Back to Intelligence

Lazarus Supply Chain & Cloud Atlas APT: OTX Pulse Analysis — Multi-Vector Malware Detection Pack

SA
Security Arsenal Team
June 23, 2026
6 min read

Recent OTX Pulse intelligence indicates a surge in sophisticated, multi-vector threat activity spanning state-sponsored operations and sector-specific cybercrime. The data highlights a resurgence of the Lazarus Group utilizing a supply chain compromise against the 3CXDesktopApp to distribute TxRLoader and ArcfeedLoader via trojanized installers. Simultaneously, the Cloud Atlas (Inception) APT group is actively targeting government entities in Russia and Belarus using novel tooling like PowerCloud and VBCloud, alongside commodity malware such as ValleyRAT and NetSupport RAT. Separately, an unidentified threat actor is aggressively targeting Thailand's healthcare sector with sim.py stealers delivered via obfuscated batch scripts within RAR archives. Collectively, these campaigns demonstrate a heavy reliance on signed binary abuse, archive-based initial access, and multi-stage loaders to establish persistent C2 channels.

Threat Actor / Malware Profile

Lazarus Group (3CX Campaign)

  • Malware: TxRLoader, ArcfeedLoader
  • Distribution: Trojanized signed installers of 3CXDesktopApp (Windows, macOS, Linux).
  • Attack Chain: Installation -> DLL Side-loading (compromised ffmpeg.dll) -> HTTPS Beaconing -> Second-stage payload deployment.
  • Objective: Long-term espionage within Finance and Energy sectors.

Cloud Atlas (Inception Framework)

  • Malware: PowerCloud, VBCloud, PowerShower, ReverseSocks, PhantomHeart, ValleyRAT, NetSupport RAT.
  • Distribution: Phishing emails containing malicious ZIP archives with LNK shortcuts.
  • Attack Chain: LNK execution -> PowerShell/Batch scripts -> Loader deployment (VBCloud) -> C2 Establishment & Data Exfiltration.
  • Objective: Intelligence gathering from Government and Commercial entities in Belarus and Russia. Exploits CVE-2018-0802 and 2025 CVEs for privilege escalation.

Unknown Actor (Thailand Healthcare)

  • Malware: sim.py (Python Stealer)
  • Distribution: Spear-phishing with RAR archives containing obfuscated batch scripts.
  • Attack Chain: RAR extraction -> Batch Script Execution (Rouki obfuscation) -> GitHub Payload retrieval -> Python Stealer execution.
  • Objective: Theft of sensitive healthcare data and credentials.

IOC Analysis

The provided pulses contain a mix of network and file-based indicators requiring immediate attention:

  • Domains: Legitimate-sounding infrastructure used for C2 (e.g., akamaicontainer.com, azureonlinecloud.com, officeaddons.com) and payload hosting (github.com referenced in Thailand campaign). SOC teams should treat these with high suspicion despite benign appearances.
  • File Hashes: A significant volume of SHA256, MD5, and SHA1 hashes corresponding to trojanized installers, DLL loaders, and Python scripts. These are critical for EDR correlation and retrospective hunting.
  • CVEs: Cloud Atlas activity references specific exploits (CVE-2018-0802, CVE-2025-55182) which should be cross-referenced with vulnerability management dashboards.
  • Operationalization: Deploy domains to DNS firewall/blocklists. Upload file hashes to EDR detection lists and hunt for historical matches on endpoints within the last 30-60 days.

