top of page
  • Clipeus

Cloud Atlas Targets Russia

According to the Russian cybersecurity company F.A.C.C.T. (a spinout of the Singapore-based Group-IB), Russian agro-industrial and state-owned research organizations have been targeted in a phishing scheme presenting the following characteristics:

  • Leveraging popular Russian email providers for registration of phishing email addresses, including yandex[.]ru and mail[.]ru.

  • Malicious attachments included rich text format (RTF) files presenting lure themes consistent with the military recruitment and the Special Volunteer Organization involved in supplying manpower for the Russian invasion of Ukraine.

  • The phishing emails present exploits downloading and executing a malicious HTML application (HTA). The latter is responsible for enabling exploitation of CVE-2017-11822, an old Microsoft Office vulnerability which enables a potential malicious attacker to download arbitrary files to the compromised machine without further user interaction. The same vulnerability has been recently reported in connection to distribution of the Agent Tesla trojan

  • The HTA downloads from a remote server malicious visual basic scripts.

  • The attack enables typical espionage-like capabilities including keylogging and data exfiltration based on prior reports concerning Cloud Atlas.

Cloud Atlas has been active since 2014 and is an advanced persistent threat (APT) consistent with a polymorphous malware that has been historically employed to target government and financial organizations in Russia, Belarus, Turkey, Azerbaijan and Slovenia. However, there have been reports of events across North Africa, Middle East, Asia and the United States as well. Cloud Atlas is generally presented as a non-state-sponsored APT. However, the modus operandi and the victimology may be linked to an unknown government.


Commenting has been turned off.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to with your inquiry. We would be glad to assist you

bottom of page