Cyber Web Spider Blog – News

Cloud Atlas APT Exploits Windows for Multiple RDP Sessions

Posted on May 25, 2026 By CWS

An infamous advanced persistent threat (APT) group known as Cloud Atlas has been identified using a sophisticated method to infiltrate Windows systems without raising any alarms on the network. This technique involves altering a critical Windows file, termsrv.dll, to enable multiple Remote Desktop Protocol (RDP) sessions on a single machine, allowing attackers to operate stealthily alongside legitimate users.

Cloud Atlas has been active since 2014, intensifying its efforts over the past year by targeting governmental and diplomatic sectors, especially in Russia and Belarus. Their campaigns have become more refined, incorporating phishing strategies and advanced tools that evade detection. The group employs a mix of resources like Tor, SSH, and RevSocks, coupled with custom malware, to complicate identification by security teams.

Advanced Tactics and Persistent Threats

According to Securelist researchers, Cloud Atlas notably expanded its toolset in the latter half of 2025 and into early 2026. The group primarily targets state and diplomatic entities, utilizing a blend of new and traditional techniques to maintain ongoing access to compromised networks. The attack sequence often begins with a phishing email containing a ZIP file, which holds a harmful shortcut. When executed, this shortcut launches a PowerShell script from an external server, setting the stage for further exploitation.

The PowerShell script establishes persistence, downloads a decoy PDF to distract the user, erases infection traces, and deploys payloads such as the VBCloud backdoor and PowerShower reconnaissance tool. Once inside, the attackers modify termsrv.dll to maintain access while avoiding detection.

Termsrv.dll Modification and RDP Exploitation

The heart of the attack is a PowerShell script named rdp_new.ps1, which modifies termsrv.dll in Windows 10. This file governs the Remote Desktop service, typically limiting the system to one concurrent RDP session. The script implements a firewall rule to permit RDP traffic and relaxes remote security settings, then alters termsrv.dll to bypass the single-session limitation. Following this change, attackers can maintain remote connections without interrupting the legitimate user’s activities, making it difficult for network defenders to detect the intrusion.

Standard monitoring tools may overlook alterations to system DLLs, providing attackers with a substantial window to operate undetected within compromised systems.

Layered Access and Defensive Measures

Cloud Atlas employs layered access strategies by deploying reverse SSH tunnels in addition to the RDP modifications. Compromised machines initiate outbound SSH connections to servers under the attackers’ control, often bypassing firewall restrictions that block incoming traffic. These connections appear as regular outbound traffic to many security systems.

To ensure persistence, the group uses VBS scripts via PAExec or PsExec to schedule these tunnels as Windows tasks, ensuring they restart automatically. In some cases, they also leverage RevSocks, a Go-based proxy tool, and route RDP access through Tor, using hidden .onion addresses. This multilayered approach means that eliminating one access point doesn’t necessarily expel the attackers.

Security teams are advised to monitor for unexpected changes to termsrv.dll, scrutinize Windows Firewall adjustments, and audit scheduled tasks for unfamiliar scripts. Additionally, vigilance in tracking unusual outbound SSH connections and blocking known malicious domains at the network perimeter is crucial to mitigating exposure to this ongoing threat.
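The four indicators listed above (a rewritten termsrv.dll, a firewall rule opening RDP, a scheduled task that launches a script host, and outbound SSH to a non-internal address) can be expressed as simple hunt rules. The following is an added example, not code from the article or from Securelist; the event field names are an assumed schema to be mapped onto your own SIEM, and the sample events, paths and the 203.0.113.10 address are constructed placeholders rather than indicators from the report.

```python
import ipaddress

# Assumed event schema (not a real SIEM format): Sysmon 11 FileCreate (create/overwrite), Sysmon 3
# NetworkConnect, Security 4946/4947 firewall rule added/modified, Security 4698 task created.
TERMSRV = r"c:\windows\system32\termsrv.dll"
TRUSTED_WRITERS = {r"c:\windows\servicing\trustedinstaller.exe"}  # servicing writes; extend per fleet
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(events):
    """Return (rule_name, event) pairs for every event matching one of the four indicators."""
    hits = []
    for e in events:
        eid = e["id"]
        if eid == 11 and e["target"].lower() == TERMSRV and e["image"].lower() not in TRUSTED_WRITERS:
            hits.append(("termsrv_dll_written_by_untrusted_process", e))
        elif eid in (4946, 4947) and ("3389" in e["rule"] or "remote desktop" in e["rule"].lower()):
            hits.append(("firewall_rule_opens_rdp", e))
        elif eid == 4698 and any(h in e["command"].lower() for h in SCRIPT_HOSTS):
            hits.append(("scheduled_task_runs_script_host", e))
        elif eid == 3 and e["dst_port"] == 22 and is_external(e["dst_ip"]):
            hits.append(("outbound_ssh_to_external_host", e))
    return hits


# Constructed sample events; the paths and the 203.0.113.10 address are placeholders, not IoCs.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Windows\System32\termsrv.dll"},
    {"id": 11, "image": r"C:\Windows\servicing\TrustedInstaller.exe",   # benign: Windows servicing
     "target": r"C:\Windows\System32\termsrv.dll"},
    {"id": 4946, "rule": "Allow Remote Desktop (TCP 3389)"},
    {"id": 4698, "command": r"wscript.exe C:\Users\Public\tunnel.vbs"},
    {"id": 3, "image": r"C:\Users\Public\ssh.exe", "dst_ip": "203.0.113.10", "dst_port": 22},
    {"id": 3, "image": r"C:\Program Files\OpenSSH\ssh.exe", "dst_ip": "10.20.30.40", "dst_port": 22},
]


def sample_hits():
    """Rule names fired by SAMPLE_EVENTS, in event order."""
    return [rule for rule, _ in hunt(SAMPLE_EVENTS)]
```

The servicing-process allow-list and the internal address ranges are the two places that need tuning per environment; a legitimate Windows Update rewrite of termsrv.dll and an SSH session to an internal jump host both stay silent in the sample.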


Tags: APT, Cloud Atlas, Cybersecurity, Malware, Phishing, PowerShell, RDP, Securelist, termsrv.dll, Windows security

Copyright © 2026 Cyber Web Spider Blog – News.