Solar 4RAYS specialists discovered five successful infections on one system following a phishing attack.

In one investigation, Solar 4RAYS analyzed a phishing campaign by the APT group Cloud Atlas and discovered a rare pattern: the same work system was phished five times, each time resulting in a successful infection. The investigation was prompted by an antivirus detection in March 2025 of a suspicious VBScript file in a Windows public folder, after which specialists retrieved the artifacts and reconstructed the chain of events.
Cloud Atlas has been known since at least 2014 and is associated with espionage operations against government agencies and organizations in various countries. According to researchers, a significant portion of the group's observed attacks target Russian government and private organizations, and its key tactics remain phishing: emails containing Microsoft Word documents that the user opens as "regular" work-related correspondence.
In the analyzed case, the infection began with a malicious Word document. Next, a Windows script interpreter was launched on the machine, and the malicious logic itself was hidden not in a separate executable file but within the file system, using NTFS alternate data streams (ADS). This technique allows code and its output to be stored so that nothing suspicious is visible when the file is viewed in File Explorer. This concealment technique and the recurring script were the key hallmarks of Cloud Atlas's tradecraft in this investigation.
Some of the original attachments were no longer present on the system, but researchers found traces of their download and of access to control domains in Windows and Microsoft Office artifacts. The report mentions several C2 addresses used in different episodes, and notes that the last attempt to develop the attack further was thwarted early: the antivirus software detected in time one of the scripts intended to launch the next payload.
The researchers' conclusion is quite straightforward: in 2025, the Cloud Atlas chain has remained virtually unchanged, with phishing still the primary entry point, and ADS a method for hiding activity on disk. Therefore, protection here relies not on a "magic" signature, but on discipline: training employees to recognize phishing, limiting script execution, EDR on workstations, and event monitoring that helps spot recurring signs of compromise before an attack takes hold.
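Since the recommended defense above includes monitoring for recurring signs of compromise, here is an added PowerShell example (not code from the Solar 4RAYS report) that enumerates non-default NTFS alternate data streams under a folder and flags those whose content looks like script code; the scan root, preview length and keyword list are assumptions.

```powershell
# Added example (not code from the Solar 4RAYS report): list non-default NTFS
# alternate data streams under a folder and flag ones whose content looks like script.
# Assumptions: scan root, preview size and the keyword list below are our own choices.
param(
    [string]$Root = 'C:\Users\Public',   # the kind of public folder the article mentions
    [int]$PreviewBytes = 96
)

# Read the first bytes of a stream without executing anything. Windows PowerShell 5.1
# and PowerShell 7 differ in how raw bytes are requested, so handle both.
function Get-StreamPreview {
    param([string]$Path, [string]$Stream, [int]$Count)
    $common = @{ LiteralPath = $Path; Stream = $Stream; TotalCount = $Count; ErrorAction = 'SilentlyContinue' }
    $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content @common -AsByteStream
    } else {
        Get-Content @common -Encoding Byte
    }
    if (-not $bytes) { return '' }
    # Printable ASCII is kept, everything else becomes '.', so the preview is safe to display
    -join ($bytes | ForEach-Object { if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { '.' } })
}

# Tokens typical of VBScript / PowerShell loaders; tune this for your environment.
$scriptPattern = '(?i)wscript|cscript|createobject|powershell|function |dim |set |execute'

$findings = foreach ($file in Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue) {
    # ':$DATA' is the normal file content; Zone.Identifier is the benign mark-of-the-web
    # stream (itself useful as a download trace, but not a payload container).
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
    foreach ($s in $streams) {
        $preview = Get-StreamPreview -Path $file.FullName -Stream $s.Stream -Count $PreviewBytes
        [pscustomobject]@{
            File       = $file.FullName
            Stream     = $s.Stream
            Length     = $s.Length
            ScriptLike = [bool]($preview -match $scriptPattern)
            Preview    = $preview
        }
    }
}

# Script-looking streams first; export the full list for the case file.
$findings | Sort-Object -Property ScriptLike -Descending | Format-Table -AutoSize
$findings | Export-Csv -LiteralPath (Join-Path $env:TEMP 'ads-scan.csv') -NoTypeInformation
```

Run it periodically (or from an EDR response action) against user-writable folders; any file carrying a script-like extra stream is worth pulling for triage even if the main stream looks harmless.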