Type: Believed Nation State

Status: Active

Other Names: Mimics Red October; believed to be either a false flag or an evolution

Active Since/Discovered: 2014 / August 2014

Targets: Russia, Kazakhstan, Belarus, India, The Czech Republic

Target Sectors: Diplomatic organizations/embassies and Government entities


    • Cloud Atlas / Trojan.Win32.CloudAtlas.gen
      • Uncommon file names
      • The Microsoft Office exploit does not directly write a Windows PE backdoor to disk. Instead, it writes an encrypted Visual Basic Script and runs it
      • Uniquely named Payloads:
        • steinheimman
        • papersaving
        • previliges
        • fundamentive
        • bicorporate
        • miditiming
        • damnatorily
        • munnopsis
        • arzner
        • redtailed
        • roodgoose
        • acholias
        • salefians
        • wartworts
        • frequencyuse
        • nonmagyar
        • shebir
        • getgoing
      • All samples communicate via HTTPS and WebDAV with the same server “”, a cloud services provider
        • Each sample communicates with a different account which is downloaded by the implant, decrypted and interpreted
        • The malware uploads the replies back to the server via the same mechanism
      • Data is compressed with LZMA and encrypted with AES
        • The key is stored in the body of the malware

Preferred Attack Vector: Social Engineering and Exploits


  • CVE-2012-0158
  • Spear-phishing lures focusing on car sales are similar to Red October
  • Targeted Windows, Android, iOS, Linux
  • Cyberespionage and Data Theft
  • Microsoft Office exploit writes an encrypted Visual Basic Script and runs it instead of writing a Windows PE backdoor to disk


  • May be a rebirth of the Red October campaign
    • Some shared victims
    • Similar malware implant construction
  • All malware samples communicate with accounts from a cloud service provider as C2