VBShower
VBShower is a polymorphic VBScript-based backdoor and validator associated with the Cloud Atlas (aka Inception) espionage group. In newer Cloud Atlas infection chains it replaced PowerShower as the validator component and acts as the primary launcher: it can execute downloaded VBScript files regardless of size, which gives the operators flexible delivery of follow-on payloads. Cloud Atlas delivers it through phishing emails carrying Microsoft Word documents that load a remote template; in later campaigns that template led to an HTA file which dropped the several VBS files that make up VBShower. In the chain described by Solar, the remote template exploits the Microsoft Office Equation Editor vulnerability CVE-2018-0802 and then fetches VBShower, which is written to disk using alternate data streams.
VBShower communicates with its command-and-control infrastructure over HTTP: it sends host context data and periodically attempts to retrieve VBS payloads. Observed payloads were installers for other Cloud Atlas malware, namely PowerShower, VBCloud and the CloudAtlas backdoor, which is also how 2025 reporting describes its role. It has also been reported to collect process information and exfiltrate it to the C2.
The malware includes anti-forensics and persistence features. It attempts to delete files from the Office document cache locations %APPDATA%\..\Local\Temporary Internet Files\Content.Word and %APPDATA%\..\Local Settings\Temporary Internet Files\Content.Word (the latter is the Windows XP-era path). It establishes persistence through a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run whose name matches [a-f0-9A-F]{8} and whose data runs wscript.exe in background mode (//B) on a VBS file in %APPDATA%. Related file paths match %APPDATA%\[A-Za-z]{5}.vbs.dat, %APPDATA%\[A-Za-z]{5}.vbs and %APPDATA%\[A-Za-z]{5}.mds. Reported VBShower C2 IPs are 176.31.59.232 and 144.217.174.57.
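As an added example (not code from the page's sources or from Mallory), the Python below turns the persistence, file, and C2 artifacts above into hunting logic and runs it over constructed sample telemetry. The registry, file-path and IP patterns are taken directly from the indicators on this page; the Word-spawns-script-host parent/child rule, the event field names, and the sample events are my assumptions.

```python
import re
from typing import Dict, List, Tuple

# Patterns derived from the VBShower indicators on this page. Sysmon records the
# per-user hive as HKU\<SID>, so the Run-key pattern accepts HKCU or HKU\S-1-5-...
RUN_VALUE_RE = re.compile(
    r"^(?:HKCU|HKU\\S-[\d-]+)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Run\\[a-f0-9]{8}$",
    re.IGNORECASE,
)
# wscript in background mode (//B) on a five-letter .vbs under %APPDATA%
# (literal variable or its expanded ...\AppData\Roaming form).
WSCRIPT_CMD_RE = re.compile(
    r"\bwscript(?:\.exe)?\b.*//B\b.*(?:%APPDATA%|\\AppData\\Roaming)\\[A-Za-z]{5}\.vbs\b",
    re.IGNORECASE,
)
APPDATA_FILE_RE = re.compile(
    r"\\AppData\\Roaming\\[A-Za-z]{5}\.(?:vbs|vbs\.dat|mds)$", re.IGNORECASE
)
VBSHOWER_C2_IPS = {"176.31.59.232", "144.217.174.57"}
# Assumption: the Word -> remote template -> HTA -> VBS chain shows up as an Office
# process spawning a script host. This is a heuristic, not an indicator from the page.
OFFICE_PARENTS = {"winword.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

Event = Dict[str, str]
Finding = Tuple[str, str]


def _basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (works on any host OS)."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: List[Event]) -> List[Finding]:
    """Return (rule, evidence) pairs for events matching VBShower artifacts."""
    findings: List[Finding] = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set":
            name_hit = RUN_VALUE_RE.match(ev["target"]) is not None
            cmd_hit = WSCRIPT_CMD_RE.search(ev["details"]) is not None
            if name_hit and cmd_hit:
                findings.append(("vbshower_run_key", ev["target"]))
            elif cmd_hit:
                # A Run value launching wscript //B on a 5-letter %APPDATA% .vbs is
                # worth a look even if the value name drifts from the pattern.
                findings.append(("suspicious_wscript_run_value", ev["target"]))
        elif kind == "file_create":
            if APPDATA_FILE_RE.search(ev["path"]):
                findings.append(("vbshower_appdata_file", ev["path"]))
        elif kind == "process_create":
            parent, image = _basename(ev["parent_image"]), _basename(ev["image"])
            if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
                findings.append(("office_spawns_script_host", f"{parent} -> {image}"))
        elif kind == "network":
            if ev["dst_ip"] in VBSHOWER_C2_IPS:
                findings.append(("vbshower_c2_ip", ev["dst_ip"]))
    return findings


# Constructed sample telemetry (not real logs): one VBShower-like host plus benign noise.
SAMPLE_EVENTS: List[Event] = [
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\3fa9c01e",
     "details": r'wscript //B "%APPDATA%\Qwert.vbs"'},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Qwert.vbs"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Qwert.vbs.dat"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Qwert.mds"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe"},
    {"type": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "network", "dst_ip": "176.31.59.232", "dst_port": "80"},
    {"type": "network", "dst_ip": "203.0.113.10", "dst_port": "443"},
]

if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {evidence}")
```

The eight-hex-character value name on its own is too weak to alert on, so the high-confidence rule requires both the name and the wscript //B command line; the weaker rule keeps the command-line check on any value name so a change in the naming scheme does not blind it. The same regexes map directly onto a Sigma rule over Sysmon event IDs 13 (registry value set), 11 (file create), 1 (process create) and 3 (network connection).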
Cloud Atlas campaigns using VBShower have targeted organizations in Eastern Europe and Central Asia, with specific reporting on Russia and Belarus, and sectors including telecommunications, construction, government, and industrial facilities. Additional reporting notes Russian organizations were targeted with VBShower in campaigns attributed to Cloud Atlas.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories: CVE-2018-0802, a memory-corruption bug in the Microsoft Office Equation Editor (EQNEDT32.EXE), exploited by the remote template rather than by VBShower itself.
"When opened, the malicious document loads a remote template from C2 specified in one of the document's streams," cybersecurity company Solar said. "This template exploits the CVE-2018-0802 vulnerability. This is followed by downloading a malicious file with alternate streams, i.e., VBShower."
Groups observed using it
1 threat actor attributed by public researchers: Cloud Atlas (aka Inception).
"A backdoor that we name VBShower which is polymorphic and replaces PowerShower as a validator;"
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique (Phishing: Spearphishing Attachment, T1566.001): "The Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails... crafted with Office documents that use malicious remote templates – allowlisted per victims – hosted on remote servers."
Execution
2 techniques. Command and Scripting Interpreter: Visual Basic (T1059.005): VBShower is itself VBScript, is dropped by an HTA, and executes the VBS payloads it downloads. Exploitation for Client Execution (T1203): "This template exploits the CVE-2018-0802 vulnerability."
Persistence
1 technique (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.001): VBShower writes a value named with eight hex characters under HKCU\Software\Microsoft\Windows\CurrentVersion\Run whose data launches wscript.exe in background mode on its VBS file in %APPDATA%.
Privilege Escalation
1 technique: the same Run-key autostart (T1547.001) as under Persistence; ATT&CK lists it under both tactics because a Run value executes at every logon of that user.
Stealth (ATT&CK: Defense Evasion)
5 techniques. Indicator Removal (T1070) and File Deletion (T1070.004): VBShower deletes files from the Office Temporary Internet Files\Content.Word cache directories listed above, the location where Word keeps content fetched from the internet, including remote templates.
"...a new infection chain, involving a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system."
Template Injection (T1221): “...the malicious document loads a remote template from C2 specified in one of the document's streams...”
Hide Artifacts: NTFS File Attributes (T1564.004): “...downloading a malicious file with alternate streams, i.e., VBShower.”
Discovery
1 technique (Process Discovery, T1057): "A reconnaissance module which retrieves a list of the active processes, the current user and the current Windows domain."
Command and Control
2 techniques. Application Layer Protocol: Web Protocols (T1071.001): VBShower beacons to its C2 over HTTP, sending host context data. Ingress Tool Transfer (T1105): over the same channel it periodically requests VBS payloads, observed to be installers for PowerShower, VBCloud and the CloudAtlas backdoor.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, both C2 IP addresses: 176.31.59.232 and 144.217.174.57. No domains or file hashes are tracked; the file and registry artifacts above are regular-expression patterns rather than fixed values, and as with any address-based indicator, check when an IP was last seen active before blocking rather than alerting on it.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Custom malware delivered after a malicious Word document loads a remote template from C2 and exploits CVE-2018-0802; VBShower is downloaded using alternate data streams.
VBShower is a backdoor used by the Cloud Atlas threat actor, delivered via phishing documents. It downloads and installs other backdoors and can be used to exfiltrate files and gather information.
Primary launcher backdoor used by Cloud Atlas APT to execute downloaded VB scripts and deploy additional payloads. It communicates with command servers to retrieve and execute scripts for file exfiltration, system enumeration, and credential harvesting.
VBShower is a VBS-based backdoor used as an initial stage in the Cloud Atlas infection chain. It is responsible for downloading and installing additional backdoors (PowerShower, VBCloud, CloudAtlas), collecting system information, and facilitating persistence and further payload delivery.