🇷🇺

Inception

APT Group Information theft and espionage 5 zero-day CVEs ETDA ✓

Also Known As

No alias recorded

Target Countries 54

Countries highlighted in red

United Arab Emirates Afghanistan Armenia Austria Azerbaijan Belgium Bulgaria Brazil Belarus Democratic Republic of the Congo Congo Switzerland China Cyprus Czech Republic Germany France United Kingdom Georgia Greece Indonesia India Islamic Republic of Iran Italy Jordan Kenya Kyrgyzstan Kazakhstan Lebanon Lithuania Morocco Republic of Moldova Malaysia Mozambique Oman Panama Pakistan Portugal Paraguay Qatar Romania Russian Federation Saudi Arabia Slovenia Suriname Tajikistan Turkmenistan Turkey Ukraine Uganda United States Uzbekistan Vietnam South Africa

Sectors Targeted

Financial Other Services (except Public Administration) 81 Energy NAICS:48 48 Information 51 Commercial Banking 52211 Professional, Scientific, and Technical Services 54 Public Administration 92 National Security and International Affairs 9281 Computer Systems Design and Related Services 54151 National Security and International Affairs 928 Construction 23 Software Publishers 5112 Embassies Cryptocurrency Private sector NAICS:31 31 Utilities 22 Finance and Insurance 52 Aerospace Mining, Quarrying, and Oil and Gas Extraction 21 Oil and Gas Extraction 211 Computer Systems Design Services 541512 Telecommunications 517 Internet Publishing and Broadcasting and Web Search Portals 51913 Oil and gas Research Engineering Defense Computer Systems Design and Related Services 5415 Rail Transportation 482 Air Transportation 481 Other Information Services 519 Crypto Space Research and Technology 927 Agriculture, Forestry, Fishing and Hunting 11 Government

Details

Origin 🇷🇺 RU

Last Updated 06 Jan 2026

Malware Families 4

METASPLOIT

netsupportmanager_rat

SparkKitty

SparkCat

MITRE ATT&CK 83

T1001 - Data Obfuscation T1003.001 - LSASS Memory T1005 T1012 - Query Registry T1014 - Rootkit T1016 - System Network Configuration Discovery T1027 - Obfuscated Files or Information T1027.002 - Software Packing T1027.013 T1033 - System Owner/User Discovery T1036 - Masquerading T1036.004 - Masquerade Task or Service T1036.005 - Match Legitimate Name or Location T1041 - Exfiltration Over C2 Channel T1049 - System Network Connections Discovery T1053 - Scheduled Task/Job T1053.005 - Scheduled Task T1055 - Process Injection T1056 - Input Capture T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.001 - PowerShell T1059.003 - Windows Command Shell T1059.005 - Visual Basic T1069 T1069.002 T1070 - Indicator Removal on Host T1070.004 - File Deletion T1071 T1071.001 - Web Protocols T1082 - System Information Discovery T1083 - File and Directory Discovery T1090 - Proxy T1090.003 T1102 - Web Service T1102.002 - Bidirectional Communication T1105 - Ingress Tool Transfer T1112 - Modify Registry T1132.001 - Standard Encoding T1134 - Access Token Manipulation T1140 - Deobfuscate/Decode Files or Information T1157 - Dylib Hijacking T1195 - Supply Chain Compromise T1199 - Trusted Relationship T1203 T1204 - User Execution T1204.002 - Malicious File T1218 - Signed Binary Proxy Execution T1218.005 T1218.010 T1221 T1490 - Inhibit System Recovery T1496 - Resource Hijacking T1518 T1518.001 - Security Software Discovery T1526 - Cloud Service Discovery T1543.003 - Windows Service T1547 - Boot or Logon Autostart Execution T1547.001 - Registry Run Keys / Startup Folder T1552.001 - Credentials In Files T1553.002 - Code Signing T1553.005 - Mark-of-the-Web Bypass T1555 T1555.003 - Credentials from Web Browsers T1560 - Archive Collected Data T1565.001 - Stored Data Manipulation T1566 - Phishing T1566.001 - Spearphishing Attachment T1569 - System Services T1573 T1573.001 - Symmetric Cryptography T1574 - Hijack Execution Flow T1584 - Compromise Infrastructure T1584.001 - Domains T1586 - Compromise Accounts T1586.002 - Email Accounts T1587 - Develop Capabilities T1587.001 - Malware T1588 - Obtain Capabilities T1588.001 - Malware T1588.002 T1589 - Gather Victim Identity Information T1589.002 - Email Addresses

