Cloudsorcerer

Threat Actor updated 23 days ago (2024-11-29T13:57:15.222Z)
Download STIX
Preview STIX
CloudSorcerer, a threat actor group known for its malicious activities, has been identified by Kaspersky as the entity behind a new EastWind campaign targeting Russian organizations. The group updated their CloudSorcerer backdoor after it was initially described in a blog post by Kaspersky in early July 2024. This sophisticated cyber espionage tool was used to download additional payloads onto infected computers, including tools used by APT31 and APT27 groups, and an updated version of the CloudSorcerer backdoor itself. The new version of this backdoor now uses profile pages on the Russian-language social network LiveJournal and the Q&A site Quora as the initial command and control (C2) servers. The CloudSorcerer backdoor was also found to be involved in downloading the GrewApacha Trojan and a previously unknown implant onto infected computers. In addition, the adversary used the C2 servers to download 'CloudSorcerer,' a newly modified version of the same. Analysis of decrypted .ini files revealed them to be updated versions of the CloudSorcerer backdoor. Furthermore, the PlugY implant, which overlaps with code from APT27, is delivered using the CloudSorcerer backdoor, launching a process named msiexec.exe for each user signed into the OS and creating named pipes with the name template \.\PIPE\Y. CloudSorcerer's activities pose a significant threat to Russian organizations, including government entities. It has shown adaptability and sophistication by modifying its backdoor in response to public exposure and leveraging it to deliver various forms of malware. This demonstrates the group's persistent threat to cybersecurity and highlights the need for continuous vigilance and proactive defense strategies against such evolving cyber threats.
Description last updated: 2024-11-15T16:03:34.867Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
PlugY is a possible alias for Cloudsorcerer. PlugY is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data host
3
APT31 is a possible alias for Cloudsorcerer. APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Cloud Services
Apt
Windows
Kaspersky
Tool
Implant
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Cloudwizard Malware is associated with Cloudsorcerer. CloudWizard is a potent malware that has been implicated in advanced persistent threat (APT) campaigns, specifically those related to the Russo-Ukrainian conflict. It was first reported by Kaspersky in 2023 and is known for its features like taking screenshots, microphone recording, keylogging, amonUnspecified
3
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The APT27 Threat Actor is associated with Cloudsorcerer. APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the Unspecified
2
Source Document References
Information about the Cloudsorcerer Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more