
Threat Actor Characterization

Inception

ID: 25bfef169eafddf29120cd78d9d4a66d15927
Cybercrime State-Sponsored
Threat types: Espionage, Intrusion, Phishing
Unknown RUS, USA
Updated: 2026-01-26
Created: 2025-10-22
Progress: 61% Completeness: 57% Freshness: 70%
Operation zone: Russia, United States
Aliases: Cloud Atlas, Inception Framework
MITRE ATT&CK®

Inception (a.k.a. Inception Framework / Cloud Atlas) — since 2014, a modular espionage actor using spearphishing attachments and template injection to deliver PowerShell/VB loaders, persisting via Run keys/regsvr32, stealing browser credentials and documents, and communicating over HTTP(S)/WebDAV and cloud services with multi-hop router proxying.


| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1566.001 | Spearphishing Attachment | TA0001 | 2014–2024: Spearphishing attachments as primary initial-access vector. |
| T1221 | Template Injection | TA0005 | 2018: Decoy documents load remote payloads via template injection over HTTP. |
| T1203 | Exploitation for Client Execution | TA0002 | 2014–2018: Exploits include CVE-2012-0158, CVE-2017-11882, CVE-2018-0802 for client execution. |
| T1059.001 | PowerShell | TA0002 | 2018: PowerShell used to execute payloads and commands. |
| T1059.005 | Visual Basic | TA0002 | 2018: VBScript used for execution/persistence modules (VBShower). |
| T1547.001 | Registry Run Keys / Startup Folder | TA0003, TA0004 | 2018: Persistence via Registry Run keys/Startup folder. |
| T1218.010 | Regsvr32 | TA0005 | 2018: regsvr32 leveraged for execution/persistence of DLL components. |
| T1555.003 | Credentials from Web Browsers | TA0006 | 2018: Browser-password theft plugin targeting IE/Chrome/Opera/Firefox/Torch/Yandex. |
| T1102 | Web Service | TA0011 | 2014–2024: C2 over cloud web services (e.g., CloudMe) and WebDAV/HTTP(S). |
| T1090.003 | Multi-hop Proxy | TA0011 | 2018: Multi-hop proxying using chains of compromised routers. |

Strategic Intelligence
Last updated: 2025-10-22T23:38:05+00:00
Inception (a.k.a. Inception Framework / Cloud Atlas) — Modular Espionage with Multi-Hop Proxying

CLASSIFICATION: Unclassified / Open Source


Executive Summary

Inception is a long-running espionage actor active since 2014 (and with lineage to Cloud Atlas in 2014–2015) that targets government and multiple industries—primarily in Russia, but with activity across Europe, Asia, Africa, the Middle East, and the U.S. Tooling is modular (PowerShower/VBShower, browser-credential plugins), relies on phishing with weaponized documents and template injection, and favors cloud and WebDAV/HTTP(S) for C2. A characteristic tradecraft element is multi-hop proxying through chains of compromised routers before reaching cloud services, complicating takedown and attribution. Capability: medium-high; OPSEC: mature. Confidence: high on TTPs/targeting.


Vendors label Inception/Cloud Atlas as an information-theft APT with regional focus shifting by campaign. No widely accepted public state attribution; activity is consistent with state-aligned intelligence collection. INFERENCE (medium).
