VBCloud
VBCloud is a Windows backdoor and stealer used by the Cloud Atlas espionage group. It has been described as previously undocumented and is deployed in multi-stage phishing-driven intrusion chains, including campaigns using malicious Office documents exploiting CVE-2018-0802 and later campaigns using ZIP archives containing malicious LNK files that launch PowerShell. In observed infections, loader scripts such as fixed.ps1 deliver VBCloud alongside PowerShower, while earlier Cloud Atlas chains used VBShower to install it.
On infected systems, VBCloud consists of a launcher VBS script and an encrypted main payload, for example video.vbs paired with video.mds, or a VBCloud::Launcher and VBCloud::Backdoor pair. The launcher decrypts the encrypted body, typically with RC4 using a hardcoded key, and executes it in memory. VBCloud can establish persistence via scheduled tasks or Run registry entries, and has been observed installed under ProgramData paths themed after legitimate software, such as avp, Adobe, Edge, and Chrome directories.
Functionally, VBCloud acts as a backdoor that communicates with attacker infrastructure, receives scripts or commands, and can download and execute additional malicious scripts. A notable characteristic is its use of cloud-based infrastructure and WebDAV rather than only traditional command-and-control servers. Reported behavior includes checking availability of kim.nl.tab.digital and falling back to webdav.mydrive.ch, creating beacon files containing the username and MAC addresses of network adapters, downloading tasking files from cloud directories, deleting those tasking files after retrieval, decrypting them, and executing them in the current process. It maintains encrypted communication with the command server through cloud-based infrastructure.
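The host and network behaviours described above (script launcher under a software-themed ProgramData directory, scheduled-task or Run-key persistence, and the WebDAV hosts used for tasking) can be turned into simple triage logic. The following is an added example, not code from the page or from any vendor; the event field names (type, image, cmdline, dest_host) and the sample telemetry are constructed assumptions, and the two host names are the ones named in the text.

```python
import re
from typing import Dict, List

# Hosts named in public reporting on VBCloud's WebDAV-based tasking channel.
VBCLOUD_WEBDAV_HOSTS = {"kim.nl.tab.digital", "webdav.mydrive.ch"}
# Software-themed ProgramData directories reported as VBCloud install paths.
THEMED_VBS_PATH = re.compile(
    r"c:\\programdata\\(avp|adobe|edge|chrome)\\[^\\\"]+\.vbs", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def triage_event(ev: Dict[str, str]) -> List[str]:
    """Return the VBCloud-style behaviours a single (constructed-format) event matches."""
    hits: List[str] = []
    if ev["type"] == "process":
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"]
        if image in SCRIPT_HOSTS and THEMED_VBS_PATH.search(cmd):
            hits.append("vbs_launcher_in_themed_programdata_dir")
        if image == "schtasks.exe" and "/create" in cmd.lower() and THEMED_VBS_PATH.search(cmd):
            hits.append("scheduled_task_persistence_for_vbs")
        if image == "reg.exe" and r"currentversion\run" in cmd.lower() and THEMED_VBS_PATH.search(cmd):
            hits.append("run_key_persistence_for_vbs")
    elif ev["type"] == "network":
        if ev["dest_host"].lower() in VBCLOUD_WEBDAV_HOSTS:
            hits.append("connection_to_vbcloud_webdav_host")
    return hits

def triage(events) -> List[tuple]:
    """Flatten findings over a batch of events as (event id, finding) pairs."""
    return [(ev["id"], h) for ev in events for h in triage_event(ev)]

# Constructed sample telemetry (not real captured events).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\ProgramData\Adobe\video.vbs"'},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 10 /tn Adobe /tr "wscript.exe C:\ProgramData\Adobe\video.vbs"'},
    {"id": 3, "type": "network", "image": r"C:\Windows\System32\wscript.exe", "dest_host": "kim.nl.tab.digital"},
    {"id": 4, "type": "network", "image": r"C:\Windows\System32\wscript.exe", "dest_host": "webdav.mydrive.ch"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Documents\report.vbs"'},
    {"id": 6, "type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_host": "www.example.com"},
]

if __name__ == "__main__":
    for event_id, finding in triage(SAMPLE_EVENTS):
        print(event_id, finding)
```

Events 5 and 6 are benign controls: a VBS outside the themed directories and an unrelated browser connection produce no findings.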
VBCloud is also used for reconnaissance and data theft. Reported collection includes system and disk information, host and user information, and other system data. As a stealer, it targets files of interest for exfiltration, including extensions such as DOC, DOCX, XLS, XLSX, PDF, TXT, RTF, and RAR, with particular attention to recent documents. It has also been reported to steal Telegram-related files, including D877F783D5D3EF8Cs and key_datas. Exfiltrated data may be packaged into RC4-encrypted ZIP archives and renamed with benign-looking multimedia extensions such as MP3, WAV, OGG, WMA, or MP4.
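Staged exfiltration archives renamed to media extensions can be spotted because the file header no longer matches the extension: a genuine WAV starts with RIFF, an OGG with OggS, and so on, while an RC4-encrypted ZIP is a near-uniform byte stream. The scanner below is an added example, not the page's or any vendor's code; the magic-byte table, the entropy threshold and the sample files are constructed assumptions (the .ogg body stands in for RC4 ciphertext).

```python
import math
import os
from typing import Dict, Optional

# Leading bytes a genuine file with one of these extensions normally carries.
MEDIA_MAGIC = {
    ".mp3": [(0, b"ID3"), (0, b"\xff\xfb"), (0, b"\xff\xf3"), (0, b"\xff\xf2")],
    ".wav": [(0, b"RIFF")],
    ".ogg": [(0, b"OggS")],
    ".wma": [(0, b"\x30\x26\xb2\x75\x8e\x66\xcf\x11")],
    ".mp4": [(4, b"ftyp")],
}
ENTROPY_THRESHOLD = 7.2  # bits per byte; stream-cipher output sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(v) for v in range(256)) if c)

def classify_media_file(name: str, data: bytes) -> Optional[str]:
    """Return a finding label, or None when the file looks like genuine media."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in MEDIA_MAGIC:
        return None
    if any(data[off:off + len(magic)] == magic for off, magic in MEDIA_MAGIC[ext]):
        return None
    if data[:4] == b"PK\x03\x04":  # plain ZIP local file header
        return "zip_archive_with_media_extension"
    if len(data) >= 256 and shannon_entropy(data[:4096]) > ENTROPY_THRESHOLD:
        return "opaque_high_entropy_blob_with_media_extension"
    return "header_mismatch_for_extension"

def scan(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each flagged file name to its finding label."""
    return {n: lbl for n, d in files.items() if (lbl := classify_media_file(n, d))}

# Constructed sample files (not real captures).
SAMPLE_FILES = {
    "recording.wav": b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + b"\x00" * 64,
    "song.mp3": b"ID3\x03\x00" + b"\x00" * 300,
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 64,
    "photos.mp3": b"PK\x03\x04" + b"\x00" * 100,
    "notes.ogg": bytes(range(256)) * 8,   # uniform bytes, stand-in for RC4 ciphertext
    "voice.wma": b"just some text" + b"\x00" * 40,
    "readme.txt": b"not a media extension, ignored",
}

if __name__ == "__main__":
    for name, label in scan(SAMPLE_FILES).items():
        print(f"{name}: {label}")
```

Real compressed audio also has high entropy, which is why the magic-byte check runs first and only header-less files reach the entropy test.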
VBCloud has been associated with Cloud Atlas operations targeting organizations in Eastern Europe and Central Asia, with reporting highlighting victims in Russia and Belarus and sectors including government, diplomatic, telecommunications, construction, and industrial organizations.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Besides, they are now using a new module in their attacks: VBCloud. This collects and uploads system information and other data.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic: Initial Access (2 techniques), Execution (4), Persistence (2), Privilege Escalation (2), Stealth (1), Discovery (3), Collection (2), Command and Control (2).
Documented Execution procedures:
In the case of VBCloud, the script changes the extension of the unpacked file from TXT to VBS and creates a scheduler task to run VBCloud.
PowerShower downloads additional PowerShell scripts from the C2 and executes these.
IOCs tracked for this family
38 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
A backdoor deployed by Cloud Atlas after phishing-based initial access to maintain persistent access inside compromised networks.
Backdoor deployed by Fixed.ps1. Its launcher decrypts and executes the encrypted payload in memory, connects to a command server, receives additional scripts or executes built-in commands, and steals/exfiltrates files such as DOC, PDF, and XLS.
Custom malware family used by Cloud Atlas and distributed via phishing Word documents (remote template technique noted in the described chain).
Previously undocumented malware used by Cloud Atlas; delivered via phishing documents exploiting CVE-2018-0802.