Related Zero-Days 5

CVE-2018-0802 CVE-2024-1086 CVE-2024-39717 CVE-2025-55182 CVE-2025-61882

Known Names 8 entries

Inception Framework Symantec

Cloud Atlas Kaspersky

Oxygen Microsoft

ATK 116 Thales

Blue Odin PWC

The Rocra ?

Clean Ursa Palo Alto

G0100 MITRE

Observed Target Countries 50

Based on ETDA data — countries highlighted in red

Afghanistan Armenia Austria Azerbaijan Belarus Belgium Brazil Congo Cyprus France Georgia Germany Greece India Indonesia Iran Italy Jordan Kazakhstan Kenya Kyrgyzstan Lebanon Lithuania Malaysia Moldova Morocco Mozambique Oman Pakistan Paraguay Portugal Qatar Romania Russia Saudi Arabia Slovenia South Africa Suriname Switzerland Tajikistan Tanzania Turkey Turkmenistan Uganda Ukraine UAE USA Uzbekistan Venezuela Vietnam

Description

(Symantec) Researchers from Blue Coat Labs have identified the emergence of a previously undocumented attack framework that is being used to launch highly targeted attacks in order to gain access to, and extract confidential information from, victims’ computers. Because of the many layers used in the design of the malware, we’ve named it Inception—a reference to the 2010 movie “Inception” about a thief who entered peoples’ dreams and stole secrets from their subconscious. Targets include individuals in strategic positions: Executives in important businesses such as oil, finance and engineering, military officers, embassy personnel and government officials. The Inception attacks began by focusing on targets primarily located in Russia or related to Russian interests, but have since spread to targets in other locations around the world. The preferred malware delivery method is via phishing emails containing trojanized documents. • Initially targeted at Russia, but expanding globally • Masterful identity cloaking and diversionary tactics • Clean and elegant code suggesting strong backing and top-tier talent • Includes malware targeting mobile devices: Android, Blackberry and iOS • Using a free cloud hosting service based in Sweden for command and control

Tools Used 5

Inception Lastacloud PowerShower VBShower many 0-day exploits

Operations 8

2012-10 Operation “RedOctober” In October 2012, Kaspersky Lab’s Global Research & Analysis Team initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation, which we called “Red October” (after famous novel “The Hunt For The Red October”). https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/#8

2014-05 Hiding Behind Proxies Since 2014, Symantec has found evidence of a steady stream of attacks from the Inception Framework targeted at organizations on several continents. As time has gone by, the group has become ever more secretive, hiding behind an increasingly complex framework of proxies and cloud services. https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies

2014-08 Operation “Cloud Atlas” In August 2014, some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware. We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world. https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/

2018-10 This blog describes attacks against European targets observed in October 2018, using CVE-2017-11882 and a new PowerShell backdoor we’re calling POWERSHOWER due to the attention to detail in terms of cleaning up after itself, along with the malware being written in PowerShell. https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/

2019 During its recent campaigns, Cloud Atlas used a new “polymorphic” infection chain relying no more on PowerShower directly after infection, but executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system. https://securelist.com/recent-cloud-atlas-activity/92016/

2022-02 Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/

2023-12 Cyber-espionage group Cloud Atlas targets Russian companies with war-related phishing attacks https://therecord.media/cloud-atlas-targets-russian-orgs-war-phishing

2024 Cloud Atlas seen using a new tool in its attacks https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/

Reports & References 2

https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf

ETDA Profile

Inception Framework, Cloud Atlas

Origin

Russia

First Seen 2012

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0100/

View on ETDA APT Groups ↗