VERY IMPORTANT

The article analyzes a phishing campaign by the Cloud Atlas APT group targeting Russian organizations. It details five successful attacks on the same system over time, using malicious Microsoft Office documents to deliver the VBShower backdoor. The attackers used alternate data streams to hide malicious code and maintained persistence through registry modifications. The analysis covers the evolution of the attack chain, including the use of VBCloud malware and various command and control servers. Despite prolonged access, no evidence of lateral movement was found. The report concludes that Cloud Atlas continues to be active, using consistent tactics and tools.