Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Cloud Atlas APT Exploits Windows for Multiple RDP Sessions

Cloud Atlas APT Exploits Windows for Multiple RDP Sessions

Posted on May 25, 2026 By CWS

An infamous advanced persistent threat (APT) group known as Cloud Atlas has been identified using a sophisticated method to infiltrate Windows systems without raising any alarms on the network. This technique involves altering a critical Windows file, termsrv.dll, to enable multiple Remote Desktop Protocol (RDP) sessions on a single machine, allowing attackers to operate stealthily alongside legitimate users.

Cloud Atlas has been active since 2014, intensifying its efforts over the past year by targeting governmental and diplomatic sectors, especially in Russia and Belarus. Their campaigns have become more refined, incorporating phishing strategies and advanced tools that evade detection. The group employs a mix of resources like Tor, SSH, and RevSocks, coupled with custom malware, to complicate identification by security teams.

Advanced Tactics and Persistent Threats

According to Securelist researchers, Cloud Atlas notably expanded its toolset in the latter half of 2025 and into early 2026. The group primarily targets state and diplomatic entities, utilizing a blend of new and traditional techniques to maintain ongoing access to compromised networks. The attack sequence often begins with a phishing email containing a ZIP file, which holds a harmful shortcut. When executed, this shortcut launches a PowerShell script from an external server, setting the stage for further exploitation.

The PowerShell script establishes persistence, downloads a decoy PDF to distract the user, erases infection traces, and deploys payloads such as the VBCloud backdoor and PowerShower reconnaissance tool. Once inside, the attackers modify termsrv.dll to maintain access while avoiding detection.

Termsrv.dll Modification and RDP Exploitation

The heart of the attack is a PowerShell script named rdp_new.ps1, which modifies termsrv.dll in Windows 10. This file governs the Remote Desktop service, typically limiting the system to one concurrent RDP session. The script implements a firewall rule to permit RDP traffic and relaxes remote security settings, then alters termsrv.dll to bypass the single-session limitation. Following this change, attackers can maintain remote connections without interrupting the legitimate user’s activities, making it difficult for network defenders to detect the intrusion.

Standard monitoring tools may overlook alterations to system DLLs, providing attackers with a substantial window to operate undetected within compromised systems.

Layered Access and Defensive Measures

Cloud Atlas employs layered access strategies by deploying reverse SSH tunnels in addition to the RDP modifications. Compromised machines initiate outbound SSH connections to servers under the attackers’ control, often bypassing firewall restrictions that block incoming traffic. These connections appear as regular outbound traffic to many security systems.

To ensure persistence, the group uses VBS scripts via PAExec or PsExec to schedule these tunnels as Windows tasks, ensuring they restart automatically. In some cases, they also leverage RevSocks, a Go-based proxy tool, and route RDP access through Tor, using hidden .onion addresses. This multilayered approach means that eliminating one access point doesn’t necessarily expel the attackers.

Security teams are advised to monitor for unexpected changes to termsrv.dll, scrutinize Windows Firewall adjustments, and audit scheduled tasks for unfamiliar scripts. Additionally, vigilance in tracking unusual outbound SSH connections and blocking known malicious domains at the network perimeter is crucial to mitigating exposure to this ongoing threat.

For continuous updates, follow us on Google News, LinkedIn, and X. Set CSN as a preferred source in your Google settings for more timely information.

Cyber Security News Tags:APT, Cloud Atlas, Cybersecurity, Malware, Phishing, PowerShell, RDP, Securelist, termsrv.dll, Windows security

Post navigation

Previous Post: North Korean Malware Evades Detection with New Tactics
Next Post: Critical Flaw in LMS Exploited for Cyber Attacks

Related Posts

Google Drive Desktop for Windows Vulnerability Grants Full Access to Another User’s Drive Google Drive Desktop for Windows Vulnerability Grants Full Access to Another User’s Drive Cyber Security News
Threat Actors Using AI Generated Malicious Job Offers to Deploy PureRAT Threat Actors Using AI Generated Malicious Job Offers to Deploy PureRAT Cyber Security News
Threat Actors Abuse Adtech Companies to Target Users With Malicious Ads Threat Actors Abuse Adtech Companies to Target Users With Malicious Ads Cyber Security News
17,000+ Fake News Websites Caught Promoting Investment Frauds 17,000+ Fake News Websites Caught Promoting Investment Frauds Cyber Security News
Kazuar Malware: A Stealthy Tool for Cyber Espionage Kazuar Malware: A Stealthy Tool for Cyber Espionage Cyber Security News
How Microsoft Azure Storage Logs Aid Forensics Following a Security Breach How Microsoft Azure Storage Logs Aid Forensics Following a Security Breach Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • AI-Powered Forg365 Platform Targets Microsoft 365 Accounts
  • CISA Reviews Cybersecurity Incident from AWS Credential Leak
  • Dell BIOS Vulnerability Enables Quick Password Retrieval
  • FastNetMon Unveils Netomics for Enhanced Routing Control
  • Hackers Exploit Fake Microsoft Passkey Enrollment for Attacks

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • AI-Powered Forg365 Platform Targets Microsoft 365 Accounts
  • CISA Reviews Cybersecurity Incident from AWS Credential Leak
  • Dell BIOS Vulnerability Enables Quick Password Retrieval
  • FastNetMon Unveils Netomics for Enhanced Routing Control
  • Hackers Exploit Fake Microsoft Passkey Enrollment for Attacks

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark