Cloud Atlas hackers target Russian agriculture sector ahead of industry forum

A Russia-based cybersecurity firm has uncovered another cyber-espionage campaign by the state-backed threat actor Cloud Atlas, which targeted the country’s agricultural sector using lures tied to an upcoming industry forum. 

The attack, which is the second time the group has hit Russia’s agro industrial firms in recent months, coincided with preparations for the Russian agriculture forum scheduled for the end of the month in Moscow. According to researchers at F6, the hackers sent phishing emails disguised as the event’s official program, containing a malicious file that exploited an old Microsoft Office flaw — CVE-2017-11882, a vulnerability patched in 2017 but still widely abused by cybercriminals.

The same flaw was exploited back in 2023, when Cloud Atlas targeted a Russian agro-industrial enterprise and a state-owned research company with phishing emails related to Russia’s war in Ukraine.

The exploit allows attackers to execute malicious code and potentially take full control of the system, giving them the ability to install software, alter or delete data and create new user accounts.

Researchers noted that Cloud Atlas — also tracked as Inception — has shown increased activity throughout 2025, particularly against Russian and Belarusian targets. F6 also found indications that a defense enterprise was among the group’s October targets, though they did not provide technical details.

According to the report, Cloud Atlas continues to refine its tools and delivery methods, experimenting with different payloads while maintaining long-used infection chains.

“Cloud Atlas’s continued use of the same tactics and exploitation of long-known vulnerabilities suggests its attacks remain effective — largely due to unprotected or poorly maintained systems and the human factor,” researchers said.

Cloud Atlas — active since at least 2014 — is a state-sponsored espionage group known for attacks on organizations in Russia, Belarus, Azerbaijan, Turkey and Slovenia. Its operations focus on data theft and surveillance, though the exact country behind it remains unclear.

The hackers typically rely on multi-stage phishing campaigns, sending emails that mimic government correspondence, business offers or media materials. Their malware often employs custom-built loaders and encrypted communications to remain undetected and exfiltrate stolen data.

“These factors make Cloud Atlas a highly capable and persistent threat to organizational cybersecurity,” researchers added.