ClickCease Cloud Atlas Phishing Attacks: Russian Companies Beware

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Cloud Atlas Phishing Attacks: Russian Companies Beware

Wajahat Raja

January 12, 2024 - TuxCare expert team

The landscape of cybersecurity threats 2024 presents unprecedented challenges, requiring a proactive and adaptive approach to safeguard digital ecosystems. This brings us to a recent cyber espionage incident. The famous hacker group identified as Cloud Atlas has set its sights on a Russian agro-industrial enterprise and a state-owned research company. These findings shed light on a new wave of spear-phishing attacks, the Cloud Atlas phishing attacks that are rapidly impacting Russian organizations.

A Prolific Threat Actor

Cloud Atlas Phishing attacks on Russian organizations
have now, more than ever, surged in complexity and frequency. Cloud Atlas, also recognized by aliases such as Clean Ursa, Inception, Oxygen, and Red October, has been an active cyber espionage group since at least 2014. Operating with an unknown origin, the threat actor is infamous for its persistent campaigns targeting nations like Russia, Belarus, Azerbaijan, Turkey, and Slovenia.

Cloud Atlas Phishing Attacks – The Methodology

Advanced Persistent Threats (APTs)
continue to pose a formidable challenge in the cybersecurity landscape. In December 2022, a joint report from Check Point and Positive Technologies outlined the multi-stage attack sequences orchestrated by Cloud Atlas. The campaign led to the deployment of a PowerShell-based backdoor known as PowerShower and DLL payloads capable of communicating with a server controlled by the threat actor.

The initial point of entry for the Cloud Atlas cyber espionage is a phishing message containing a lure document exploiting CVE-2017-11882, a six-year-old memory corruption flaw in Microsoft Office’s Equation Editor. This flaw kick-starts the execution of malicious payloads, a technique Cloud Atlas has employed as early as October 2018.

Email phishing In Corporate Environments

Unlike many other intrusion sets, Cloud Atlas refrains from using open-source implants in its recent campaigns, aiming to be less discernible. Kaspersky noted in August 2019 that the group’s massive spear-phishing campaigns persistently use simple yet effective methods to compromise its targets.

F.A.C.C.T. described the latest kill chain as akin to the one detailed by Positive Technologies, with the successful exploitation of CVE-2017-11882 via RTF template injection paving the way for shellcode. This shellcode is responsible for downloading and running an obfuscated HTA file. Notably, the malicious emails originate from popular Russian email services like Yandex Mail and VK’s

Cloud Atlas Hacking Techniques

Positive Technologies remarked on Cloud Atlas’s longevity and careful planning, emphasizing that the group’s toolkit has remained consistent for years. The group employs one-time payload requests and validates them, attempting to conceal its malware from researchers. 

By leveraging legitimate cloud storage and well-documented software features, especially in Microsoft Office, Cloud Atlas evades detection by network and file attack tools. This highlights the need for organizations to prioritize strategies and technologies aimed at protecting against state-sponsored cyber attacks.

A Growing Concern

This revelation coincides with the acknowledgment that at least 20 organizations in Russia have fallen victim to Decoy Dog, a modified version of Pupy RAT. This compromise is attributed to an advanced persistent threat actor known as Hellhounds. The actively maintained malware enables remote control of infected hosts. It includes a scriptlet designed to transmit telemetry data to an “automated” account on Mastodon with the name “Lamir Hasabat” (@lahat) on the Mindly.Social instance.

Security researchers have highlighted the malware’s continuous evolution to impede detection and analysis, both in traffic and in the file system, following the publication of materials on the initial version of Decoy Dog. As you see, Russian companies cyber threats have become increasingly sophisticated, posing a growing challenge to cybersecurity efforts.


Cloud Atlas APT group
operates with a level of sophistication that sets it apart in the world of cyber threats. As the cybersecurity landscape continues to evolve, staying vigilant against sophisticated threats like Cloud Atlas becomes imperative. Organizations must prioritize proactive cybersecurity measures against phishing, such as patching vulnerabilities and implementing robust security protocols, to thwart the advances of cyber adversaries.

In the face of these emerging cyber threats, using robust cybersecurity measures is paramount. Organizations need to bolster their cybersecurity posture and fortify their defenses against evolving threats like the Cloud Atlas phishing attacks.

The sources for this piece include articles in The Hacker News and The Record

Cloud Atlas Phishing Attacks: Russian Companies Beware
Article Name
Cloud Atlas Phishing Attacks: Russian Companies Beware
Protect your organization from Cloud Atlas phishing attacks. Gain insights on recent cyber threats targeting Russian companies.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter