The well-known advanced persistent threat (APT) group Cloud Atlas has been caught using a sophisticated new technique to hijack Windows systems while avoiding detection: directly modifying a core Windows system file called termsrv.dll to enable multiple simultaneous Remote Desktop Protocol (RDP) sessions on victim hosts. This allows the attackers to maintain covert access in the background while a legitimate user continues working, making detection substantially harder for security operations teams.
About Cloud Atlas: A Persistent Espionage Threat
Cloud Atlas has been active since at least 2014, with a consistent focus on government agencies, diplomatic organizations, and state institutions — particularly across Russia and Belarus. Over the past year, the group has significantly ramped up operations, blending phishing techniques with new custom tools specifically designed for long-term persistence and covert access.
Researchers at Securelist, who identified this latest wave of activity, note that the group expanded its toolkit significantly in the second half of 2025 and into early 2026. The attackers combine utilities such as Tor, SSH, and RevSocks with custom malware to make detection especially difficult for defenders.
Initial Access: Phishing Leading to Multi-Stage Infection
The initial entry point in most confirmed intrusions was a phishing email carrying a ZIP archive containing a malicious shortcut file (.LNK). When a victim opens the shortcut, it silently executes a PowerShell script pulled from an external server. That script performs several critical steps:
- Establishes persistence on the compromised system
- Downloads a decoy PDF document to distract the victim
- Removes initial infection traces to hinder forensic investigation
- Deploys a backdoor called VBCloud and a reconnaissance tool called PowerShower
Once inside the network, the group moves laterally and executes the termsrv.dll modification. They also establish reverse SSH tunnels as backup access channels, so even if the primary backdoor is detected and removed, the attackers retain a path back into the compromised environment.
The termsrv.dll Technique: Covert RDP Access
The centerpiece of this campaign is a PowerShell script named rdp_new.ps1 that directly modifies termsrv.dll on Windows 10 systems. Under default Windows configuration, the Remote Desktop service limits each system to a single concurrent RDP session. By patching termsrv.dll, Cloud Atlas removes this restriction.
The script executes in a precise sequence:
- Adds a Windows Firewall rule to permit RDP traffic on the standard port
- Relaxes remote access security settings in the registry
- Takes ownership of the termsrv.dll file and grants itself full access rights
- Replaces a specific byte sequence in the DLL to remove the single-session restriction
- Restarts the Remote Desktop service to apply the change
After patching, the attackers can connect via RDP while the legitimate user continues their normal session. Neither party disrupts the other, and to the victim, nothing appears amiss. This technique is particularly dangerous because it leverages a built-in Windows capability rather than deploying standalone malware, making it harder for traditional antivirus solutions to flag it as malicious.
Why This Technique Is Difficult to Detect
Several factors make this intrusion technique especially challenging for defenders:
- No new executables dropped: The attack leverages PowerShell and modifies a legitimate system file, reducing the malware surface area that security tools typically scan.
- Coexistence with legitimate users: Because both the attacker and the victim can have active sessions simultaneously, there are no sudden logouts or session disruptions that would alert administrators.
- Layered persistence: The combination of VBCloud backdoor, reverse SSH tunnels, and the patched RDP service creates multiple independent footholds that must all be addressed to fully evict the attacker.
Detection and Defensive Guidance
Organizations targeted by Cloud Atlas or at risk from similar APT groups should implement the following defensive measures:
- Monitor for unexpected modifications to termsrv.dll using file integrity monitoring (FIM) solutions.
- Alert on PowerShell scripts that take ownership of system DLL files or modify Windows Firewall rules.
- Use network monitoring to detect unusual outbound SSH connections and unexpected concurrent RDP sessions on hosts that should only ever carry one.
- Restrict RDP access using network segmentation and ensure multi-factor authentication is enforced for all remote access.
- Conduct regular threat hunting for VBCloud and PowerShower indicators of compromise within your environment.
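As an added detection example (written for this page, not code from Securelist or from the Cloud Atlas toolset), the Python below correlates process-creation telemetry and flags a host only when several of the stages described above (firewall rule, ownership change on termsrv.dll, ACL grant, Remote Desktop service restart) appear within a short window. The log records are constructed, and the command shapes matched (takeown, icacls, netsh, TermService) are assumptions about how those stages would surface in logs, not the group's actual commands.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (timestamp, host, user, command line), shaped like
# Windows 4688 / Sysmon Event ID 1 records after SIEM normalisation. Hypothetical.
EVENTS = [
    ("2026-01-10T09:00:05", "WS-14", "jdoe", "powershell.exe -ep bypass -f C:\\Users\\jdoe\\AppData\\Local\\Temp\\rdp_new.ps1"),
    ("2026-01-10T09:00:06", "WS-14", "jdoe", 'netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow'),
    ("2026-01-10T09:00:07", "WS-14", "jdoe", "takeown /f C:\\Windows\\System32\\termsrv.dll"),
    ("2026-01-10T09:00:08", "WS-14", "jdoe", "icacls C:\\Windows\\System32\\termsrv.dll /grant jdoe:F"),
    ("2026-01-10T09:00:20", "WS-14", "jdoe", "net stop TermService"),
    ("2026-01-10T09:00:22", "WS-14", "jdoe", "net start TermService"),
    # A lone ownership change by a patching account: weak signal, should not fire alone.
    ("2026-01-10T11:30:00", "WS-07", "svc-patch", "takeown /f C:\\Windows\\System32\\termsrv.dll"),
]

# One regex per observable stage of the sequence the article describes (assumed command shapes).
STAGES = {
    "firewall_rule": re.compile(r"(netsh\s+advfirewall\s+firewall\s+add\s+rule|New-NetFirewallRule).*3389", re.I),
    "takeown_termsrv": re.compile(r"takeown\b.*termsrv\.dll", re.I),
    "icacls_termsrv": re.compile(r"icacls\b.*termsrv\.dll.*(/grant|:F)", re.I),
    "termservice_restart": re.compile(r"(net\s+(stop|start)|Restart-Service|sc\s+(stop|start))\s+.*TermService", re.I),
}


def find_termsrv_tampering(events, window=timedelta(minutes=15), min_stages=3):
    """Return {host: sorted stage names} for hosts where at least `min_stages`
    distinct stages occur within `window`. Requiring several stages keeps a
    single takeown by an administrator from paging the on-call analyst."""
    per_host = {}
    for ts, host, user, cmd in events:
        for stage, rx in STAGES.items():
            if rx.search(cmd):
                per_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage, user))
    hits = {}
    for host, seen in per_host.items():
        seen.sort()  # chronological, so each event can anchor a sliding window
        for i, (t0, _, _) in enumerate(seen):
            stages = {s for t, s, _ in seen[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                hits[host] = sorted(stages)
                break
    return hits


if __name__ == "__main__":
    for host, stages in find_termsrv_tampering(EVENTS).items():
        print(f"ALERT {host}: termsrv.dll tampering sequence {stages}")
```

Pair this with a FIM hash or Authenticode check on termsrv.dll itself, since the command-line correlation only sees the steps around the patch, not the patched bytes.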
The continued evolution of Cloud Atlas tactics underscores the need for layered defenses and proactive threat hunting, particularly for organizations in the government, diplomatic, and critical infrastructure sectors that remain high-priority targets for this group.