Cloud Atlas APT Group Modifies termsrv.dll to Enable Multiple RDP Sessions on Victim Hosts

A well-known advanced persistent threat group called Cloud Atlas has been caught using a dangerous technique to hijack Windows systems without alerting anyone on the network.

The group modifies a core Windows file called termsrv.dll to unlock multiple simultaneous Remote Desktop Protocol (RDP) sessions on a victim’s computer. This lets attackers work in the background while a legitimate user stays logged in, making detection much harder for security teams.

Cloud Atlas has been active since at least 2014, and over the past year the group ramped up attacks against government agencies and diplomatic organizations, particularly in Russia and Belarus.

Campaigns have grown more sophisticated, blending phishing tricks with new tools designed to stay hidden as long as possible. The group combines utilities like Tor, SSH, and RevSocks with custom malware to make detection especially difficult.

Researchers at Securelist identified this latest wave of activity, noting the group’s toolkit expanded significantly in the second half of 2025 and into early 2026. 

Securelist said in a report shared with Cyber Security News (CSN) that the attackers target state institutions and diplomatic bodies, using new and established techniques to maintain persistent access inside compromised networks.

The initial entry point in most cases was a phishing email carrying a ZIP archive with a malicious shortcut file. When a victim opens the shortcut, it quietly runs a PowerShell script pulled from an external server.

That script sets up persistence, downloads a decoy PDF to distract the user, removes infection traces, and deploys payloads including a backdoor called VBCloud and a reconnaissance tool called PowerShower.

Once inside a network, the group moves laterally and executes the termsrv.dll modification. This lets them maintain access without forcing any existing user offline, reducing the chance anyone notices something is wrong.

The attackers also set up reverse SSH tunnels as backup channels, so even if the main backdoor is found, they can still reach the compromised machine.

Cloud Atlas APT Group Modifies termsrv.dll

The key weapon in this campaign is a PowerShell script named rdp_new.ps1 that directly modifies termsrv.dll in Windows 10.

Termsrv.dll controls how the Remote Desktop service behaves, and by default Windows limits the system to a single concurrent RDP session. The script first adds a firewall rule to allow RDP traffic and relaxes remote access security settings before touching the file.

The script takes ownership of termsrv.dll, grants itself full access rights, and replaces a specific byte sequence to remove the single-session restriction. After the patch is applied, the RDP service restarts and the change takes effect.

Attackers can then connect remotely while the legitimate user continues working, with neither party disrupting the other.

Standard monitoring may not flag changes to an existing system DLL, giving attackers a wide window to operate inside an infected host without raising alarms.

Reverse SSH Tunnels and Layered Persistence

Cloud Atlas layers its access by deploying reverse SSH tunnels alongside the RDP manipulation. A compromised machine initiates an outbound SSH connection to an attacker-controlled server, bypassing most firewall rules that block incoming connections.

Since the connection starts from inside the network, it appears as normal outbound traffic to many security monitoring systems.

To keep tunnels running, the group uses VBS scripts executed through PAExec or PsExec and schedules them as Windows tasks for automatic restarting.

In some cases, the group also deployed RevSocks, a Go-based proxy tool, and used Tor to route RDP access through hidden .onion addresses. These layered channels mean removing one access method does not guarantee the attackers are fully evicted.

Security teams should monitor for unexpected changes to termsrv.dll, review Windows Firewall modifications, and audit scheduled tasks for unfamiliar VBS or PowerShell entries.

Watching for unusual outbound SSH connections and blocking known malicious domains at the network perimeter are also critical steps in reducing exposure to this ongoing threat.

