Malware | Used by 1 actor | Exploits 2 CVEs

PowerShower

PowerShower is a PowerShell-based backdoor used by the Cloud Atlas espionage group. It is described as a second-stage backdoor distinct from VBCloud: whereas VBCloud focuses on file theft, PowerShower is primarily used for network reconnaissance, lateral movement, and further infiltration inside victim infrastructure. Reported capabilities include identifying the current user; collecting information on running processes, administrator groups, and domain controllers; probing the local network; downloading and executing PowerShell scripts from command-and-control; saving and executing VBScript; conducting Kerberoasting attacks; and using Inveigh for machine-in-the-middle activity and credential or hash collection. PowerShower also encoded C2 communications with Base64.

Observed infection chains show Cloud Atlas delivering PowerShower through phishing campaigns. In 2024 reporting, malicious documents exploiting CVE-2018-0802 in Microsoft Equation Editor, and previously CVE-2017-11882 combined with CVE-2018-0802, led to VBShower/VBCloud and PowerShower deployment. In later activity observed in 2025-2026, phishing emails with ZIP archives containing malicious LNK files launched external PowerShell scripts that established persistence, downloaded a decoy PDF, removed traces, and deployed VBCloud and PowerShower. PowerShower was noted as being persisted at C:\Users\[username]\Pictures\googleearth.ps1 in one campaign.

PowerShower has also been associated with document theft and exfiltration. It used a PowerShell document stealer module to collect .txt, .pdf, .xls, and .doc files smaller than 5 MB that were modified during the previous two days, compressed files with 7Zip, and exfiltrated them over its existing C2 channel. Additional stealth and persistence behaviors include adding a registry key so future powershell.exe instances spawn off-screen by default, removing registry entries left by the dropper process, and deleting files created during the dropper process.
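As an added example (not code from the Mallory page or from any vendor report), the following Python hunt logic flags process-creation events that carry the delivery and persistence traits described above: a PowerShell script run from a user's Pictures folder such as googleearth.ps1, a hidden-window request, and PowerShell started directly by explorer.exe as a double-clicked LNK would do. The Sysmon-style field names and the sample events are constructed, and treating explorer.exe as the LNK parent is an assumption.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Constructed Sysmon-style process-creation record (not real telemetry)."""
    parent_image: str
    image: str
    command_line: str

# Traits taken from the write-up: a .ps1 persisted under a user's Pictures folder,
# PowerShell asked to run with a hidden window, and a script launched straight from
# explorer.exe (assumed here to be how a LNK inside a ZIP starts PowerShell).
PS_IMAGE = re.compile(r"\\powershell(_ise)?\.exe$", re.IGNORECASE)
PICTURES_PS1 = re.compile(r"\\Users\\[^\\]+\\Pictures\\[^\\\s\"']+\.ps1", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)
EXPLORER = re.compile(r"\\explorer\.exe$", re.IGNORECASE)

def score_event(ev: ProcEvent) -> list[str]:
    """Return the reasons an event matches the PowerShower traits (empty if none)."""
    reasons = []
    if not PS_IMAGE.search(ev.image):
        return reasons
    if PICTURES_PS1.search(ev.command_line):
        reasons.append("ps1 executed from a user's Pictures folder")
    if HIDDEN_WINDOW.search(ev.command_line):
        reasons.append("hidden PowerShell window requested")
    if EXPLORER.search(ev.parent_image) and ".ps1" in ev.command_line.lower():
        reasons.append("script launched directly from explorer.exe (LNK-style start)")
    return reasons

def hunt(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Keep only events with at least one matching trait, paired with their reasons."""
    return [(ev.command_line, r) for ev in events if (r := score_event(ev))]

# Constructed sample events: two suspicious launches and one benign admin use of PowerShell.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -W Hidden -ep bypass -f "C:\Users\alice\Pictures\googleearth.ps1"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden -f C:\Users\alice\AppData\Local\Temp\stage.ps1"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for cmd, reasons in hunt(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(reasons))
```

Each reason maps to one of the page's own observations, so a hit can be triaged against the matching ATT&CK technique below rather than treated as a bare anomaly.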

Victimology tied to the broader Cloud Atlas operations includes government agencies, diplomatic organizations, and other targets primarily in Russia and Belarus, with earlier reporting also noting victims concentrated in Russia and isolated cases in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Vietnam, and Turkey.


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2018-0802 | Microsoft Office Equation Editor Memory Corruption RCE | Exploited in the wild

Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code.

via securelist.com

CVE-2017-11882 | Microsoft Office Equation Editor Remote Code Execution | Exploited in the wild

Previously, Cloud Atlas dropped its “validator” implant named “PowerShower” directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802.

via securelist.com
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Inception

PowerShower probes the local network and facilitates further infiltration, while VBCloud collects information about the system and steals files.

via securelist.com
MITRE ATT&CK

Techniques & procedures

26 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (evidence: 1)

Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code.

Execution

1 technique
T1059.001 PowerShell (evidence: 4)

PowerShower downloads additional PowerShell scripts from the C2 and executes these.

Persistence

2 techniques
T1112 Modify Registry (evidence: 2)

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

T1547.001 Registry Run Keys / Startup Folder (evidence: 5)

After the download is complete, the malware adds a registry key to auto-run the VBShower Launcher script: "Software\Microsoft\Windows\CurrentVersion\Run"

Privilege Escalation

2 techniques
T1547.001 Registry Run Keys / Startup Folder (evidence: 5)

After the download is complete, the malware adds a registry key to auto-run the VBShower Launcher script: "Software\Microsoft\Windows\CurrentVersion\Run"

T1548.002 Bypass User Account Control (evidence: 1)

To obtain elevated privileges, the script uses a UAC bypass technique via fodhelper.exe ... which allows PowerShell to be run with administrator rights without an explicit prompt to the user.

Stealth

3 techniques
T1070 Indicator Removal (evidence: 3)

Examples throughout the content include deleting tools, logs, malware-related files, staged archives, screenshots, temporary files, and exfiltrated data 'to cover their tracks,' 'reduce their footprint,' 'remove traces of activity,' or as part of 'post-intrusion cleanup.'

T1070.004 File Deletion (evidence: 3)

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

T1564.003 Hidden Window (evidence: 1)

Agent Tesla has used ProcessWindowStyle.Hidden to hide windows. APT19 used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. APT28 has used the WindowStyle parameter to conceal PowerShell windows.

Defense Impairment

1 technique
T1112 Modify Registry (evidence: 2)

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

Credential Access

4 techniques
T1003 OS Credential Dumping (evidence: 1)

PowerShower downloads an additional script for stealing credentials ... copies the system files SAM ... and SECURITY from a shadow copy

T1110.001 Password Guessing (evidence: 1)

Script for dictionary attacks on user accounts.

T1557 Adversary-in-the-Middle (evidence: 1)

We also observed the use of PowerShell Inveigh, a machine-in-the-middle attack utility used in penetration testing. Inveigh is used for data packet spoofing attacks, and collecting hashes and credentials both by intercepting packets and by using protocol-specific sockets.

T1558.003 Kerberoasting (evidence: 2)

The keb.ps1 script belongs to the popular PowerSploit framework for penetration testing and kicks off a Kerberoasting attack.

Discovery

9 techniques
T1016 System Network Configuration Discovery (evidence: 2)

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

T1018 Remote System Discovery (evidence: 2)

PowerShower probes the local network and facilitates further infiltration.

T1033 System Owner/User Discovery (evidence: 2)

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.

T1046 Network Service Discovery (evidence: 1)

PowerShower probes the local network and facilitates further infiltration.

T1057 Process Discovery (evidence: 2)

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

T1082 System Information Discovery (evidence: 1)

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

T1083 File and Directory Discovery (evidence: 1)

Gets information about the file names and sizes in the following folders: %AppData%; %AllUsersProfile%; ...

T1087 Account Discovery (evidence: 1)

The script gets a list of local groups and their members on remote computers via Active Directory Service Interfaces (ADSI).

T1482 Domain Trust Discovery (evidence: 2)

This script gets a list of domain controllers.

Collection

2 techniques
T1119 Automated Collection (evidence: 1)

Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP... Tomiris can upload files matching a hardcoded set of extensions... PowerShower packed and exfiltrated .txt, .pdf, .xls or .doc files smaller than 5MB modified during the past two days.

T1557 Adversary-in-the-Middle (evidence: 1)

We also observed the use of PowerShell Inveigh, a machine-in-the-middle attack utility used in penetration testing. Inveigh is used for data packet spoofing attacks, and collecting hashes and credentials both by intercepting packets and by using protocol-specific sockets.

Command and Control

3 techniques
T1071.001 Web Protocols (evidence: 3)

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

T1105 Ingress Tool Transfer (evidence: 3)

Previously, Cloud Atlas employed PowerShower to download and run an executable file: a DLL library. This DLL would then fetch additional executable modules (plug-ins) from the C2 server and execute these in memory.

T1132 Data Encoding (evidence: 2)

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 2)

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.

INDICATORS OF COMPROMISE

IOCs tracked for this family

37 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 33 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes: 4 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

ACTIVITY FEED

Recent activity

33 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
