A sustained cyber espionage campaign attributed to the Cloud Atlas advanced persistent threat (APT) group has introduced a stealthy technique that modifies the Windows termsrv.dll library to enable multiple Remote Desktop Protocol (RDP) sessions on compromised systems.
Observed throughout 2025 and continuing into 2026, the activity primarily targets government and commercial entities in Russia and Belarus, combining legacy exploits with newly identified tools and persistence mechanisms.
According to a report shared with GBhackers, Cloud Atlas, active since 2014, continues to rely on phishing emails as its primary initial access vector. In recent campaigns, attackers distributed ZIP archives containing malicious LNK shortcut files.
When executed, these shortcuts silently launch PowerShell scripts hosted on remote infrastructure. In parallel, the group also weaponizes documents exploiting the Equation Editor vulnerability CVE-2018-0802 to download additional payloads.
Once executed, the PowerShell script establishes early persistence by storing a secondary payload (fixed.ps1) in the system’s temporary directory and configuring autorun via the Windows registry.
It simultaneously retrieves a decoy archive, extracts a PDF document, and displays it to the victim to mask malicious activity. During this distraction window, the script deletes forensic artifacts and launches the main payload.
The fixed.ps1 loader acts as a delivery mechanism for two primary backdoors: VBCloud and PowerShower. VBCloud operates as a file-stealing implant, deploying an encrypted payload (video.mds) that is decrypted in memory using RC4 and executed via a VBS loader. It exfiltrates sensitive documents such as DOC, PDF, and XLS files to attacker-controlled servers.
PowerShower, in contrast, focuses on reconnaissance and lateral movement. It collects system and domain information, executes remote PowerShell commands, and performs Kerberoasting attacks to extract Active Directory credentials.
It also deploys a credential harvesting module that leverages a UAC bypass via fodhelper.exe to gain elevated privileges, enabling access to SAM and SECURITY registry hives through shadow copies.
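The two host artifacts described above, a registry autorun that launches a PowerShell loader from the temporary directory and the ms-settings handler hijack that fodhelper.exe-based UAC bypasses rely on, can be hunted for with a short PowerShell check. The script below is an added example for defenders, not code from the report or from the threat actor; the registry paths are standard Windows locations, while the match patterns (the temp-path and fixed.ps1 checks) are assumptions chosen to fit the behaviour the article describes.

```powershell
# Added defender-side hunt (example, not from the report): look for a PowerShell
# autorun that points into a temp directory (the fixed.ps1 persistence pattern)
# and for the HKCU ms-settings handler key that fodhelper.exe-style UAC bypasses
# create. Match patterns are assumptions, not indicators taken from the report.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        $launchesPowerShell = $cmd -match '(?i)powershell|pwsh'
        $fromTemp = $cmd -match '(?i)\\Temp\\|%TEMP%|AppData\\Local\\Temp'
        $namedLoader = $cmd -match '(?i)fixed\.ps1'
        if (($launchesPowerShell -and $fromTemp) -or $namedLoader) {
            $findings += [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Reason  = 'PowerShell autorun from temp directory'
            }
        }
    }
}

# fodhelper.exe consults HKCU:\Software\Classes\ms-settings\Shell\Open\command.
# The key does not exist on a clean system, so its presence alone is worth a look.
$hijackKey = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
if (Test-Path $hijackKey) {
    $val = Get-ItemProperty -Path $hijackKey
    $findings += [pscustomobject]@{
        Key     = $hijackKey
        Name    = '(default)'
        Command = [string]$val.'(default)'
        Reason  = 'ms-settings handler hijack (fodhelper UAC bypass artifact)'
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No matching autorun or ms-settings artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The HKCU checks only cover the user running the script; to inspect other profiles, load their NTUSER.DAT hives (for example with reg load) and repeat the same key lookups. Attackers may also delete the ms-settings key once elevation succeeds, so an absent key is not proof the bypass was never used; registry auditing or EDR telemetry on that path gives a more durable record.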

APT Group Patches termsrv.dll
A notable evolution in this campaign is the deployment of a PowerShell script named rdp_new.ps1, which modifies the Windows termsrv.dll file.
This library governs RDP session handling and normally restricts concurrent logins. The script takes ownership of the file, alters specific byte sequences, and restarts the RDP service.
As a result, multiple simultaneous RDP sessions are enabled, allowing attackers to maintain hidden access without disrupting legitimate users. This significantly reduces the likelihood of detection.
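Because the technique takes ownership of termsrv.dll and overwrites bytes in it, two cheap integrity checks catch it: the file's Authenticode (catalog) signature no longer validates, and its owner is no longer NT SERVICE\TrustedInstaller, which owns System32 binaries on a clean install. The function below is an added example for defenders and is not code from the report; the only assumption is the default path of termsrv.dll under the system root.

```powershell
# Added defender-side integrity check (example, not from the report).
# Assumes termsrv.dll lives at its default location under %SystemRoot%\System32.

function Test-TermsrvIntegrity {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\termsrv.dll')
    )

    # Windows system DLLs are catalog-signed; a byte-patched file fails the
    # hash comparison and reports HashMismatch (or NotSigned) instead of Valid.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Taking ownership to make the file writable changes the owner away from
    # TrustedInstaller, which is what a clean System32 binary reports.
    $acl = Get-Acl -Path $Path
    $expectedOwner = 'NT SERVICE\TrustedInstaller'

    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $item = Get-Item -Path $Path

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Owner           = $acl.Owner
        FileVersion     = $item.VersionInfo.FileVersion
        LastWriteUtc    = $item.LastWriteTimeUtc
        Sha256          = $hash
        Suspicious      = ($sig.Status -ne 'Valid') -or ($acl.Owner -ne $expectedOwner)
    }
}

Test-TermsrvIntegrity | Format-List
```

Run it as an administrator across the RDP-exposed estate and alert on Suspicious being true; the SHA256 and FileVersion fields let you compare the file against a known-good copy of the same build, and sfc /verifyonly provides an independent confirmation. On very old hosts Get-AuthenticodeSignature may not resolve catalog signatures, so treat the owner and hash checks as the primary signal there. Pair the file check with monitoring for unexpected restarts of the TermService service, which the script needs to activate the patched library.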
To reinforce persistence and resilience, Cloud Atlas employs multiple tunneling techniques. Reverse SSH tunnels are established from infected hosts to attacker-controlled servers, bypassing inbound firewall restrictions.
These tunnels are managed using VBS scripts executed via tools like PsExec, and scheduled tasks ensure continued operation. In some cases, attackers modify file permissions to protect SSH keys from administrative access.
Additionally, modified versions of OpenSSH have been observed, replacing standard cryptographic libraries with custom ones to evade detection.
The group also deploys RevSocks, a Go-based tunneling utility, to create proxy channels into internal networks. Tor hidden services further extend access by exposing compromised systems via onion domains, enabling RDP connectivity over anonymized infrastructure.
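The tunneling layer described above leaves two footprints on a host: scheduled tasks whose actions invoke ssh with a remote-forward argument, a VBS wrapper, RevSocks or Tor, and long-lived established connections owned by those processes. The hunt below is an added example for defenders, not code from the report; the process names and argument patterns it matches are assumptions drawn from the tools the article names, and a renamed binary will not match by name.

```powershell
# Added defender-side hunt (example, not from the report) for the persistence
# and connection footprint of reverse SSH, RevSocks and Tor tunnels.
# Process names and argument patterns are assumptions based on the tools named
# in the article; attackers who rename binaries will evade the name match.

# Scheduled task actions worth a closer look: ssh with a reverse forward (-R),
# script hosts running .vbs wrappers, or the tunneling binaries themselves.
$taskPattern = '(?i)(\bssh(\.exe)?\b.*\s-R\s)|(\b[wc]script(\.exe)?\b)|(\.vbs\b)|(revsocks)|(\btor(\.exe)?\b)'

function Get-SuspiciousTunnelTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $line = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            if ($line -match $taskPattern) {
                [pscustomobject]@{
                    Task   = $task.TaskName
                    Path   = $task.TaskPath
                    State  = $task.State
                    Action = $line
                }
            }
        }
    }
}

# Established TCP connections owned by the tunneling tools. A reverse SSH
# tunnel shows up as an outbound session from ssh.exe that stays up for hours.
function Get-SuspiciousTunnelConnections {
    Get-NetTCPConnection -State Established | ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $proc.ProcessName -match '(?i)^(ssh|tor|revsocks)$') {
            [pscustomobject]@{
                Process = $proc.ProcessName
                PID     = $proc.Id
                Local   = '{0}:{1}' -f $conn.LocalAddress, $conn.LocalPort
                Remote  = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
                Started = $proc.StartTime
            }
        }
    }
}

Write-Output '== Scheduled tasks referencing tunneling tools =='
Get-SuspiciousTunnelTasks | Format-Table -AutoSize

Write-Output '== Established connections owned by tunneling processes =='
Get-SuspiciousTunnelConnections | Format-Table -AutoSize
```

Because the article notes that the group protects its SSH keys by tightening file permissions, a follow-up check is to list .ssh directories and key files under user profiles whose ACLs deny the Administrators group, which is itself unusual on a managed host. The name-based process match is a starting point only; outbound SSH or Tor from a server that has no business reason for it should be caught at the egress firewall or proxy regardless of what the binary is called.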

Another newly identified tool, PowerCloud, collects administrative user data and exfiltrates it to Google Sheets in Base64-encoded format. This highlights the group’s shift toward using legitimate cloud services for data staging and exfiltration.
Telemetry indicates that the campaign heavily targets government and diplomatic organizations, aligning with Cloud Atlas’ historical focus. While some infrastructure overlaps with activity linked to the Head Mare group have been observed, the tactics and tooling remain distinct.
The continued use of publicly available tools such as SSH, Tor, and RevSocks, combined with advanced techniques like RDP manipulation, demonstrates Cloud Atlas’ evolving capabilities.
These layered persistence mechanisms complicate detection and remediation, underscoring the need for vigilant monitoring of system libraries, PowerShell activity, and unauthorized remote access configurations.

