The Cloud Atlas advanced persistent threat (APT) group has been linked to a sophisticated cyber espionage campaign that abuses the Windows termsrv.dll library to enable multiple Remote Desktop Protocol (RDP) sessions on compromised systems.
Researchers observed the campaign throughout 2025 and into 2026, with targets consisting mainly of government agencies, diplomatic entities, and commercial organizations in Russia and Belarus. The operation combines phishing attacks, legacy vulnerabilities, custom malware, and stealthy persistence techniques to maintain long-term access inside victim environments.
The campaign demonstrates how attackers are increasingly blending legitimate administration tools with advanced malware techniques to avoid detection and maintain covert remote access.
Initial Access Through Phishing and Exploits
Cloud Atlas APT continues to rely heavily on phishing emails as its primary entry point. Attackers distribute ZIP archives containing malicious LNK shortcut files designed to silently execute PowerShell commands from attacker-controlled infrastructure.
At the same time, the threat actors also weaponize Microsoft Office documents exploiting the Equation Editor vulnerability, CVE-2018-0802, to download additional payloads onto infected systems.

Once executed, the PowerShell scripts establish persistence by saving a secondary script named fixed.ps1 in the Windows temporary directory and creating autorun entries through the Windows Registry.
To distract victims and reduce suspicion, the malware downloads a decoy archive, extracts a PDF document, and displays it on the screen while malicious activities continue in the background. During this stage, forensic traces are deleted and the primary payloads are launched.
VBCloud and PowerShower Backdoors
The fixed.ps1 script functions as a loader for two major malware components named VBCloud and PowerShower.
VBCloud File-Stealing Malware
VBCloud is used mainly for data theft. The malware deploys an encrypted payload named video.mds, which is decrypted in memory with RC4 and executed through a Visual Basic Script (VBS) loader.
The malware searches for and exfiltrates sensitive files, including:
- DOC and DOCX documents
- PDF files
- XLS and spreadsheet data
- Other confidential business documents
Collected data is transmitted to attacker-controlled servers for further analysis and espionage purposes.
PowerShower for Reconnaissance and Lateral Movement
PowerShower focuses on reconnaissance, credential harvesting, and internal network movement. The malware gathers system and domain information, executes remote PowerShell commands, and supports lateral movement across enterprise environments.
Researchers observed the malware performing Kerberoasting attacks to extract Active Directory service account credentials. It also includes a credential harvesting module that abuses the fodhelper.exe UAC bypass technique to gain elevated privileges.
With administrative access, attackers can retrieve sensitive data from the SAM and SECURITY registry hives through Windows shadow copies.
Modification of termsrv.dll Enables Multiple RDP Sessions
A significant evolution in this campaign is the use of a PowerShell script called rdp_new.ps1, which directly modifies the Windows termsrv.dll library.
The termsrv.dll component controls Remote Desktop session management and normally prevents multiple simultaneous user logins. Cloud Atlas bypasses this restriction by taking ownership of the DLL file, patching specific byte sequences, and restarting the RDP service.
After modification, multiple concurrent RDP sessions become possible on the infected machine. This allows attackers to maintain hidden remote access without disconnecting legitimate users, significantly lowering the risk of detection.
This technique provides threat actors with stealthy persistence while blending malicious activity with normal administrator behavior.
Reverse SSH Tunnels and Stealth Persistence
To strengthen persistence and ensure continued remote access, Cloud Atlas deploys multiple tunneling and proxy mechanisms.
The attackers establish reverse SSH tunnels from compromised systems to remote servers under their control. These tunnels bypass inbound firewall restrictions and provide continuous access into internal networks.
The operation also uses:
- VBS scripts executed through PsExec
- Scheduled tasks for automatic tunnel recovery
- Modified file permissions to protect SSH keys
- Customized OpenSSH builds with altered cryptographic libraries
- RevSocks tunneling utilities written in Go
- Tor hidden services for anonymous RDP connectivity
These layered persistence mechanisms make incident response and remediation significantly more difficult.
PowerCloud Malware Uses Google Sheets for Data Exfiltration
Researchers also identified a newer tool called PowerCloud that collects administrative user information and exfiltrates the data to Google Sheets using Base64-encoded content.
The use of legitimate cloud services highlights Cloud Atlas’ growing focus on blending malicious traffic with normal enterprise activity, making traditional security monitoring more challenging.
Ongoing Threat to Government and Enterprise Networks
Telemetry linked to the campaign shows a strong focus on government, diplomatic, and high-value enterprise organizations, consistent with Cloud Atlas’ long-standing espionage objectives.
Although researchers observed some infrastructure overlap with activity attributed to the Head Mare group, they noted that the malware families, techniques, and operational behavior remain distinct.
The continued use of publicly available tools such as SSH, Tor, PsExec, and RevSocks alongside advanced techniques like RDP manipulation demonstrates the group’s evolving capabilities and operational maturity.
Security teams are advised to closely monitor:
- Unauthorized changes to termsrv.dll
- Suspicious PowerShell execution
- Unexpected RDP configuration changes
- Reverse SSH connections
- Scheduled tasks linked to remote access tools
- Unusual use of cloud platforms for data transfers
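A read-only PowerShell baseline check covering the termsrv.dll technique described above and several of the monitored items in this list (DLL integrity and ownership, RDP session policy, tunnel-related scheduled tasks, outbound SSH connections). This is an added example, not code from the research the article summarises; it assumes Windows 10 / Server 2016 or later, an elevated session, the ScheduledTasks and NetTCPIP modules, and the default TrustedInstaller ownership of termsrv.dll.

```powershell
# Added example (not from the original article): read-only checks for the indicators listed above.
# Assumptions: Windows 10 / Server 2016 or later, run from an elevated PowerShell session, and the
# default owner of termsrv.dll is 'NT SERVICE\TrustedInstaller'.

function Test-TermsrvIntegrity {
    $path = Join-Path $env:SystemRoot 'System32\termsrv.dll'
    $sig  = Get-AuthenticodeSignature -FilePath $path   # catalog-signed by Microsoft on a clean system
    $acl  = Get-Acl -Path $path
    [pscustomobject]@{
        Path            = $path
        SignatureStatus = $sig.Status      # anything other than 'Valid' means the bytes no longer match the signature
        Signer          = $sig.SignerCertificate.Subject
        Owner           = $acl.Owner       # an admin or user owner indicates ownership of the file was taken over
        LastWriteUtc    = (Get-Item -Path $path).LastWriteTimeUtc
    }
}

function Get-RdpSessionPolicy {
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    [pscustomobject]@{
        DenyTSConnections    = $ts.fDenyTSConnections    # 0 means RDP is enabled
        SingleSessionPerUser = $ts.fSingleSessionPerUser # 1 is the default; 0 relaxes the one-session-per-user rule
    }
}

function Find-TunnelScheduledTasks {
    # Scheduled tasks whose action launches an SSH, SOCKS or Tor style tunnel binary (pattern is an assumption)
    $pattern = 'ssh|plink|revsocks|tor\.exe|socks'
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { ("$($_.Execute) $($_.Arguments)") -match $pattern }
    } | Select-Object TaskName, TaskPath, State
}

function Find-OutboundSshConnections {
    # Established connections to remote port 22; reverse tunnels on other ports need a broader filter
    Get-NetTCPConnection -State Established -RemotePort 22 -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process   = $proc.ProcessName
            ProcessId = $_.OwningProcess
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    }
}

Test-TermsrvIntegrity | Format-List
Get-RdpSessionPolicy
Find-TunnelScheduledTasks
Find-OutboundSshConnections
```

Compare the output against a known-good host; a signature status other than Valid, a non-TrustedInstaller owner, or a recent LastWriteUtc on termsrv.dll warrants pulling the file for analysis rather than trusting the check alone.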
The campaign highlights the increasing sophistication of modern cyber espionage operations and the importance of continuous monitoring for stealthy persistence mechanisms inside enterprise networks.