Indicators of Compromise (IoCs):-

Type	Indicator	Description
MD5 Hash	1A11B26DD0261EF27A112CE8B361C247	rdp_new.ps1 — termsrv.dll modification script
MD5 Hash	5329F7BFF9D0D5DB28821B86C26D628F	Browser checker script compiled via PS2EXE
File Path	C:Users[username]Picturesgoogleearth.ps1	PowerShower persistence path
File Path	C:Windowswininet.exe	PowerCloud malware path
File Path	C:WindowsLiveKernelReportsupdate.exe	PowerCloud malware path
File Path	C:Windowsimeimejpdictsi39884.exe	PowerCloud malware path
File Path	C:Windowsplareports.exe	PowerCloud malware path
File Path	C:Windowsplareportswinlog.exe	PowerCloud malware path
File Path	C:WindowsSystem32timecontrolsvcvmnetdrv64.exe	PowerCloud / RevSocks path
File Path	C:Windowsbrandingscat.exe	PowerCloud malware path
File Path	C:WindowsPLASystembounce.exe	RevSocks malware path
File Path	C:ProgramDatahpclient.exe	RevSocks malware path
File Path	C:WindowsINFRun.vbs	VBS tunnel script
File Path	C:WindowsINFinstall.vbs	VBS tunnel script
File Path	C:WindowsPLASystemGen.vbs	VBS tunnel script (key generation)
File Path	C:WindowsPLASystemKill.vbs	VBS tunnel script (kill SSH)
File Path	C:WindowsPLASystemRun.vbs	VBS tunnel script (run SSH)
File Path	C:WindowsPLASystemconhosts.exe	SSH executable
File Path	C:WindowsINFBITSesentprf.exe	SSH executable
IP Address	194.102.104[.]207	C2 / SSH tunnel server
IP Address	46.17.45[.]56	C2 / SSH tunnel server
IP Address	46.17.45[.]49	C2 / SSH tunnel server
IP Address	46.17.44[.]125	Tor client C2 server
IP Address	46.17.44[.]212	Tor client C2 server
IP Address	185.22.154[.]73	Tor client C2 server
IP Address	194.87.196[.]163	Tor client C2 server
IP Address	195.58.49[.]99	Tor client C2 server
IP Address	3.125.114[.]193	Tor client C2 server
IP Address	3.125.114[.]57	Tor client C2 server
IP Address	45.87.219[.]116	Tor client C2 server
IP Address	37.228.129[.]224	Tor client C2 server
IP Address	185.53.179[.]136	Tor client C2 server
IP Address	185.126.239[.]77	Tor client C2 server
IP Address	5.181.21[.]75	Tor client C2 server
IP Address	146.70.53[.]171	Tor client C2 server
IP Address	45.15.65[.]134	Tor client C2 server
IP Address	185.250.181[.]207	Tor client C2 server
IP Address	81.30.105[.]71	Tor client C2 server
Domain	tenkoff[.]org	Reverse SSH tunnel / SOCKS proxy domain
Domain	cloudguide[.]in	Reverse SSH tunnel / SOCKS proxy domain
Domain	goverru[.]com	Reverse SSH tunnel / SOCKS proxy domain
Domain	kufar[.]org	Reverse SSH tunnel / SOCKS proxy domain
Domain	ultimatecore[.]net	Reverse SSH tunnel / SOCKS proxy domain
Domain	spbnews[.]net	Reverse SSH tunnel / SOCKS proxy domain
Domain	onedrivesupport[.]net	Reverse SSH tunnel / SOCKS proxy domain
Domain	amerikastaj[.]com	Reverse SSH tunnel / SOCKS proxy domain
Domain	bigbang[.]me	Reverse SSH tunnel / SOCKS proxy domain
Domain	wizzifi[.]com	Malicious / compromised domain in Office docs
Domain	totallegacy[.]org	Malicious / compromised domain in Office docs
Domain	mamurjor[.]com	Malicious / compromised domain in Office docs
Domain	landscapeuganda[.]com	Malicious / compromised domain in Office docs
Domain	lafortunaitalian.co[.]uk	Malicious / compromised domain in Office docs
Domain	kommando[.]live	Malicious / compromised domain in Office docs
Domain	internationalcommoditiesllc[.]com	Malicious / compromised domain in Office docs
Domain	humanitas[.]si	Malicious / compromised domain in Office docs
Domain	fishingflytackle[.]com	Malicious / compromised domain in Office docs
Domain	firsai.tipshub[.]net	Malicious / compromised domain in Office docs
Domain	alnakhlah.com[.]sa	Malicious / compromised domain in Office docs
Domain	allgoodsdirect.com[.]au	Malicious / compromised domain in Office docs
Domain	agenciakharis.com[.]br	Malicious / compromised domain in Office docs
Domain	istochnik[.]org	Malicious / compromised domain in Office docs
Domain	znews[.]net	Malicious / compromised domain in Office docs
Domain	iinvestika-club[.]com	Malicious / compromised domain in Office docs
Domain	paleturquoise-dragonfly-364512.hostingersite[.]com	PowerShell payload hosting domain

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.