Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload
ID: 1171958e-4457-5e3c-9c44-9382b1c7e6c5
STIX ID: report--1171958e-4457-5e3c-9c44-9382b1c7e6c5
Feed Name: Securelist by Kaspersky
Cloud Atlas (an established APT) conducted targeted phishing campaigns against government and diplomatic organizations in Russia and Belarus. The lures were ZIP archives containing LNK shortcuts that launch a PowerShell loader (fixed.ps1), which in turn installs VBCloud (a file-stealing backdoor) and PowerShower (used for reconnaissance and lateral movement). For persistence and backup command-and-control the adversary used several channels in parallel: reverse SSH tunnels, RevSocks, and Tor hidden services, along with patched OpenSSH variants, and it modified termsrv.dll to enable multi-user RDP. The report includes detailed playbooks, credential-theft techniques (Volume Shadow Copy creation followed by SAM/SECURITY hive extraction, and a UAC bypass), and extensive file paths, hashes, domains, and IP IoCs.
