Background and Attack Method
The Cloud Atlas advanced persistent threat group has been observed tampering with a core Windows component to stay hidden during network intrusions. By modifying termsrv.dll, the Remote Desktop Services library that enforces the one-interactive-session limit on client editions of Windows, the group allows multiple simultaneous RDP sessions on a compromised host. Attackers can then work in their own session while the legitimate user stays logged in at the console, with no disconnect prompt to raise suspicion, which makes their presence harder for security teams to spot.
Active since at least 2014, Cloud Atlas has intensified operations against government agencies and diplomatic organizations, especially in Russia and Belarus. The group pairs phishing with publicly available tools such as Tor, SSH and RevSocks, and with its own malware, including the VBCloud backdoor and the PowerShower reconnaissance utility.
Impact and Scope
The attack chain typically begins with a phishing email carrying a ZIP archive that contains a malicious shortcut (LNK) file. Opening the shortcut launches a PowerShell script that establishes persistence, downloads a decoy PDF to distract the user, removes traces of the infection, and deploys the payloads. Researchers at Securelist documented this wave of activity, noting that the group's toolkit expanded significantly through late 2025 and into early 2026.
Once inside a network, the group moves laterally and applies the termsrv.dll modification with a PowerShell script called rdp_new.ps1, which targets Windows 10 hosts. Because the patched library no longer disconnects the console user when an RDP session connects, attackers keep their access without forcing anyone offline, which reduces the chance of detection. They also set up reverse SSH tunnels as backup channels, so access survives even if the primary backdoor is found and removed.
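A defender-side check for the modification described above, written for this page as an added example; it is not the article's code and not the group's rdp_new.ps1. It assumes an elevated Windows PowerShell 5.1 session on Windows 8 or later, where Get-AuthenticodeSignature validates catalog-signed OS binaries, and it inspects the registry value fSingleSessionPerUser, which public termsrv.dll patching scripts commonly flip; the article does not say whether rdp_new.ps1 touches it. The function name Test-TermsrvTampering is invented for this example.

```powershell
# Added example for this page: not the article's code and not Cloud Atlas tooling.
# Assumptions (not stated in the article): elevated Windows PowerShell 5.1 on Windows 8+,
# where Get-AuthenticodeSignature validates catalog-signed OS binaries; qwinsta.exe and
# ssh.exe are the stock Windows builds; fSingleSessionPerUser is the value that public
# termsrv.dll patching scripts flip, not something the article attributes to rdp_new.ps1.

function Test-TermsrvTampering {
    [CmdletBinding()]
    param(
        [string]$TermsrvPath = (Join-Path $env:SystemRoot 'System32\termsrv.dll'),
        [string]$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Signature. A genuine termsrv.dll is catalog-signed by Microsoft and reports
    #    Status 'Valid'. A byte-patched copy reports 'HashMismatch'; a replacement build
    #    that was never signed reports 'NotSigned'. This is the decisive indicator.
    $sig = Get-AuthenticodeSignature -FilePath $TermsrvPath
    if ($sig.Status -ne 'Valid') {
        $findings.Add("termsrv.dll signature status is '$($sig.Status)', expected 'Valid'")
    }

    # 2. Leftover copies. Patching scripts usually keep a backup beside the original so
    #    the file can be restored; any extra termsrv.dll* in System32 deserves a look.
    Get-ChildItem -Path (Split-Path $TermsrvPath) -Filter 'termsrv.dll*' -Force |
        Where-Object { $_.Name -ne 'termsrv.dll' } |
        ForEach-Object {
            $findings.Add("extra file beside termsrv.dll: $($_.FullName) (written $($_.LastWriteTime))")
        }

    # 3. Per-user session policy. On client Windows fSingleSessionPerUser defaults to 1;
    #    0 lets a single account hold several interactive sessions at once.
    $ts = Get-ItemProperty -Path $TsKey -ErrorAction SilentlyContinue
    if ($null -ne $ts -and $ts.fSingleSessionPerUser -eq 0) {
        $findings.Add('fSingleSessionPerUser is 0: multiple sessions per user are allowed')
    }

    # 4. Live state. An unpatched workstation never has more than one Active session
    #    (the console or one rdp-tcp#N). Two Active rows in qwinsta is exactly the
    #    post-patch condition the article describes. Disconnected ('Disc') sessions are
    #    normal and ignored.
    $active = @(qwinsta 2>$null | Select-Object -Skip 1 | Where-Object { $_ -match '\sActive(\s|$)' })
    if ($active.Count -gt 1) {
        $rows = ($active | ForEach-Object { ($_.Trim() -replace '\s+', ' ') }) -join ' | '
        $findings.Add("concurrent active sessions: $rows")
    }

    # 5. Backup channel. The article notes reverse SSH tunnels as a fallback; an ssh.exe
    #    started with -R (remote port forward) is the tell-tale command line.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'ssh.exe'" |
        Where-Object { $_.CommandLine -match '(^|\s)-R' } |
        ForEach-Object { $findings.Add("reverse SSH tunnel: PID $($_.ProcessId) $($_.CommandLine)") }

    return $findings
}

$result = @(Test-TermsrvTampering)
if ($result.Count -eq 0) { 'No termsrv.dll tampering indicators found.' } else { $result }
```

The signature check alone settles whether termsrv.dll has been altered; the other checks corroborate it and catch the surrounding setup (a backup copy, the policy change, a second live session, the SSH fallback). On a legitimate Remote Desktop Session Host, items 3 and 4 are expected and should be baselined rather than alerted on; on a workstation, any of them is worth a ticket.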
Source: Cyber Security News