In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014 . During our investigation, we identified new tools used by this group, as well as indicators of compromise. The group is back to sending out archives containing malicious shortcuts that launch PowerShell scripts. This technique is employed in addition to the previously described use of malicious documents, which exploit an old vulnerability in the Microsoft Office Equation Editor process ( CVE-2018-0802 ) to download and execute malicious code. We have observed the use of third-party public utilities (Tor/SSH/RevSocks) to gain a foothold in infected systems and create additional backup control channels. Technical details Initial infection As for the primary compromise, Cloud Atlas remains consistent in using phishing. In the observed campaigns, the attackers emailed a ZIP archive containing an LNK file as an attachment. Malware execution flow Attackers use LNK shortcuts to covertly execute PowerShell scripts hosted on external resources. The command line of the shortcut: Example of the PowerShell script downloaded and executed by the shortcut: Example of the PowerShell script downloaded by the shortcut Actions performed by the downloaded PowerShell: Step Action Description 1 Drops “$temp\fixed.ps1” Pre-staging: places the main payload locally in advance to ensure an execution capability independent of subsequent network connectivity or C2 availability. 2 Creates “Run” registry key “YandexBrowser_setup” for “$temp\fixed.ps1” startup Early persistence: guarantees execution upon the next logon or reboot. If the script is interrupted during later stages, the payload will still activate automatically. 3 Downloads and drops “$temp\rar.zip” Extracts “*.pdf” from the downloaded “$temp\rar.zip” Payload delivery: retrieves the decoy archive from the remote server to prepare user-facing content for the distraction phase. 4 Extracts “*.pdf” from the downloaded “$temp\rar.zip” Decoy preparation: unpacks the legitimate-looking document so it can be executed silently without requiring user interaction. 6 Opens extracted decoy document “*.pdf” with user’s default software User distraction: opens a convincing document to maintain user engagement and creates a legitimate workflow appearance to buy additional 30–120 seconds for background operations. 6 Executes “taskkill.exe /F /Im winrar.exe” Process concealment: terminates the archive extractor to prevent the user from seeing the archive contents or noticing unexpected file extraction activity. 7 Searches and deletes “rar.zip”, “*.pdf.zip” and “*.pdf.lnk” Anti-forensic cleanup: removes the initial infection artifacts before activating the main payload, reducing the number of disk traces available for incident response or EDR correlation. 8 Executes “$temp\fixed.ps1” Controlled execution: launches the main payload only after persistence is secured, the user is distracted, and access traces are cleaned up. Fixed.ps1 (loader) The primary purpose of the Fixed.ps1 script is to deliver and install subsequent malware onto the compromised system, specifically VBCloud and PowerShower. Fixed.ps1 establishes persistence (by adding itself to registry Run keys), creates a decoy for the user (by opening a PDF document), and executes the next stages of the attack. Fixed.ps1::Payload (VBCloud dropper) Example of the fixed.ps1::Payload (VBCloud dropper) This module functions as a dropper for the VBCloud backdoor. It drops two files onto the infected machine: video.vbs: the loader of the backdoor,VBCloud::Launcher. This is a VBScript that decrypts the contents of video.mds (typically using RC4 with a hardcoded key) and executes it in memory. video.mds: the encrypted body of the backdoor, VBCloud::Backdoor. This is the main module that connects to a C2 server to receive additional scripts or execute built-in commands. This backdoor is designed to function as a stealer, specifically targeting files with extensions of interest (such as DOC, PDF, XLS) and exfiltrating them. Fixed.ps1::Payload (PowerShower) This module installs a second backdoor called PowerShower on the system. We don’t have the specific script that performs this installation, but we assume it’s performed by a script similar to fixed.ps1::Payload (VBCloud dropper). Unlike VBCloud, which focuses on file theft, PowerShower is primarily used for network reconnaissance and lateral movement within the victim’s infrastructure. PowerShower can perform the following tasks : Collect information about running processes, administrator groups, and domain controllers. Download and