Detection Engineering

Sigma Rules

YAML
title: Potential Lazarus 3CX DesktopApp DLL Side-loading
id: 9e4c4f1a-1a1b-4c4d-9e5f-6a7b8c9d0e1f
description: Detects potential 3CXDesktopApp loading a suspicious ffmpeg.dll from a non-standard path, indicative of the Lazarus supply chain attack.
status: experimental
date: 2026/06/23
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/3cxdesktopapp-intrusion/
tags:
    - attack.supply_chain
    - attack.t1195.002
    - detection.emerging_threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\3CXDesktopApp.exe'
        ImageLoaded|endswith: '\ffmpeg.dll'
    filter:
        Signed: 'true' # Legit ffmpeg is usually signed or specific path
    condition: selection and not filter
falsepositives:
    - Legitimate 3CX updates (verify signature status)
level: high
---
title: Suspicious Script Execution from Archive Files
id: b2f3c4d5-e6f7-4a5b-8c9d-0e1f2a3b4c5d
description: Detects execution of batch scripts or python directly following the extraction of RAR or ZIP archives, associated with Cloud Atlas and Thailand healthcare campaigns.
status: experimental
date: 2026/06/23
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/thailand-healthcare-rar/
    - https://otx.alienvault.com/pulse/cloud-atlas-activity/
tags:
    - attack.initial_access
    - attack.t1566.001
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_archiver:
        ParentImage|contains:
            - '\WinRAR.exe'
            - '\7zFM.exe'
            - '\WinZip.exe'
    selection_script:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\python.exe'
            - '\wscript.exe'
        CommandLine|contains:
            - '.bat'
            - '.vbs'
            - '.py'
    condition: all of selection_*
falsepositives:
    - Administrative software installation
level: medium
---
title: Cloud Atlas PowerCloud PowerShell C2 Beacon
id: c3d4e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f
description: Detects PowerShell process making network connections to non-standard ports or suspicious endpoints characteristic of Cloud Atlas PowerCloud tool.
status: experimental
date: 2026/06/23
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/cloud-atlas-activity/
tags:
    - attack.command_and_control
    - attack.t1071.001
    - attack.credential_access
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        Initiated: 'true'
    filter_legit_microsoft:
        DestinationHostname|endswith:
            - '.microsoft.com'
            - '.windowsupdate.com'
            - '.office.com'
    condition: selection and not filter_legit_microsoft
falsepositives:
    - Legitimate admin scripts using web requests
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for 3CX related hashes and suspicious network connections
let IOCs = dynamic([
    "akamaicontainer.com", "azureonlinecloud.com", "officeaddons.com",
    "5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290",
    "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61",
    "442e0f4e822842922e7e4685840194e99fd68c7f0ec38c1925914b8f724d5865"
]);
// Network Connections
DeviceNetworkEvents
| where RemoteUrl in (IOCs) or SHA256 in (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, SHA256
| union (
    DeviceProcessEvents
    | where SHA256 in (IOCs) or InitiatingProcessSHA256 in (IOCs)
    | project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
)

PowerShell Hunt Script

PowerShell
# IOC Hunter for Lazarus 3CX and Cloud Atlas Malware
# Requires Administrative Privileges for full file system scan

$TargetHashes = @(
    "5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290",
    "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983",
    "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61",
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868",
    "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb",
    "442e0f4e822842922e7e4685840194e99fd68c7f0ec38c1925914b8f724d5865",
    "4eebc38297a307d18784d6f9ebc8aa6e6f69860be970cc70d9e544deb1ff6ce0",
    "0320dd389fdbab25d46792bd2817675e"
)

$SearchPaths = @("C:\Program Files\3CX", "C:\Users\", "C:\ProgramData")

Write-Host "[+] Starting hunt for Lazarus/Cloud Atlas IOCs..." -ForegroundColor Cyan

foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        Write-Host "[+] Scanning $Path..." -ForegroundColor Yellow
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Where-Object { !$_.PSIsContainer } | ForEach-Object {
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($TargetHashes -contains $FileHash) {
                Write-Host "[!] MALICIOUS FILE DETECTED: $($_.FullName) | Hash: $FileHash" -ForegroundColor Red
            }
        }
    }
}

# Check for C2 Domains in DNS Cache (Requires Admin)
$Domains = @("akamaicontainer.com", "azureonlinecloud.com", "officeaddons.com", "allgoodsdirect.com.au", "istochnik.org", "onedrivesupport.net")
Write-Host "[+] Checking DNS Cache for C2 Domains..." -ForegroundColor Cyan
Get-DnsClientCache | Where-Object { $Domains -contains $_.Entry } | ForEach-Object {
    Write-Host "[!] SUSPICIOUS DNS ENTRY: $($_.Entry) -> $($_.Data)" -ForegroundColor Red
}

Response Priorities

  • Immediate: Block all listed domains and IP addresses at the perimeter and proxy. Push file hashes to EDR isolation lists. Isolate any endpoints with confirmed 3CX ffmpeg.dll hash matches or sim.py execution.
  • 24h: Conduct credential auditing for users who executed the 3CX installer or opened RAR archives in the healthcare sector context. Hunt for PowerShell beaconing activity matching the PowerCloud profile.
  • 1 Week: Review software supply chain security for 3CX updates. Patch systems against CVE-2018-0802 and assess vulnerability status for CVE-2025-55182. Implement strict application allowlisting for archive extraction tools (WinRAR/7-Zip) in high-risk sectors.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwarelazarus-groupcloud-atlassupply-chainaptremote-access-trojan

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action