>samit_hota
Back to adversary profiles
G0100HighActive

Inception (G0100): A Persistent and Stealthy Cyber Espionage Threat

Samit Hota·
Suspected Origin
Russia (suspected)
Motivation
Espionage, Information Theft, Intelligence Collection
Aliases
Inception Framework, Cloud Atlas
Target Sectors
Government, Diplomatic, Energy, Financial, Aerospace, Defense, Engineering, Research, Military-Industrial Complex, Critical Infrastructure, Transportation
Associated Malware
PowerShower, VBShower, PowerModul, PowerTaskel, RtcpProxy, Lastacloud (Android, iOS, BlackBerry), LaZagne, MeshCentral Agent, SystemBC, PowerCloud
#threat-actor#g0100

Overview

Inception, also tracked as Cloud Atlas and Inception Framework (MITRE ATT&CK ID: G0100), is a highly persistent and stealth-focused cyber espionage group that has been active since at least 2014. Initially, the group’s operations primarily targeted Russian interests, but their activities have since expanded globally, impacting entities across Europe, Asia, Africa, the Middle East, and the United States. Multiple intelligence community assessments suggest Inception is Russian-speaking and aligns with the strategic intelligence collection interests of a nation-state, though definitive attribution remains a subject of debate.

The group’s primary motivation is long-term intelligence collection and the theft of confidential information. They are known for consistently maintaining high operational security (OPSEC) and demonstrating a remarkable ability to adapt rapidly to evolving technologies and tools. Inception targets individuals in strategic positions, including executives in critical sectors like oil, finance, and engineering, as well as military officers, embassy personnel, and government officials. Their victimology has evolved with geopolitical shifts, particularly since 2021, with a recent focus on government, diplomatic, research, and industrial targets in Russia, Belarus, and regions impacted by the conflict in Ukraine and Moldova.

Tactics & Techniques

Inception’s operations typically commence with highly targeted spear-phishing emails containing malicious attachments. These documents often leverage well-known vulnerabilities, such as CVE-2012-0158, CVE-2014-1761, CVE-2017-11882, and CVE-2018-0802, to achieve initial compromise. A notable tactic involves using remote templates in Microsoft Word documents, allowing them to deliver payloads without explicit malicious objects in the initial email, thereby bypassing some static analysis techniques and enabling them to customize subsequent attacks based on initial system reconnaissance.

Upon successful initial access, Inception employs a multi-stage infection chain. They often use “reconnaissance documents” to fingerprint the target computer, gathering details about installed software, operating system versions, and hardware. Execution frequently involves PowerShell and VBScripts to run malicious commands and payloads, sometimes delivered via malicious HTA (HTML Application) files.

For persistence, Inception utilizes various techniques, including modifying Registry Run keys (e.g., HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\) and establishing WMI-based footholds. They have also been observed stealing session tokens for long-term cloud access, allowing them to maintain access even if credentials are reset. More recently, the group has adopted SSH tunnels and Tor for maintaining persistence within compromised systems.

Their command and control (C2) infrastructure is sophisticated and designed for stealth. Inception heavily relies on legitimate cloud service providers, such as Dropbox, Google, and CloudMe, for both staging malware and C2 communications, often utilizing the WebDAV protocol. They employ chains of compromised routers to proxy C2 communications, adding layers of obfuscation to their network traffic. The group’s malware is modular, allowing them to load specific plugins based on the requirements of each attack, and they incorporate polymorphic components to evade detection.

Data exfiltration is a core objective, and Inception uses specialized “file hunting” plugins to collect specific document types, including .txt, .pdf, .xls, and .doc files, from infected hosts. Exfiltrated data is often uploaded to cloud storage, and their network communications are typically encrypted using AES.

Intriguingly, Inception has also shown an interest in mobile devices, developing malware (e.g., Lastacloud for Android, iOS, and BlackBerry) capable of recording phone calls and exfiltrating information from these platforms. This mobile malware is reportedly spread via SMS messages and emails containing malicious links, using user profile pages on online forums as dead drops for C2.

Notable Campaigns

Inception has sustained a steady operational tempo since its emergence in 2014. While initially focused on Russia, the group’s targeting broadened considerably over the years. A significant shift in their victimology was observed from late 2021 into 2022, where their focus narrowed to Russia, Belarus, and conflict-affected areas in Ukraine and Moldova, particularly targeting government, diplomatic, and critical infrastructure sectors.

In 2022, they conducted phishing campaigns specifically aimed at employees of Russian government agencies. Further activity was noted in March-April 2022, targeting entities in the pro-Russian Transnistria region of Moldova. Throughout 2025 and into early 2026, Inception has continued persistent campaigns against government agencies and diplomatic entities in Russia and Belarus. They were also implicated in attacks against Russian military-industrial complex companies in late 2024 and early 2025, demonstrating an updated network infrastructure.

Associated Malware & Tools

Inception’s arsenal is characterized by modular and evolving malware, often utilizing publicly available tools alongside their custom developments. Key components include:

  • PowerShower: A PowerShell-based backdoor that serves as a primary tool for executing arbitrary commands, retrieving additional modules, and stealing sensitive data. It’s noted for its attention to detail in cleaning up traces of its activity.
  • VBShower: A backdoor delivered via polymorphic HTA files, used to install subsequent modular backdoors.
  • PowerModul: A new implant observed being deployed in the second half of 2024.
  • PowerTaskel: A non-public modification of the Mythic agent, also deployed in late 2024 campaigns.
  • RtcpProxy Tool: A script often received by PowerShower, designed for specific operational tasks.
  • Modular Backdoors/Plugins: The group employs various plugins, including a “file hunting plugin” to collect specific document types, a “detailed survey plugin” for comprehensive system information gathering (domain membership, processes, hardware enumeration, installed products), and a “browser plugin” capable of stealing passwords and sessions from multiple web browsers (Internet Explorer, Chrome, Opera, Firefox, Torch, Yandex).
  • Lastacloud: A family of mobile malware designed for Android, iOS, and BlackBerry devices, used for call recording and information exfiltration.
  • Open-source tools: Inception has been observed incorporating legitimate or open-source tools into their operations, such as LaZagne for credential dumping. More recently, they have leveraged utilities like ReverseSocks, SSH, and Tor for creating backup control channels and maintaining persistence. In late 2024, they deployed MeshCentral Agent and SystemBC as additional backdoors in response to containment efforts.
  • PowerCloud: A new tool identified in their arsenal during late 2025 and early 2026 activities.

Current Status

Inception remains an active and formidable cyber espionage threat. Recent reporting indicates sustained operations through late 2025 and early 2026, primarily targeting government agencies and diplomatic entities in Russia and Belarus. The group continues to adapt its toolset, introducing new malware like PowerModul, PowerTaskel, and PowerCloud, while also refining its use of established techniques and public utilities like SSH and Tor for C2 and persistence. Their reputation for high operational security and modular approach allows them to pivot rapidly and maintain a stealthy, persistent presence within targeted networks. Organizations in their target sectors, particularly in and around Russia and Belarus, should remain vigilant against Inception’s evolving tactics.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call