resources; InfoCollector gathers system and network configuration details; PasswordStealer extracts credentials from Chromium-based browsers using the Chrome App-Bound Encryption Decryption utility; and the Common Plugin executes arbitrary commands including registry manipulation and remote file execution.
Active campaigns in early 2025 have targeted organizations in Russia and Belarus across diverse sectors including telecommunications, construction, government agencies, and manufacturing plants.
The group’s decade-long operational history demonstrates remarkable persistence and adaptability in evolving their attack methodologies while maintaining operational effectiveness against high-value targets.
The continued effectiveness of CVE-2018-0802 underscores the critical importance of legacy system patching and application hardening.
Organizations should implement Office macro restrictions, email filtering for phishing indicators, and behavioral monitoring for VBS script execution.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.