Cloud Atlas revives old exploits to hit Russian farms

2025-10-30

The threat actor known as Cloud Atlas has been observed targeting Russia's agricultural sector using lures tied to an upcoming industry forum. The phishing campaign, detected this month, involves emails carrying booby-trapped Microsoft Word documents that, when opened, trigger an exploit for CVE-2017-11882 to deliver a dropper responsible for launching the VBShower backdoor. It's worth noting that the hacking group weaponized the same flaw back in 2023. Cloud Atlas is assessed to be a highly adaptable threat actor that has been active since at least 2014 and has increased its operational tempo in 2025, particularly against targets in Russia and Belarus. Earlier this January, Positive Technologies detailed Cloud Atlas' use of cloud services like Google Sheets as command-and-control (C2) infrastructure for VBShower and another PowerShell-based backdoor named PowerShower.

In recent months, Russian organizations have also been targeted by GOFFEE (aka Paper Werewolf) and PhantomCore, with the latter also dropping, via phishing emails, a new Go backdoor dubbed PhantomGoShell that shares some similarities with PhantomRAT and PhantomRShell. Other tools in the threat actor's arsenal include PhantomTaskShell (a PowerShell backdoor), PhantomStealer (a Go-based stealer), and PhantomProxyLite (a tool that sets up an SSH tunnel between the host and the C2 server). The group is said to have taken control of 181 systems in the country over the course of the campaign between mid-May and late July 2025. Positive Technologies assessed that PhantomGoShell is the work of Russian-speaking members of gaming Discord communities who may have "received the backdoor source code and guidance from a member with a more established cybercriminal background" and that this group is a low-skilled offshoot of PhantomCore.