HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

APT Cloud Atlas Deploys New PowerShell LNK Campaign and Persistent SSH Tunnels Targeting Russian and Belarusian Entities (2025‑2026)

Cloud Atlas resumed phishing attacks in late 2025, delivering malicious LNK shortcuts that execute PowerShell loaders, install persistence, and harvest credentials. The group also uses Tor and reverse‑SSH tunnels to maintain covert C2, affecting government and commercial organizations in Russia and Belarus—raising third‑party risk for any supply‑chain partner in the region.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 securelist.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
securelist.com

APT Cloud Atlas Deploys New PowerShell LNK Campaign and Persistent SSH Tunnels Targeting Russian and Belarusian Entities (2025‑2026)

What Happened — Cloud Atlas resumed large‑scale phishing campaigns in H2 2025 and Q1 2026, delivering ZIP archives that contain malicious LNK shortcuts. The shortcuts launch PowerShell loaders which drop a second‑stage VBCloud/PowerShower payload, install persistence via a Run‑registry key, and ultimately harvest credentials. The group also leverages third‑party utilities (Tor, OpenSSH, RevSocks) to establish redundant reverse‑SSH tunnels for long‑term command‑and‑control.

Why It Matters for TPRM

  • The use of publicly available tunneling tools makes detection difficult for downstream vendors that rely on network‑traffic baselines.
  • Credential‑grabber payloads can be repurposed to compromise SaaS accounts, exposing third‑party data stores.
  • Ongoing activity against government and commercial entities in Russia/Belarus indicates a sustained supply‑chain risk for any organization that outsources services to providers in those regions.

Who Is Affected — Government agencies, critical infrastructure operators, and commercial enterprises (especially those with Russian or Belarusian supply‑chain links).

Recommended Actions

  • Review any third‑party relationships that involve data processing or remote‑access services in the affected regions.
  • Enforce strict LNK‑file handling policies; block execution of PowerShell scripts from external URLs.
  • Deploy network‑level monitoring for anomalous SSH/ Tor traffic and enforce multi‑factor authentication for privileged accounts.

Technical Notes — Initial infection via phishing‑email ZIP → LNK shortcut → PowerShell loader (fixed.ps1). Loader drops payload, creates YandexBrowser_setup Run key, extracts decoy PDFs, and runs a credential‑stealing module. Post‑exploitation includes patched termsrv.dll for multi‑user RDP, reverse SSH tunneling via OpenSSH, RevSocks, and Tor. The campaign also re‑uses the legacy CVE‑2018‑0802 Office Equation Editor exploit for document‑based delivery. Source: SecureList – Cloud Atlas 2026

📰 Original Source
https://securelist.com/cloud-atlas-2026/119895/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →