Threat Actor Profile
High APT
Description

Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.(Citation: Unit 42 Inception November 2018)(Citation: Symantec Inception Framework March 2018)(Citation: Kaspersky Cloud Atlas December 2014)

Confidence Score: 90%
Known Aliases: Inception, Inception Framework, Cloud Atlas
Tags: mitre-attack, stix-2.1, intrusion-set
First Seen: Unknown
Last Updated: Unknown
Active Status: Active
Created: April 29, 2026

MITRE ATT&CK Techniques (22)
T1005 - Data from Local System (Collection)
T1071.001 - Web Protocols (Command and Control)
T1090.003 - Multi-hop Proxy (Command and Control)
T1102 - Web Service (Command and Control)
T1573.001 - Symmetric Cryptography (Command and Control)
T1555.003 - Credentials from Web Browsers (Credential Access)
T1027.013 - Encrypted/Encoded File (Defense Evasion)
T1218.005 - Mshta (Defense Evasion)
T1218.010 - Regsvr32 (Defense Evasion)
T1221 - Template Injection (Defense Evasion)
T1057 - Process Discovery (Discovery)
T1069.002 - Domain Groups (Discovery)
T1082 - System Information Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1518 - Software Discovery (Discovery)
T1059.001 - PowerShell (Execution)
T1059.005 - Visual Basic (Execution)
T1203 - Exploitation for Client Execution (Execution)
T1204.002 - Malicious File (Execution)
T1566.001 - Spearphishing Attachment (Initial Access)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
T1588.002 - Tool (Resource Development)
STIX Data
{'aliases': ['Inception', 'Inception Framework', 'Cloud Atlas'],
 'created': '2020-05-08T17:01:04.058Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Inception](https://attack.mitre.org/groups/G0100) is a cyber '
                'espionage group active since at least 2014. The group has '
                'targeted multiple industries and governmental entities '
                'primarily in Russia, but has also been active in the United '
                'States and throughout Europe, Asia, Africa, and the Middle '
                'East.(Citation: Unit 42 Inception November 2018)(Citation: '
                'Symantec Inception Framework March 2018)(Citation: Kaspersky '
                'Cloud Atlas December 2014)',
 'external_references': [{'external_id': 'G0100',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0100'},
                         {'description': '(Citation: Kaspersky Cloud Atlas '
                                         'December 2014)',
                          'source_name': 'Cloud Atlas'},
                         {'description': '(Citation: Symantec Inception '
                                         'Framework March 2018)',
                          'source_name': 'Inception'},
                         {'description': '(Citation: Symantec Inception '
                                         'Framework March 2018)',
                          'source_name': 'Inception Framework'},
                         {'description': 'GReAT. (2014, December 10). Cloud '
                                         'Atlas: RedOctober APT is back in '
                                         'style. Retrieved May 8, 2020.',
                          'source_name': 'Kaspersky Cloud Atlas December 2014',
                          'url': 'https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/'},
                         {'description': 'Lancaster, T. (2018, November 5). '
                                         'Inception Attackers Target Europe '
                                         'with Year-old Office Vulnerability. '
                                         'Retrieved May 8, 2020.',
                          'source_name': 'Unit 42 Inception November 2018',
                          'url': 'https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/'},
                         {'description': 'Symantec. (2018, March 14). '
                                         'Inception Framework: Alive and Well, '
                                         'and Hiding Behind Proxies. Retrieved '
                                         'May 8, 2020.',
                          'source_name': 'Symantec Inception Framework March '
                                         '2018',
                          'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies'}],
 'id': 'intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd',
 'modified': '2024-04-11T02:15:23.096Z',
 'name': 'Inception',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Oleg Skulkin, Group-IB'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.2'}