Cloudzy With a Chance of Global Cybercrime

Diving into details

• Halcyon's assessment reveals that Cloudzy is being utilized by various threat actors, including APT groups associated with the governments of China, Iran, North Korea, Russia, India, Pakistan, and Vietnam. 
• Additionally, a sanctioned Israeli spyware vendor known for targeting civilians also employs Cloudzy's services. Criminal syndicates and ransomware affiliates, responsible for prominent cyber campaigns, are among the users of Cloudzy's platform as well.
• Cloudzy functions as a C2P, offering hackers a convenient platform to launch attacks, obscure their online activities, and complicate attribution efforts. 
• It accepts cryptocurrencies, providing anonymous access to its RDP Virtual Private Server (VPS) services.

Who operates Cloudzy?

• Cloudzy is believed to be associated with abrNOC, a company located on Fatemi Square in Tehran. The blogs posted by Cloudzy are authored by individuals who either do not exist or are using fake names. 
• Additionally, both companies' logos bear striking similarities, with Cloudzy's logo in purple and abrNOC's in blue, red, and green.
• Halcyon confidently concluded that Cloudzy is highly likely to be a front for abrNOC, the actual hosting company operating from Iran.

Associated ransomware actors

• Halcyon's analysis reveals connections between the ransomware operator "Space Kook" and an initial access broker called Exotic Lily, previously linked to Russian cybercrime group FIN12 and Conti ransomware. 
• Cloudzy's malicious was associated with various state-aligned groups, including UNC2352, accused of Ryuk ransomware attacks on hospitals.

The bottom line