Cloud Atlas Activity in the Second Half of 2025 and Early 2026: New Tools and a New Payload

    Date: 05/26/2026

    Severity: High

    Summary

    Pervasive SSH tunnel activity observed in 2025 persisted into 2026, targeting Russian and Belarusian entities. The cyberespionage group Cloud Atlas, active since 2014, is behind some of these attacks. Recent investigations revealed new tools and indicators of compromise linked to the group. The group has resumed using malicious shortcut archives to launch PowerShell scripts, and it continues to exploit an old Equation Editor vulnerability (CVE-2018-0802) via malicious documents. Third-party utilities such as Tor, SSH, and RevSocks are deployed to maintain backup control channels.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    IP Addresses:

    Hashes (MD5):

    Filenames:

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "lafortunaitalian.co.uk" or url like "lafortunaitalian.co.uk" or siteurl like "lafortunaitalian.co.uk" or domainname like "mamurjor.com" or url like "mamurjor.com" or siteurl like "mamurjor.com" or domainname like "bigbang.me" or url like "bigbang.me" or siteurl like "bigbang.me" or domainname like "paleturquoise-dragonfly-364512.hostingersite.com" or url like "paleturquoise-dragonfly-364512.hostingersite.com" or siteurl like "paleturquoise-dragonfly-364512.hostingersite.com" or domainname like "goverru.com" or url like "goverru.com" or siteurl like "goverru.com" or domainname like "ultimatecore.net" or url like "ultimatecore.net" or siteurl like "ultimatecore.net" or domainname like "agenciakharis.com.br" or url like "agenciakharis.com.br" or siteurl like "agenciakharis.com.br" or domainname like "istochnik.org" or url like "istochnik.org" or siteurl like "istochnik.org" or domainname like "investika-club.com" or url like "investika-club.com" or siteurl like "investika-club.com" or domainname like "onedrivesupport.net" or url like "onedrivesupport.net" or siteurl like "onedrivesupport.net" or domainname like "amerikastaj.com" or url like "amerikastaj.com" or siteurl like "amerikastaj.com" or domainname like "kufar.org" or url like "kufar.org" or siteurl like "kufar.org" or domainname like "humanitas.si" or url like "humanitas.si" or siteurl like "humanitas.si" or domainname like "totallegacy.org" or url like "totallegacy.org" or siteurl like "totallegacy.org" or domainname like "kommando.live" or url like "kommando.live" or siteurl like "kommando.live" or domainname like "internationalcommoditiesllc.com" or url like "internationalcommoditiesllc.com" or siteurl like "internationalcommoditiesllc.com" or domainname like "firsai.tipshub.net" or url like "firsai.tipshub.net" or siteurl like "firsai.tipshub.net" or domainname like "cloudguide.in" or url like "cloudguide.in" or siteurl like "cloudguide.in" or domainname like "tenkoff.org" or url like "tenkoff.org" or siteurl like "tenkoff.org" or domainname like "fishingflytackle.com" or url like "fishingflytackle.com" or siteurl like "fishingflytackle.com" or domainname like "allgoodsdirect.com.au" or url like "allgoodsdirect.com.au" or siteurl like "allgoodsdirect.com.au" or domainname like "landscapeuganda.com" or url like "landscapeuganda.com" or siteurl like "landscapeuganda.com" or domainname like "wizzifi.com" or url like "wizzifi.com" or siteurl like "wizzifi.com" or domainname like "spbnews.net" or url like "spbnews.net" or siteurl like "spbnews.net" or domainname like "alnakhlah.com.sa" or url like "alnakhlah.com.sa" or siteurl like "alnakhlah.com.sa" or domainname like "znews.neti" or url like "znews.neti" or siteurl like "znews.neti"

    Detection Query 2:

    dstipaddress IN ("185.53.179.136","46.17.44.212","185.22.154.73","195.58.49.9","46.17.44.125","81.30.105.71","194.102.104.207","37.228.129.224","5.181.21.75","146.70.53.171","46.17.45.56","46.17.45.49","194.87.196.163","93.125.114.193","93.125.114.57","45.87.219.116","185.126.239.77","45.15.65.134","185.250.181.207") or srcipaddress IN ("185.53.179.136","46.17.44.212","185.22.154.73","195.58.49.9","46.17.44.125","81.30.105.71","194.102.104.207","37.228.129.224","5.181.21.75","146.70.53.171","46.17.45.56","46.17.45.49","194.87.196.163","93.125.114.193","93.125.114.57","45.87.219.116","185.126.239.77","45.15.65.134","185.250.181.207")

    Detection Query 3:

