Cloud Atlas activity in the first half of 2025: what changed
ID: 2251e258-2ffa-58d3-8c47-44f743d7f440
STIX ID: report--2251e258-2ffa-58d3-8c47-44f743d7f440
Feed Name: Securelist by Kaspersky
This report analyzes Cloud Atlas APT operations in the first half of 2025: actors use phishing documents that exploit CVE-2018-0802 to fetch an HTA and execute a multi-stage chain (VBShower → VBCloud/PowerShower/CloudAtlas). The document describes each implant’s installation and capabilities (remote command execution, file and credential exfiltration, plugin architecture), cloud-based WebDAV command-and-control, targeted sectors in Russia and Belarus, and provides detailed IoCs (hashes, domains, file paths) for detection and response.