execute PowerShell scripts from the C2 server. Conduct “Kerberoasting” attacks (stealing password hashes of Active Directory accounts). PowerShower is dropped onto the system via the path ‘C:\Users\[username]\Pictures\googleearth.ps1’. Contents of the googleearth.ps1(PowerShower) PowerShower::Payload (credential grabber) PowerShower downloads an additional script for stealing credentials. It performs the following actions: Creates a Volume Shadow Copy of the C:\ drive. Copies the SAM (stores local user password hashes) and SECURITY system files from this shadow copy to C:\Users\Public\Documents\, disguising them as PDF files. The script is launched in several stages. To execute with high privileges, the script uses a UAC bypass technique via fodhelper.exe (a built-in Windows utility). This allows PowerShell to run as an administrator without directly prompting the user, which could otherwise raise suspicion. The full launch chain looks like this: The full Base64-decoded script is given below. Multi-user RDP by patching termsrv.dll Moving laterally across the victim’s network, the attackers executed a suspicious PowerShell script named rdp_new.ps1 (MD5 1A11B26DD0261EF27A112CE8B361C247): The script is designed to allow multiple RDP sessions in Windows 10 by patching the termsrv.dll file. Termsrv.dll is the core Windows library that enforces Remote Desktop Services rules. By default, Windows limits the number of simultaneous RDP sessions. Removing this restriction allows attackers to operate on the machine in the background without disconnecting the legitimate user, thereby reducing the likelihood of detection. At first, the script enables RDP on the firewall and downgrades the RDP security settings: Before modifying termsrv.dll, the script takes ownership and assigns itself full permissions. Then the script finds the sequence of bytes 39 81 3C 06 00 00 ?? ?? ?? ?? ?? ?? and replaces it with B8 00 01 00 00 89 81 38 06 00 00 90 . After these manipulations, the script restarts the RDP service. Example of script The patched version allows multiple concurrent logins so attackers can stay connected without disrupting the legitimate user, thereby reducing suspicion. Reverse SSH tunneling As mentioned above, during this wave of attacks, the adversaries widely deployed reverse SSH tunnels to many hosts of interest. The compromised machine initiates an SSH connection to an attacker-controlled server, which allows attackers to bypass standard firewall rules via establishing outbound connections. That way, even if the primary backdoor is discovered, the attackers can maintain control through the SSH tunnel. To install a reverse SSH tunnel on a victim’s host, the attackers run VBS scripts via PAExec or PsExec. We’ve seen three types of scripts: Gen.vbs (WriteToSchedulerGenerateKey.vbs) generates key for SSH tunnel. Run.vbs (WriteToSchedulerRunSSH.vbs) runs reverse SSH tunnel. Kill.vbs (WriteToSchedulerKillSSH.vbs) stops reverse SSH tunnel via taskkill.exe. To achieve persistence, the attackers added a new scheduled task in Windows: In some cases, before establishing a reverse SSH tunnel, attackers set new access permissions to the folder containing the private key to prevent the legitimate user or system administrators from easily accessing or modifying it: Patched OpenSSH Some OpenSSH binaries used by the attackers had their imports modified. Instead of libcrypto.dll, the SSH executable imports syruntime.dll, which was placed in the same folder as the binary. This was likely done to evade detection and ensure stealth. In addition, we found a portable version of OpenSSH, presumably compiled by the adversaries: RevSocks In addition to Reverse SSH tunnels, the attackers installed RevSocks using the same infrastructure. RevSocks is an alternative tool to SSH for establishing tunnels and proxy connections, written in Golang. This tool allows direct connection to workstations on the local network. It also allows attackers to gain access to other segments of the victim’s network by using the machine as a gateway. In some cases, C2 addresses were hardcoded into the binary; in other cases, the C2 was passed in command line arguments. There were also reverse SOCKS samples with hardcoded C2 addresses: Tor tunneling To maintain control over the compromised host, the Tor network was used in some cases. A minimal set of a Tor executable and configuration files, necessary for launching HiddenService, was copied to the system directories of infected devices. The name of the Tor Browser executable file was modified. As a result, the