The past decade has ushered in rapid shifts in the global cyberespionage landscape, with actors utilizing cloud native tooling, modular malware, and advanced social engineering to infiltrate government, diplomatic and high value networks around the world. In this threat actor group, one actor came to attention during our ongoing investigations – Inception Framework, also known as Blue Odin, Cloud Atlas, Clean Ursa, ATK116, G0100 and OXYGEN. They are arguably one of the more persistent, stealth-focused espionage groups currently operating.
Inception Framework has been tracked since at least 2014 and has earned a robust reputation for consistently maintaining high operational security (OPSEC), performing highly targeted spearphishing, and being able to pivot rapidly based on changing technology and tools. This blog provides a structured analysis of Inception Framework – its identity, its motivation, its tactics, its operational history, and more recently its evolution.
Introduction: A Stealth-Focused Espionage Actor
Notably, the Inception Framework surfaced amidst heightened geopolitical tension, where state influence relied heavily on cyber operations. Despite attribution being open to debate, several intelligence community assessments suggest the group is Russian-speaking and aligned with the interests of a state related to strategic intelligence collection.
Unlike financially-motivated actors, the Inception Framework is focused on long-term, continuous access into high-value networks. Their fundamental operational objective remains intelligence collection, including diplomatic communications, classified government documents, documents providing strategic lines of effort, and sensitive research from the defense and energy sectors.
Inception Framework’s defining feature of campaign design includes disciplined spearphishing, scheduled malware staged on cloud services, and C2 architecture with multiple layers to minimize forensic visibility.
Identity & Motivation
Who Is Inception Framework?
Inception Framework is a multi-staged espionage actor which operates under tight OPSEC and a modular toolset. They are also known as Cloud Atlas and ATK116, depending on the intelligence vendor, but they share the same operational footprint.
Core Motivation
• Long-term espionage objectives
• Credential harvesting focused on access to critical networks
• Monitoring diplomatic and/or governmental communications
• Intelligence gathering that supports energy, defense intelligence, and geopolitical objectives
The group constantly prioritizes stealth, persistence and adaptability, which makes them difficult to detect and especially to eject from a network if they successfully evade detection.
TTPs: Craftsmanship in Espionage Operations
The group’s techniques have changed greatly since 2014, showing an organized effort towards modular tooling and cloud obfuscation.
1. Initial Access: Precision Spearphishing & Cloud Abuse
Framework is known for:
– Highly tailored, targeted, spearphishing emails utilizing geopolitical lures
– Malicious document attachments leveraging Microsoft Office vulnerable libraries
– Current-enabled OAuth abuse towards major cloud providers, such as Google, Azure or O365
– Multi-stage droppers disguised as documents related to diplomacy or policy
The initial access techniques they do take advantage of human trust, policy workflows, and cloud integration to bypass traditional security controls.
2. Persistence: Long-Term Espionage Footprint
Persistence is a fundamental aspect of their approach. Techniques used include:
– Modular backdoors with encrypted configuration files.
– WMI-based persistence across Windows hosts
– Registry-based footholds
– Session token theft for long-term cloud access
Combined with local persistence and the theft of cloud access tokens, the group can maintain access, even after positive credentials have been reset.
3. Command & Control: Cloud-Centric and Obfuscated
Inception continues to use cloud services as both staging and C2 channels:
– Abuse of Dropbox, Google Drive, and OneDrive for payload delivery
– Dynamic DNS cycling to obscure endpoint infrastructure
– Encrypted, low-noise C2 traffic that blends into benign user activity
– Multi-stage payload delivery, to minimize attribution
This cloud-centric method makes detection significantly harder for standard on-premise security products.
4. Malware & Tools: Modular, Encrypted, and Adaptable
Inception has built custom malware families specifically for stealth and threat flexibility:
– Encrypted droppers based on documents
– PowerShell reconnaissance frameworks
– Second-stage payloads hosted in the cloud
– Cross-platform implants targeting Windows, Linux, and mobile devices
Each tool, again, emphasis minimized forensic artifacts and OPSEC principles.
Notable Operations: A Timeline of Activity
2014–2016: Initial Discovery
Security researchers note Cloud Atlas operations linked to European government and diplomatic activity. Early operations involved encrypted document droppers and payloads hosted in the cloud
2017–2019: Expansion into Middle East & Central Asia
The group expanded its operations, employing spearphishing and cloud C2 with targeting of ministries, foreign ministries, and telecommunications service providers
2020–2022: Shift Toward Cloud-Hosted Malware Delivery
With the continued rise of global cloud adoption, Inception began more frequently using cloud storage services to stage on-second stage malware, greatly increasing operational stealth.
2023–2025: Renewed Espionage Surge
The most recent spate of activity involved OAuth hijacking of accounts, enhanced modular backdoors, and even more advanced spearphishing targeting defense and national security organizations
The group’s continued activity across a range of geopolitical hotspots gives insight into areas of potential sustained alignment to longer-term collection targets.
Recent Developments & Evolution
The Inception Framework has been further developing its tradecraft in multiple key areas:
– More sophisticated spearphishing templates that are attached to real diplomatic events
– More abuse of the cloud ecosystem for staging, C2, and data exfiltration
– Further encryption at every stage, making reverse engineering difficult
– Expanded targeting in Africa and the Asia-Pacific region
– Improved OPSEC to avoid overlaps in infrastructure from prior campaigns
These adaptations represent a threat actor that has evolved a step ahead of strategic relevance, and operational stealth.
Conclusion: Strategic Impact & Defensive Recommendations
The Inception Framework represents the next evolution of state-sponsored espionage: cloud-first, modular, and highly persistent. Their central focus on government, diplomatic, and national security spaces reflects the strategic implication on the organization.
Defensive Takeaways
In defense of the Inception Framework, enterprises should:
– Deploy phishing-resistant MFA and monitor OAuth
– Monitor for anomalous cloud behavior and token hijacking
– Require rigorous logging and alerts on WMI, registry changes, and accessing cloud resources
– Segment sensitive government and diplomatic networks
– Monitor for low signal/low noise intrusions with advanced behavioral analytics
As the world becomes increasingly digital from a geopolitical perspective, the Inception Framework, and similar groups, will remain a major threat. Their extensive cloud traffic capability, modular payload delivery, and ability to persist in a stealthy, long-term access puts them among the most advanced espionage actors in the world today.
You can download and review the sheet for all the details!
