Cloud Atlas has been found using a previously undocumented toolset, which the group used heavily in 2024. The group mostly targets Eastern Europe and Central Asia. Victims are infected through phishing emails carrying a malicious document. The HTA files in the document exploit vulnerabilities in formula editors to download and execute malware code. After the download is complete, the malware adds a registry key to auto-run a script, 'VBShower Launcher'. VBCloud, a new tool, is being used to steal data from the infected system. The VBCloud module duplicates the core functionality of VBShower and uses public cloud storage as its C2 server. The group uses PowerShell scripts to perform a range of tasks on the infected system. Phishing emails continue to play an important role as an initial access point. Cloud Atlas has been observed attacking victims in Russia, Belarus, Canada, Moldova, Israel, Kyrgyzstan, Vietnam, and Turkey.