Home/ Threat Actors/ Inception

🌐Inception

🌐 Inception is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 22 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0100) ↗

14Use cases

0Articles

22Techniques

0IOCs

About this actor (MITRE)

[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.(Citation: Unit 42 Inception November 2018)(Citation: Symantec Inception Framework March 2018)(Citation: Kaspersky Cloud Atlas December 2014)

Known aliases

InceptionInception FrameworkCloud Atlas

Top techniques

T1005 · Data from Local System T1027.013 · Encrypted/Encoded File T1057 · Process Discovery

All other tracked techniques

T1059.001 · PowerShell T1059.005 · Visual Basic T1069.002 · Domain Groups T1071.001 · Web Protocols T1082 · System Information Discovery T1083 · File and Directory Discovery T1090.003 · Multi-hop Proxy T1102 · Web Service T1203 · Exploitation for Client Execution T1204.002 · Malicious File T1218.005 · Mshta T1218.010 · Regsvr32 T1221 · Template Injection T1518 · Software Discovery T1547.001 · Registry Run Keys / Startup Folder T1555.003 · Credentials from Web Browsers T1566.001 · Spearphishing Attachment T1573.001 · Symmetric Cryptography T1588.002 · Tool

Detection use cases (14)

Inception / Cloud Atlas remote-template injection chain — Office fetches RTF/DOTM then spawns mshta/cscript/regsvr32 AI · profile SΣ Inception / Cloud Atlas LOLBin C2 to legitimate cloud-storage providers (CloudMe, Yandex Disk, OpenDrive) AI · profile S 1Password activity from Tor exit node MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match