Cloud Atlas APT Targets Russia and Belarus with New Tools and Techniques

Cloud Atlas APT Targets Russia and Belarus with New Tools and Techniques

First seen 23 May 2026, 11:25 UTC SecurelistTechnadumsrc.microsoft.com 90% similarity 75.5

Article Content

Browse articles
ThreatCluster

Cloud Atlas, an advanced persistent threat group, has intensified its cyberespionage activities against government and commercial entities in Russia and Belarus since late 2025. The group employs phishing emails containing ZIP archives with malicious LNK files to initiate attacks, exploiting CVE-2018-0802 to execute malicious PowerShell scripts. Recent investigations revealed the introduction of a new tool called PowerCloud, which collects user data and sends it to Google Sheets. Established tools like the VBCloud dropper and PowerShower backdoor are also utilized for persistence and reconnaissance. The attackers have been observed using SSH tunnels and other utilities to maintain control over compromised systems. The ongoing campaigns have primarily targeted government agencies and diplomatic entities, raising significant concerns about national security. As of May 2026, these activities are still active and evolving.

Key Points: • Cloud Atlas targets government and commercial sectors in Russia and Belarus. • Phishing emails with malicious LNK files are the primary attack vector. • New tool PowerCloud collects user data and sends it to Google Sheets.

ThreatCluster AI

Timeline

2025-11-03
CVE-2018-0802 added to CISA KEV
CISA added CVE-2018-0802, a vulnerability in Microsoft Office, to its Known Exploited Vulnerabilities catalog due to active exploitation.
Securelist
2025-12-01
Cloud Atlas uses VBShower backdoor
Kaspersky reported that Cloud Atlas began using the VBShower backdoor as a loader in their cyberespionage campaigns.
Technadu
2026-05-22
New tools identified in Cloud Atlas campaigns
Securelist reported the identification of new tools and techniques used by Cloud Atlas, including PowerCloud and updated malware payloads.
Securelist
2026-05-23
Ongoing cyberespionage activities reported
Technadu confirmed that Cloud Atlas continues to target Russian and Belarusian entities with sophisticated phishing and malware techniques.
Technadu

Community

Browse all →