API Security Blog

CloudSorcerer – A new APT targeting Russian government entities

In May 2024, we discovered a new advanced persistent threat (APT) targeting Russian government entities that we dubbed CloudSorcerer. It is a sophisticated cyberespionage tool used for stealthy monitoring, data collection, and exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure. The malware uses these cloud resources as its command and control (C2) servers, accessing them through their APIs with authentication tokens. Additionally, CloudSorcerer uses GitHub as its initial C2 server.

CloudSorcerer's modus operandi is reminiscent of the CloudWizard APT that we reported on in 2023. However, the malware code is completely different. We presume that CloudSorcerer is a new actor that has adopted a similar method of interacting with public cloud services.

Our findings in a nutshell:

- CloudSorcerer APT uses public cloud services as its main C2s.
- The malware interacts with the C2 using special commands and decodes them using a hardcoded charcode table.
- The actor uses Microsoft COM object interfaces to perform malicious operations.
- CloudSorcerer acts as separate modules (a communication module and a data collection module) depending on which process it is running in, but executes from a single executable.

Technical details

Initial start up

| Attribute | Value |
|---|---|
| MD5 | f701fc79578a12513c369d4e36c57224 |
| SHA1 | f1a93d185d7cd060e63d16c50e51f4921dd43723 |
| SHA256 | e4b2d8890f0e7259ee29c7ac98a3e9a5ae71327aaac658f84072770cf8ef02de |
| Link time | N/A |
| Compiler | N/A |
| File type | Windows x64 executable… |
