CloudSorcerer

CloudSorcerer is a backdoor used in cyber-espionage activity and notably observed in attacks against Russian entities, including Russian government entities, in 2024. Reporting also links its use to the China-nexus threat activity cluster UAT-8302, which Cisco Talos said targeted government agencies in South America since late 2024 and southeastern Europe in 2025, and to APT31 activity targeting Russia’s IT sector. CloudSorcerer is characterized by its use of legitimate cloud services for command-and-control, including OneDrive, Dropbox, and Yandex Cloud; additional reporting states CloudSorcerer v3 can obtain C2 information from GitHub repositories and GameSpot profiles. In Talos reporting, CloudSorcerer version 3 collects system details when injected into dnapimg.exe and then pivots into explorer.exe for named-pipe command handling, while in spoolsv.exe it can contact a GitHub repository for command retrieval. The malware is associated with long-term access and data theft operations against government and related entities. Infection and deployment context mentioned in the source material includes DLL side-loading and broader post-compromise deployment alongside other implants such as NetDraft and VSHELL. High-confidence infrastructure details specific to the broader UAT-8302 activity include command-and-control domains such as update-kaspersky[.]workers[.]dev and related campaign infrastructure including msiidentity[.]com, drivelivelime[.]com, trafficmanagerupdate[.]com, and IP address 85[.]209[.]156[.]3, though the content does not attribute all of these exclusively to CloudSorcerer.