    md5hash IN ("BA9CE06641067742F2AFC9691FAFF1DC","FB0F8027ACF1B1E47E07A63D8812ED50","F6F62456FB0FCC396FB654CBED339BC3","0577DB70844E88B32B954906E2F20798","C0D1EAA15A2CEFBAB9735787575C8D8E","2042EB5D52F0B535A1CE6B6F954C8C2B","7A95360B7E0EB5B107A3D231ABBC541A","D5B38B252CF212A4A32763DE36732D40","3C75CEDB1196DF5EAB91F31411ED4B33","42AC350BFBC5B4EB0FEDBA16C81919C7","493B901D1B33EB577DB64AADD948F9CE","2CABB721681455DAE1B6A26709DEF453","1B39E86EB772A0E40060B672B7F574F1","1D401D6E6FC0B00AAA2C65A0AC0CFD6B","40A562B8600F843B717BC5951B2E3C29","F721A76DEB28FD0B80D27FCE6B8F5016","D3C8AFD22BAA306FF659DB1FAC28574A","6D7B2D1172BBDB7340972D844F6F0717","9769F43B9DE8D19E803263267FA6D62E","63B6BE9AE8D8024A40B200CCCB438F1D","6AA586BCC45CA2E92A4F0EF47E086FA1","EBA3BCDB19A7E256BF8E2CC5B9C1CCA9","B4E183627B7399006C1BC47B3711E419","F56B31A4B47AD3365B18A7E922FBA1A8","25C8ED0511375DCA57EF136AC3FA0CCA","5329F7BFF9D0D5DB28821B86C26D628F","2B4BA4FACF8C299749771A3A4369782E","BBF1FA694122E07635DEEAC11AD712F8","F301AA3D62B5095EEC4D8E34201A4769","F9C3BBE108566D1A6B070F9C5FB03160","369B75BDCDED16469EDE7AB8BEDCFAE1","9EAAE9491F6A50D6DF0BE393734A44CB","3E6E9DF00A764B348EC611EE8504ACA0","9BD788F285E32A05E6591D1EB36EBFFC","F42085522EC2EBB16EDCF814E7C330AD","2AA1E9765EF6B00B94A9B6BE0041436A","36120F5E9411BCBAC7104EF3FA964ED2","5000A353399500BC78381DC95B6ED2DC","579A9952D31CAD801A3988DBE7914CE7","867B634588C0FD6B26684D502C15AB03","38FA4306FA4406BA31CF171AF4D36E34","83EDDE9F7EEEFAC0363413972F35572B","CC751619BFEC0DC4607C17112B9E3B2C","A632858F14B36F03D0F213F5F5D6BFF2","097CA205AD9E3B72018750280904718C","69121C36EB8BF77962DCA825FCFFD873","C5702EB250F855C8C872FFFB9BB656ED","ED34F5A136FBA4FDEA976570FAA33ED7","28ECF8FB6719E14231B94B4D37629B0E","0857C84B62289A1A9F29E19244E9A499","0C514E137860F489E3801213460EF938","50568B1F9335A7E3BA4E5DF035A8FB86","7F776AD200287D6DE14A29158C457179","51F7F794ED43FB90D0F8EBBB5EFFE628","B8C753DD254509FBA5077FFD5067EAB0","BC3739DEC8CD8F54F3F60A85F3ED600E","EC076CD21C483A40156F4E40D08DADED","216CB7F31D383C0DD892B284DF05A495","116F59E70A9DF97F4ADAEA71EECB1E9A","7242AC065B50BCDE9308756B49DBADCB","8158552950D2E13B075001CE0C52AA97","A75DBED984963B9AB21309C5B2F8FD9B","0320DD389FDBAB25D46792BD2817675E","5339D1A666F3E40FE756505CF1D87D4B","67D7E3AEEB673BF60C59361C12A4ED81","89572F0ED20791A5AC9FC4267D67CCB0","B6AAE073E7BFEBF4D643C2BBEB5C02E1","344CA9EA07CD4AC90EF27F8890D4EC05")

    Detection Query 4:

    resourcename = "Windows Security" and eventtype = "4663" and objectname In ("WriteToSchedulerKillSSH.vbs","Create_task_day.vbs","WriteToSchedulerGenerateKey.vbs","C:\Windows\INF\Run.vbs","c:\Windows\INF\install.vbs","Update.vbs","c:\Windows\PLA\System\Gen.vbs","C:\Windows\INF\GenK.vbs","c:\Windows\PLA\System\Kill.vbs","c:\Windows\PLA\System\Run.vbs","c:\Windows\ime\imejp\Asset.exe","c:\Windows\PLA\System\conhosts.exe","c:\Windows\INF\BITS\esentprf.exe","c:\Windows\INF\MSDTC\RuntimeBrokers.exe","c:\Windows\inf\diagnostic.exe","C:\Windows\PLA\System\bounce.exe","C:\ProgramData\hp\client.exe","C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe","C:\Windows\Resources\Update\Intel.exe","C:\Windows\INF\package.exe")

    Detection Query 5:

    technologygroup = "EDR" and objectname In ("WriteToSchedulerKillSSH.vbs","Create_task_day.vbs","WriteToSchedulerGenerateKey.vbs","C:\Windows\INF\Run.vbs","c:\Windows\INF\install.vbs","Update.vbs","c:\Windows\PLA\System\Gen.vbs","C:\Windows\INF\GenK.vbs","c:\Windows\PLA\System\Kill.vbs","c:\Windows\PLA\System\Run.vbs","c:\Windows\ime\imejp\Asset.exe","c:\Windows\PLA\System\conhosts.exe","c:\Windows\INF\BITS\esentprf.exe","c:\Windows\INF\MSDTC\RuntimeBrokers.exe","c:\Windows\inf\diagnostic.exe","C:\Windows\PLA\System\bounce.exe","C:\ProgramData\hp\client.exe","C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe","C:\Windows\Resources\Update\Intel.exe","C:\Windows\INF\package.exe")

    Reference:

    https://securelist.com/cloud-atlas-2026/119895/


    Tags

    Threat Actor, Vulnerability, CVE-2018, Belarus, Russia, Exploit, TOR, Cyber Espionage
