CyberSecurityNews

Cloud Atlas APT Group Modifies termsrv.dll to Enable Multiple RDP Sessions on Victim Hosts


The advanced persistent threat group Cloud Atlas has been observed using a technique that gives it interactive remote access to Windows hosts without alerting the logged-in user or the security team watching the network.

The group patches termsrv.dll, the library behind the Remote Desktop Services service, so that a victim's computer accepts multiple simultaneous Remote Desktop Protocol (RDP) sessions. Attackers can then hold an RDP session in the background while the legitimate user stays logged in, instead of disconnecting that user and tipping them off, which makes the intrusion much harder to spot.

Cloud Atlas has been active since at least 2014, and over the past year the group ramped up attacks against government agencies and diplomatic organizations, particularly in Russia and Belarus.

Campaigns have grown more sophisticated, blending phishing tricks with new tools designed to stay hidden as long as possible. The group combines utilities like Tor, SSH, and RevSocks with custom malware to make detection especially difficult.

Kaspersky researchers, writing on Securelist, identified this latest wave of activity, noting that the group's toolkit expanded significantly in the second half of 2025 and into early 2026.

Securelist said in a report shared with Cyber Security News (CSN) that the attackers target state institutions and diplomatic bodies, using new and established techniques to maintain persistent access inside compromised networks.

The initial entry point in most cases was a phishing email carrying a ZIP archive with a malicious Windows shortcut (LNK) file. When the victim opens the shortcut, it quietly runs a PowerShell script fetched from an external server.

That script sets up persistence, downloads a decoy PDF to distract the user, removes infection traces, and deploys payloads including a backdoor called VBCloud and a reconnaissance tool called PowerShower.

Malware works (Source – Securelist)

Once inside a network, the group moves laterally and applies the termsrv.dll modification. This lets them maintain RDP access without forcing any existing user offline, reducing the chance that anyone notices something is wrong.

The attackers also set up reverse SSH tunnels as backup channels, so even if the main backdoor is found, they can still reach the compromised machine.

Cloud Atlas APT Group Modifies termsrv.dll

The key tool in this campaign is a PowerShell script named rdp_new.ps1 that directly modifies termsrv.dll on Windows 10.

Termsrv.dll implements the Remote Desktop Services service. By default, client editions of Windows allow only one interactive session at a time, so an incoming RDP logon disconnects whoever is already signed in at the console. Before touching the file, the script adds a firewall rule to allow inbound RDP traffic and relaxes the remote access security settings.

The stock termsrv.dll is owned by TrustedInstaller and is read-only even for administrators, so the script first takes ownership of the file, grants itself full control, and then overwrites a specific byte sequence, the check that enforces the session limit, to remove the single-session restriction. After the patch is applied, the Remote Desktop Services service is restarted so that the modified DLL is loaded and the change takes effect.

Attackers can then connect remotely while the legitimate user continues working, with neither party disrupting the other. This technique is dangerous because it targets a trusted Windows system file rather than an obviously suspicious third-party tool.

A PowerShell script loaded by a shortcut (Source - Securelist)

Monitoring that focuses on newly dropped binaries may not flag an in-place edit to an existing system DLL, giving attackers a wide window to operate inside an infected host without raising alarms.
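The checks below are an added example for defenders, not code from the Securelist report or from the attackers' rdp_new.ps1. They verify whether termsrv.dll on the local host still carries a valid Microsoft signature and its stock owner and ACL, and whether the RDP switches the script is described as flipping (firewall rule, Remote Desktop enabled, Network Level Authentication off) are in effect. The patch byte sequences are an assumption: they are the publicly documented multi-session patch for 64-bit Windows 10 used by RDP Wrapper style patchers, and the article does not say which bytes Cloud Atlas replaces. Run it from an elevated PowerShell on the host under investigation.

```powershell
# Added example (not from Securelist or Cloud Atlas): audit termsrv.dll and the
# RDP settings that the rdp_new.ps1 script is described as changing.
# ASSUMPTION: $originalHex / $patchedHex are the widely published Windows 10 x64
# multi-session patch, not bytes taken from the Cloud Atlas script.

$dll      = Join-Path $env:SystemRoot 'System32\termsrv.dll'
$findings = @()

# 1. Code signing. termsrv.dll is catalog-signed; after any byte change its hash
#    is no longer in a signed catalog, so the status is HashMismatch or NotSigned.
$sig = Get-AuthenticodeSignature -FilePath $dll
if ($sig.Status -ne 'Valid') {
    $findings += "termsrv.dll signature status is '$($sig.Status)' (expected Valid)"
}

# 2. Ownership and ACL. takeown.exe and icacls /grant leave the owner as a user or
#    Administrators and add a FullControl entry; the stock file is owned by
#    TrustedInstaller and grants FullControl to nobody else.
$acl = Get-Acl -Path $dll
if ($acl.Owner -ne 'NT SERVICE\TrustedInstaller') {
    $findings += "termsrv.dll owner is '$($acl.Owner)' (expected NT SERVICE\TrustedInstaller)"
}
foreach ($ace in $acl.Access) {
    if ($ace.FileSystemRights.ToString() -match 'FullControl' -and
        $ace.IdentityReference.Value -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "termsrv.dll grants FullControl to $($ace.IdentityReference.Value)"
    }
}

# 3. Patch bytes. The documented patch replaces the session-count compare
#    'cmp [rcx+63Ch],eax ; je ...' with 'mov eax,100h ; mov [rcx+638h],eax ; nop'.
$hex         = [System.BitConverter]::ToString([System.IO.File]::ReadAllBytes($dll)) -replace '-'
$originalHex = '39813C0600000F84'
$patchedHex  = 'B80001000089813806000090'
function Find-AlignedHex([string]$Haystack, [string]$Needle) {
    # Only matches that start on an even offset are whole-byte matches.
    @([regex]::Matches($Haystack, $Needle) | Where-Object { $_.Index % 2 -eq 0 }).Count -gt 0
}
if (Find-AlignedHex $hex $patchedHex) {
    $findings += 'termsrv.dll contains the known multi-session patch bytes'
} elseif (-not (Find-AlignedHex $hex $originalHex)) {
    $findings += 'Neither original nor patched session-check bytes found (build not covered); rely on the signature check'
}

# 4. Registry switches. fDenyTSConnections=0 enables Remote Desktop;
#    UserAuthentication=0 turns off Network Level Authentication.
$ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nla  = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($deny -eq 0) { $findings += 'Remote Desktop is enabled (fDenyTSConnections = 0)' }
if ($nla  -eq 0) { $findings += 'Network Level Authentication is disabled (UserAuthentication = 0)' }

# 5. Firewall. An enabled inbound allow rule for TCP/3389 outside the built-in
#    'Remote Desktop' group was added by something other than the Windows UI.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayGroup -ne 'Remote Desktop' }
foreach ($rule in $rules) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains '3389')) {
        $findings += "Non-default inbound rule '$($rule.DisplayName)' allows TCP/3389"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No termsrv.dll or RDP configuration anomalies found.' }
```

Two caveats when reading the output. The Authenticode status is the most reliable indicator: comparing the live file against the copy under WinSxS is not, because on a stock install System32\termsrv.dll is a hard link to the component-store file, so an in-place patch changes both. And the byte-pattern check only covers the Windows 10 x64 builds that the published patch targets; on other builds, or if the attackers use a different patch, only the signature, owner and ACL checks will fire, so treat any of those as sufficient to pull the host for forensics.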

Reverse SSH Tunnels and Layered Persistence

Cloud Atlas layers its access by deploying reverse SSH tunnels alongside the RDP manipulation. A compromised machine initiates an outbound SSH connection to an attacker-controlled server, bypassing most firewall rules that block incoming connections.

Since the connection starts from inside the network, it appears as normal outbound traffic to many security monitoring systems.

To keep tunnels running, the group uses VBS scripts executed through PAExec or PsExec and schedules them as Windows tasks for automatic restarting.

In some cases, the group also deployed RevSocks, a Go-based proxy tool, and used Tor to route RDP access through hidden .onion addresses. These layered channels mean removing one access method does not guarantee the attackers are fully evicted.

PowerCloud Script (Source - Securelist)

Security teams should monitor for unexpected changes to termsrv.dll (signature status, owner, ACL and hash), review Windows Firewall rule additions, and audit scheduled tasks for unfamiliar VBS or PowerShell entries.

Watching for unusual outbound SSH connections, especially from hosts that have no business reason to run an SSH client, and blocking the known malicious domains and IP addresses at the network perimeter are also critical steps in reducing exposure to this ongoing threat.
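The following hunt script is an added example that is not part of the Securelist report. It implements the checks from the two paragraphs above and from the tunnelling section: scheduled tasks whose action launches a script host, PowerShell or PAExec/PsExec, unsigned executables and scripts in the directories that appear in the IoC table below, processes running from those directories, and established outbound connections to the SSH port together with the process that owns them. The directory list is read off the IoC table and the `$sshPort` value of 22 is an assumption; the attackers' tunnel server may listen on another port, in which case the last check needs adjusting.

```powershell
# Added example (not from Securelist or Cloud Atlas): hunt for the persistence
# and tunnelling artefacts described in the article on the local host.
# ASSUMPTIONS: $dropDirs is derived from the IoC table; $sshPort = 22 is a guess.

$findings = @()
$sshPort  = 22
$dropDirs = @(
    @{ Path = $env:SystemRoot;                     Recurse = $false },   # C:\Windows\wininet.exe
    @{ Path = "$env:SystemRoot\INF";               Recurse = $true  },   # Run.vbs, install.vbs, BITS\esentprf.exe
    @{ Path = "$env:SystemRoot\PLA";               Recurse = $true  },   # PLA\System\*, PLA\Reports\*
    @{ Path = "$env:SystemRoot\LiveKernelReports"; Recurse = $true  },
    @{ Path = "$env:SystemRoot\Branding";          Recurse = $true  },
    @{ Path = "$env:SystemRoot\IME";               Recurse = $true  },
    @{ Path = $env:ProgramData;                    Recurse = $false }    # C:\ProgramData\hpclient.exe
)

# 1. Scheduled tasks that start a script host, PowerShell or a remote-exec tool,
#    or that reference a .vbs/.ps1 file anywhere in the command line.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # skip COM-handler actions
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match '(wscript|cscript|powershell|pwsh|paexec|psexec)(\.exe)?\b' -or
            $cmd -match '\.(vbs|ps1)\b') {
            $findings += "Task $($task.TaskPath)$($task.TaskName) runs: $cmd"
        }
    }
}

# 2. Unsigned .exe/.vbs/.ps1 files in the drop directories. Stock Windows
#    binaries in these folders are catalog-signed and report Valid.
foreach ($d in $dropDirs) {
    $recurse = [bool]$d.Recurse
    $files = Get-ChildItem -Path $d.Path -File -Recurse:$recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.vbs', '.ps1' }
    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -ne 'Valid') {
            $findings += "Unsigned file in drop directory: $($f.FullName) ($($sig.Status))"
        }
    }
}

# 3. Running processes whose unsigned image lives in one of those directories
#    (direct children only for non-recursive entries, so C:\Windows\explorer.exe
#    is examined but C:\Windows\System32\* is not).
foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    if (-not $p.ExecutablePath) { continue }    # protected/system processes
    foreach ($d in $dropDirs) {
        $hit = if ($d.Recurse) { $p.ExecutablePath -like "$($d.Path)\*" }
               else { [System.IO.Path]::GetDirectoryName($p.ExecutablePath) -eq $d.Path }
        if ($hit -and (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status -ne 'Valid') {
            $findings += "PID $($p.ProcessId) runs unsigned $($p.ExecutablePath): $($p.CommandLine)"
            break
        }
    }
}

# 4. Established outbound connections to the SSH port, with the owning process.
#    A reverse tunnel is an outbound session, so it is visible here even though
#    no inbound firewall rule exists for it.
foreach ($c in Get-NetTCPConnection -State Established -RemotePort $sshPort -ErrorAction SilentlyContinue) {
    $owner = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
    $findings += "Outbound $($c.RemoteAddress):$sshPort from PID $($c.OwningProcess) ($($owner.ExecutablePath))"
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No tunnel or persistence artefacts found.' }
```

The output is a hunt list, not a verdict: legitimate Microsoft maintenance tasks also run PowerShell, and third-party software in ProgramData is often unsigned, so review each line against what the host is supposed to run. The script deliberately does not recurse into System32, where the IoC table lists one RevSocks path, because a recursive signature check there is slow and noisy; check that specific subdirectory by hand.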

Indicators of Compromise (IoCs):

Type        Indicator                                             Description
MD5 hash    1A11B26DD0261EF27A112CE8B361C247                      rdp_new.ps1 — termsrv.dll modification script
MD5 hash    5329F7BFF9D0D5DB28821B86C26D628F                      Browser checker script compiled via PS2EXE
File path   C:\Users\[username]\Pictures\googleearth.ps1          PowerShower persistence path
File path   C:\Windows\wininet.exe                                PowerCloud malware path
File path   C:\Windows\LiveKernelReports\update.exe               PowerCloud malware path
File path   C:\Windows\ime\imejp\dicts\i39884.exe                 PowerCloud malware path
File path   C:\Windows\pla\reports.exe                            PowerCloud malware path
File path   C:\Windows\pla\reports\winlog.exe                     PowerCloud malware path
File path   C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe     PowerCloud / RevSocks path
File path   C:\Windows\branding\scat.exe                          PowerCloud malware path
File path   C:\Windows\PLA\System\bounce.exe                      RevSocks malware path
File path   C:\ProgramData\hpclient.exe                           RevSocks malware path
File path   C:\Windows\INF\Run.vbs                                VBS tunnel script
File path   C:\Windows\INF\install.vbs                            VBS tunnel script
File path   C:\Windows\PLA\System\Gen.vbs                         VBS tunnel script (key generation)
File path   C:\Windows\PLA\System\Kill.vbs                        VBS tunnel script (kill SSH)
File path   C:\Windows\PLA\System\Run.vbs                         VBS tunnel script (run SSH)
File path   C:\Windows\PLA\System\conhosts.exe                    SSH executable
File path   C:\Windows\INF\BITS\esentprf.exe                      SSH executable
IP address  194.102.104[.]207                                     C2 / SSH tunnel server
IP address  46.17.45[.]56                                         C2 / SSH tunnel server
IP address  46.17.45[.]49                                         C2 / SSH tunnel server
IP address  46.17.44[.]125                                        Tor client C2 server
IP address  46.17.44[.]212                                        Tor client C2 server
IP address  185.22.154[.]73                                       Tor client C2 server
IP address  194.87.196[.]163                                      Tor client C2 server
IP address  195.58.49[.]99                                        Tor client C2 server
IP address  3.125.114[.]193                                       Tor client C2 server
IP address  3.125.114[.]57                                        Tor client C2 server
IP address  45.87.219[.]116                                       Tor client C2 server
IP address  37.228.129[.]224                                      Tor client C2 server
IP address  185.53.179[.]136                                      Tor client C2 server
IP address  185.126.239[.]77                                      Tor client C2 server
IP address  5.181.21[.]75                                         Tor client C2 server
IP address  146.70.53[.]171                                       Tor client C2 server
IP address  45.15.65[.]134                                        Tor client C2 server
IP address  185.250.181[.]207                                     Tor client C2 server
IP address  81.30.105[.]71                                        Tor client C2 server
Domain      tenkoff[.]org                                         Reverse SSH tunnel / SOCKS proxy domain
Domain      cloudguide[.]in                                       Reverse SSH tunnel / SOCKS proxy domain
Domain      goverru[.]com                                         Reverse SSH tunnel / SOCKS proxy domain
Domain      kufar[.]org                                           Reverse SSH tunnel / SOCKS proxy domain
Domain      ultimatecore[.]net                                    Reverse SSH tunnel / SOCKS proxy domain
Domain      spbnews[.]net                                         Reverse SSH tunnel / SOCKS proxy domain
Domain      onedrivesupport[.]net                                 Reverse SSH tunnel / SOCKS proxy domain
Domain      amerikastaj[.]com                                     Reverse SSH tunnel / SOCKS proxy domain
Domain      bigbang[.]me                                          Reverse SSH tunnel / SOCKS proxy domain
Domain      wizzifi[.]com                                         Malicious / compromised domain in Office docs
Domain      totallegacy[.]org                                     Malicious / compromised domain in Office docs
Domain      mamurjor[.]com                                        Malicious / compromised domain in Office docs
Domain      landscapeuganda[.]com                                 Malicious / compromised domain in Office docs
Domain      lafortunaitalian.co[.]uk                              Malicious / compromised domain in Office docs
Domain      kommando[.]live                                       Malicious / compromised domain in Office docs
Domain      internationalcommoditiesllc[.]com                     Malicious / compromised domain in Office docs
Domain      humanitas[.]si                                        Malicious / compromised domain in Office docs
Domain      fishingflytackle[.]com                                Malicious / compromised domain in Office docs
Domain      firsai.tipshub[.]net                                  Malicious / compromised domain in Office docs
Domain      alnakhlah.com[.]sa                                    Malicious / compromised domain in Office docs
Domain      allgoodsdirect.com[.]au                               Malicious / compromised domain in Office docs
Domain      agenciakharis.com[.]br                                Malicious / compromised domain in Office docs
Domain      istochnik[.]org                                       Malicious / compromised domain in Office docs
Domain      znews[.]net                                           Malicious / compromised domain in Office docs
Domain      iinvestika-club[.]com                                 Malicious / compromised domain in Office docs
Domain      paleturquoise-dragonfly-364512.hostingersite[.]com    PowerShell payload hosting domain

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
