Skip to main content
Mallory
Back to threat actors
5 malware familiesExploits CVEs in the wild

CloudComputating

Also known ascloudcomputating

CloudComputating is a Chinese-speaking threat actor tracked by Kaspersky. Kaspersky assessed with medium to high confidence that this actor conducted 2020 activity targeting Middle Eastern and African governments, including at least one intrusion that followed exploitation of Microsoft Exchange CVE-2020-0688 and deployment of a ChinaChopper webshell to install Quarian and PlugX. Kaspersky also stated the actor had previously targeted high-profile Middle Eastern diplomatic entities. Earlier reporting tied CloudComputating to a fileless HiKit variant referred to as Hias. Based on the provided content, the actor is associated with government and diplomatic targeting and the use of Quarian, PlugX, ChinaChopper, and Hias/HiKit-related tooling. No additional aliases or sub-groups are directly supported by the content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics3 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1190
Exploit Public-Facing Application
TA0003
Persistence
1 technique
T1505
Server Software Component
T1505.003
Web Shell
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
ChinaChopperthe server was indeed compromised and was hosting the ChinaChopper webshell, which was used to obtain, and later launch, the Quarian and PlugX backdoors.1Mar 18, 2026
Hias"...fileless version of the well-known ‘HiKit’ malware dubbed ‘Hias’."1Mar 18, 2026
Hikit"...a fileless version of the well-known ‘HiKit’ malware dubbed ‘Hias’."1Mar 18, 2026
PlugXAvira blogged about HoneyMyte PlugX variants... PlugX has been used by multiple APT groups over the past decade...1Mar 18, 2026
QuarianQuarian is a little-known malicious program... we noticed a new variant that was used during several attacks on Middle Eastern and African governments during 2020.1Mar 18, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2020-0688Microsoft Exchange Server static validation key RCEIn the wildEvidence1

In one case, we could see that this variant was deployed following exploitation of the CVE-2020-0688 vulnerability on the network of a government entity. This vulnerability, which was publicly reported in February 2020, allows an authenticated user to run commands as SYSTEM on a Microsoft Exchange server.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.