infected machine was accessible via RDP from the Tor network when accessing the generated .onion domain. Below is an example of a configuration file for routing connections from Tor to RDP ports on the local network, as well as example command lines for logging into Tor. Example of TOR configuration file PowerCloud We analyzed a new Cloud Atlas tool, PowerCloud. It collects user data with administrator privileges and writes this information to Google Sheets in Base64 format. The tool represents an obfuscated PowerShell script. In most cases, it is packaged into an executable file using the PS2EXE utility, but we have also encountered variants in the form of a separate PowerShell script. To find administrators on the victim host, the tool executes the following command: This information is appended with the computer name and current date, the data is encoded in base64, and then the collected data is added to an existing Google Sheet. PowerCloud script Browser checker Additionally, the attackers used another PowerShell script (MD5 5329F7BFF9D0D5DB28821B86C26D628F), compiled into an executable file via PS2EXE, which checks whether browser processes (Chrome, Edge, Firefox, and other) are running. This helps detect when the user is working on the computer. This can be used to choose the optimal time for conducting attacks (for example, when the user is away but their browser is still open) or simply to gather information about the victim’s habits. The information about running browsers is written to a log file on the local host. Fragment of the deobfuscated script Victims According to our telemetry, in late 2025 and early 2026, the identified targets of the described malicious activities are located in Russia and Belarus. The targeted industries mostly include government agencies and diplomatic entities. We attribute the activity described in this report to the Cloud Atlas APT group with a high degree of confidence. The group used techniques and tools described previously, such as the initial access vector, the Python script for information gathering, and the Tor application for forwarding ports to the Tor network. The victim profile and geography also matches the Cloud Atlas targets. We couldn’t help but notice some parallels with recent Head Mare activity. The PhantomHeart backdoor ( available in Russian only ), attributed to Head Mare and used to create an SSH tunnel, was placed in directories actively used by Cloud Atlas: C:\Windows\ime C:\Windows\System32\ime C:\Windows\pla C:\Windows\inf C:\Windows\migration C:\Windows\System32\timecontrolsvc C:\Windows\SKB However, TTPs are still differentiated. Conclusion For more than ten years, the Cloud Atlas group has continued its activities and expanded its arsenal. Over the course of last year, many targeted campaigns in general were found to employ ReverseSocks, SSH and Tor, and the use of these utilities was no exception for Cloud Atlas. Creating such backup control channels using publicly available utilities significantly complicates the complete disruption of attackers’ actions on compromised systems. We will continue to closely monitor the group’s activity and describe their new tools and techniques. Indicators of compromise PowerCloud 7A95360B7E0EB5B107A3D231ABBC541A C:\Windows\wininet.exe C0D1EAA15A2CEFBAB9735787575C8D8E C:\Windows\LiveKernelReports\update.exe D5B38B252CF212A4A32763DE36732D40 C:\Windows\ime\imejp\dicts\i39884.exe 3C75CEDB1196DF5EAB91F31411ED4B33 C:\pla\reports.exe 42AC350BFBC5B4EB0FEDBA16C81919C7 C:\ProgramData\update_[redacted].exe 493B901D1B33EB577DB64AADD948F9CE C:\Windows\migration\wtr\MicrosoftBrowser.exe 2CABB721681455DAE1B6A26709DEF453 C:\Windows\pla\reports\winlog.exe 1B39E86EB772A0E40060B672B7F574F1 C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe 1D401D6E6FC0B00AAA2C65A0AC0CFD6B C:\Windows\setup\scripts\install\software\activation\aact\dfsvc.exe 40A562B8600F843B717BC5951B2E3C29 C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016 C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1 C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9 C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419 C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8 dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3 – 25C8ED0511375DCA57EF136AC3FA0CCA C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50 C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8 C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769 C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160 C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe