Cloudsorcerer

Threat Actor updated 25 days ago (2024-08-13T16:17:54.134Z)
CloudSorcerer is a newly identified threat actor discovered by Kaspersky, which targets Russian government entities and uses cloud services for command and control (C2) infrastructure. Similar to the previously reported CloudWizard Advanced Persistent Threat (APT), CloudSorcerer leverages public cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox for its C2 operations, demonstrating a sophisticated approach to cyber espionage. The actor also uses GitHub as its initial C2 server, indicating a well-planned strategy for initiating its malicious activities. The CloudSorcerer malware is an advanced cyber-espionage tool used for stealth monitoring, data collection, and exfiltration via the aforementioned cloud infrastructures. Attackers deploy previously undetected malware named PlugY through the CloudSorcerer backdoor. Additionally, this threat actor has exhibited dynamic adaptability based on process context, further complicating defensive efforts. A new variant of the CloudSorcerer backdoor, used in the EastWind campaign, employs a utility called GetKey.exe, packed with the VMProtect protector, to encrypt the malicious payload so that it can only be decrypted on the victim's computer. Since its initial discovery in July 2024, CloudSorcerer has been updated and now uses profiles on the LiveJournal blog platform and Quora as its initial command servers. The malware receives commands via Dropbox, leading to the installation of additional Trojans, including tools from the APT31 cyber espionage group and an updated version of the CloudSorcerer backdoor named GrewApacha. This continued evolution and adoption of novel tactics underscore the persistent and escalating threat posed by CloudSorcerer.
Description last updated: 2024-08-13T15:18:48.839Z
Aliases: no aliases are currently tracked.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:
- Backdoor
- Malware
- Cloud Services
- APT
- Implant
- Windows
- Kaspersky
- Tool
Associated Malware

ID | Type | Votes | Profile Description
PlugY | Unspecified | 3 | PlugY is a newly identified malware that has been deployed by cyber attackers to infiltrate systems and cause significant damage. This malicious software, known for its capacity to exploit and harm computer systems, can enter a system through suspicious downloads, emails, or websites, often unbeknow…
CloudWizard | Unspecified | 3 | CloudWizard is a malicious software (malware) that has been used in advanced persistent threat (APT) campaigns. First reported by Kaspersky in 2023, it has been linked to cyber warfare activities in the Russo-Ukrainian conflict area. The malware operates by infiltrating systems and performing harmfu…
Associated Threat Actors

ID | Type | Votes | Profile Description
APT31 | Unspecified | 2 | APT31, also known as Zirconium, is a threat actor group linked to the Chinese government that has been implicated in numerous cyber espionage activities. One of their most notable exploits was the cloning of the Equation Group's exploit, EpMe (CVE-2017-0005). This exploit was initially discovered du…
Source Document References
Information about the Cloudsorcerer Threat Actor was read from the documents corpus below (display limited to 20 results).

Source | Created At | Title
Securityaffairs | 21 days ago | Security Affairs newsletter Round 485 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading | 24 days ago | 'EastWind' Cyber Spy Campaign Combines Various Chinese APT Tools
Securelist | 24 days ago | EastWind campaign distributes CloudSorcerer and two APT tools
Securelist | 25 days ago | Kaspersky report on APT trends in Q2 2024
Securityaffairs | a month ago | EastWind campaign targets Russian organizations with sophisticated backdoors
Securelist | a month ago | LianSpy: Android spyware leveraging Yandex Disk as C2
DARKReading | 2 months ago | 'CloudSorcerer' Leverages Cloud Services in Cyber-Espionage Campaign
InfoSecurity-magazine | 2 months ago | New APT CloudSorcerer Malware Hits Russian Targets
Securelist | 2 months ago | CloudSorcerer APT uses cloud services and GitHub as C2