APT Cloud Atlas Deploys New PowerShell LNK Campaign and Persistent SSH Tunnels Targeting Russian and Belarusian Entities (2025‑2026)
What Happened — Cloud Atlas resumed large‑scale phishing campaigns in H2 2025 and Q1 2026, delivering ZIP archives that contain malicious LNK shortcuts. The shortcuts launch PowerShell loaders which drop a second‑stage VBCloud/PowerShower payload, install persistence via a Run‑registry key, and ultimately harvest credentials. The group also leverages third‑party utilities (Tor, OpenSSH, RevSocks) to establish redundant reverse‑SSH tunnels for long‑term command‑and‑control.
Why It Matters for TPRM —
- The use of publicly available tunneling tools makes detection difficult for downstream vendors that rely on network‑traffic baselines.
- Credential‑grabber payloads can be repurposed to compromise SaaS accounts, exposing third‑party data stores.
- Ongoing activity against government and commercial entities in Russia/Belarus indicates a sustained supply‑chain risk for any organization that outsources services to providers in those regions.
Who Is Affected — Government agencies, critical infrastructure operators, and commercial enterprises (especially those with Russian or Belarusian supply‑chain links).
Recommended Actions
- Review any third‑party relationships that involve data processing or remote‑access services in the affected regions.
- Enforce strict LNK‑file handling policies; block execution of PowerShell scripts from external URLs.
- Deploy network‑level monitoring for anomalous SSH/ Tor traffic and enforce multi‑factor authentication for privileged accounts.
Technical Notes — Initial infection via phishing‑email ZIP → LNK shortcut → PowerShell loader (fixed.ps1). Loader drops payload, creates YandexBrowser_setup Run key, extracts decoy PDFs, and runs a credential‑stealing module. Post‑exploitation includes patched termsrv.dll for multi‑user RDP, reverse SSH tunneling via OpenSSH, RevSocks, and Tor. The campaign also re‑uses the legacy CVE‑2018‑0802 Office Equation Editor exploit for document‑based delivery. Source: SecureList – Cloud Atlas 2026