VBCloud
VBCloud is a custom Windows backdoor used by the Cloud Atlas APT group in espionage campaigns observed through 2025 and into early 2026. It is delivered in multi-stage phishing-led intrusion chains, including ZIP archives containing malicious LNK files that launch external PowerShell scripts, and in related Cloud Atlas activity involving malicious Office documents exploiting CVE-2018-0802. In the LNK-based chain, an initial PowerShell script establishes persistence, downloads a decoy PDF, removes infection traces, and executes fixed.ps1, which acts as a loader/dropper for VBCloud and PowerShower.
On infected systems, VBCloud consists of two files: a launcher VBScript and an encrypted main body; reported filenames are video.vbs and video.mds. The launcher decrypts the payload, typically with RC4 and a hardcoded key, and executes it in memory. VBCloud communicates with its command server over an encrypted channel through cloud-based infrastructure and can receive additional scripts or commands to execute.
Its primary documented role is file theft and exfiltration. VBCloud is described as a stealer/backdoor that searches for and exfiltrates files with targeted extensions including DOC, PDF, and XLS; related reporting also notes FileGrabber functionality targeting DOC, DOCX, XLS, XLSX, and PDF files, with filtering by size, date, and path. VBCloud can also download and execute additional malicious scripts, including file-grabber components.
VBCloud is associated with Cloud Atlas operations targeting primarily government agencies, diplomatic organizations, and other entities in Russia and Belarus; broader 2025 reporting also places Cloud Atlas targeting in telecommunications, construction, government, and industrial sectors in Eastern Europe and Central Asia. High-confidence related artifacts and behaviors in the same intrusion chains include %TEMP%\fixed.ps1 as the loader, persistence via a Run registry entry named YandexBrowser_setup, and deployment alongside the PowerShower reconnaissance backdoor.
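The artifacts above (the %TEMP%\fixed.ps1 loader, the YandexBrowser_setup Run entry and the video.vbs/video.mds pair) can be turned into hunting logic; the following is an added Python example, not Mallory's or any vendor's code, that classifies constructed Sysmon-style JSON-lines events. Field names (EventID, Image, CommandLine, TargetObject, TargetFilename) follow Sysmon's conventions, but every record is constructed for the example.

```python
"""Hunt VBCloud intrusion-chain artifacts in Sysmon-style JSON-lines telemetry."""
import json
import re

# Artifacts from the report: loader path, Run-key value name, launcher/payload names.
LOADER_RE = re.compile(r"\\temp\\fixed\.ps1\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\yandexbrowser_setup$", re.IGNORECASE)
LAUNCHER_RE = re.compile(r"\bvideo\.(vbs|mds)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def classify(event):
    """Return a finding label for one event, or None if it is not suspicious."""
    eid = event.get("EventID")
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        return "persistence:run_key_YandexBrowser_setup"
    if eid == 1:  # process creation
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        cmd = event.get("CommandLine", "")
        if image in {"powershell.exe", "pwsh.exe"} and LOADER_RE.search(cmd):
            return "execution:powershell_fixed_ps1_loader"
        if image in SCRIPT_HOSTS and LAUNCHER_RE.search(cmd):
            return "execution:script_host_video_vbs"
    if eid == 11 and LAUNCHER_RE.search(event.get("TargetFilename", "")):  # file create
        return "artifact:video_vbs_or_mds_written"
    return None

def hunt(jsonl):
    """Scan JSON-lines telemetry; return (record index, label) for each hit."""
    findings = []
    for i, line in enumerate(l for l in jsonl.splitlines() if l.strip()):
        label = classify(json.loads(line))
        if label:
            findings.append((i, label))
    return findings

# Constructed sample telemetry: four chain events followed by two benign ones.
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Users\\u\\AppData\\Local\\Temp\\fixed.ps1"},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\YandexBrowser_setup"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\video.mds"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Users\\u\\AppData\\Roaming\\video.vbs"},
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\explorer.exe"},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
])

if __name__ == "__main__":
    for idx, label in hunt(SAMPLE):
        print(idx, label)
```

The Run-key pattern matches the value name regardless of the hive prefix (HKU\<SID> or HKCU), which is how Sysmon and most EDRs record it.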
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
... exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code ...
Groups observed using it
1 distinct threat actor attributed by public researchers.
When a victim opens the shortcut, it quietly runs a PowerShell script pulled from an external server. That script sets up persistence, downloads a decoy PDF to distract the user, removes infection traces, and deploys payloads including a backdoor called VBCloud and a reconnaissance tool called PowerShower.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
"PLAYFULGHOST Delivered via Phishing and SEO Poisoning"; "Victims get infected via phishing emails"; "phishing campaign" (multiple entries)
“Cloud Atlas... using phishing emails bearing malicious Word documents to distribute custom malware known as VBShower and VBCloud.”
Execution
3 techniques
To install a reverse SSH tunnel on a victim’s host, the attackers run VBS scripts via PAExec or PsExec.
"...malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code"
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
1 technique
“...the malicious document loads a remote template from C2 specified in one of the document's streams...”
Collection
1 technique
This backdoor works as a stealer that searches for and exfiltrates files with specified extensions (such as DOC, PDF and XLS).
Command and Control
2 techniques
This is the main module that connects to a C2 server to receive additional scripts or execute built-in commands.
When a victim opens the shortcut, it quietly runs a PowerShell script pulled from an external server.
Exfiltration
1 technique
This backdoor is designed to function as a stealer, specifically targeting files with extensions of interest (such as DOC, PDF, XLS) and exfiltrating them.
IOCs tracked for this family
22 indicators (network infrastructure and file hashes) attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A backdoor deployed by Cloud Atlas after phishing-based initial access to maintain persistent access inside compromised networks.
Backdoor deployed by Fixed.ps1. Its launcher decrypts and executes the encrypted payload in memory, connects to a command server, receives additional scripts or executes built-in commands, and steals/exfiltrates files such as DOC, PDF, and XLS.
Custom malware family used by Cloud Atlas and distributed via phishing Word documents (remote template technique noted in the described chain).
Previously undocumented malware used by Cloud Atlas; delivered via phishing documents exploiting CVE-2018-0802.