Cloudsorcerer

Threat Actor updated a day ago (2024-11-20T18:15:59.953Z)

Download STIX

Preview STIX

CloudSorcerer, a threat actor group known for its malicious activities, has been identified by Kaspersky as the entity behind a new EastWind campaign targeting Russian organizations. The group updated their CloudSorcerer backdoor after it was initially described in a blog post by Kaspersky in early July 2024. This sophisticated cyber espionage tool was used to download additional payloads onto infected computers, including tools used by APT31 and APT27 groups, and an updated version of the CloudSorcerer backdoor itself. The new version of this backdoor now uses profile pages on the Russian-language social network LiveJournal and the Q&A site Quora as the initial command and control (C2) servers. The CloudSorcerer backdoor was also found to be involved in downloading the GrewApacha Trojan and a previously unknown implant onto infected computers. In addition, the adversary used the C2 servers to download 'CloudSorcerer,' a newly modified version of the same. Analysis of decrypted .ini files revealed them to be updated versions of the CloudSorcerer backdoor. Furthermore, the PlugY implant, which overlaps with code from APT27, is delivered using the CloudSorcerer backdoor, launching a process named msiexec.exe for each user signed into the OS and creating named pipes with the name template \.\PIPE\Y. CloudSorcerer's activities pose a significant threat to Russian organizations, including government entities. It has shown adaptability and sophistication by modifying its backdoor in response to public exposure and leveraging it to deliver various forms of malware. This demonstrates the group's persistent threat to cybersecurity and highlights the need for continuous vigilance and proactive defense strategies against such evolving cyber threats.

Description last updated: 2024-11-15T16:03:34.867Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
PlugY is a possible alias for Cloudsorcerer. PlugY is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data host	3
APT31 is a possible alias for Cloudsorcerer. APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Malware

Cloud Services

Apt

Windows

Kaspersky

Tool

Implant

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Cloudwizard Malware is associated with Cloudsorcerer. CloudWizard is a potent malware that has been implicated in advanced persistent threat (APT) campaigns, specifically those related to the Russo-Ukrainian conflict. It was first reported by Kaspersky in 2023 and is known for its features like taking screenshots, microphone recording, keylogging, amon	Unspecified	3

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The APT27 Threat Actor is associated with Cloudsorcerer. APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the	Unspecified	2

Source Document References

Information about the Cloudsorcerer Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securelist	6 days ago	Crimeware and financial predictions for 2025
Securelist	a month ago	Kernel shellcode persistence technique in APT attacks and SAS CTF challenge
Securelist	a month ago	Cyberthreats in the Middle East H1 2024
Securityaffairs	3 months ago	Security Affairs newsletter Round 485 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading	3 months ago	'EastWind' Cyber Spy Campaign Combines Various Chinese APT Tools
Securelist	3 months ago	EastWind campaign distributes CloudSorcerer and two APT tools
Securelist	3 months ago	Kaspersky report on APT trends in Q2 2024
Securityaffairs	3 months ago	EastWind campaign targets Russian organizations with sophisticated backdoors
Securelist	4 months ago	LianSpy: Android spyware leveraging Yandex Disk as C2
DARKReading	4 months ago	'CloudSorcerer' Leverages Cloud Services in Cyber-Espionage Campaign
InfoSecurity-magazine	4 months ago	New APT CloudSorcerer Malware Hits Russian Targets
Securelist	4 months ago	CloudSorcerer APT uses cloud services and GitHub as C2