Cloud Atlas APT Group Modifies termsrv.dll to Enable Multiple RDP Sessions on Victim Hosts

HomeCyber Security News Cloud Atlas APT Group Modifies termsrv.dll to Enable Multiple RDP Sessions on Victim Hosts By Tushar Subhra Dutta May 25, 2026 A well-known advanced persistent threat group called Cloud Atlas has been caught using a dangerous technique to hijack Windows systems without alerting anyone on the network. Threatanalysis tools The group modifies a core Windows file called termsrv.dll to unlock multiple simultaneous Remote Desktop Protocol (RDP) sessions on a victim’s computer. This lets attackers work in the background while a legitimate user stays logged in, making detection much harder for security teams. Cloud Atlas has been active since at least 2014, and over the past year the group ramped up attacks against government agencies and diplomatic organizations, particularly in Russia and Belarus. Campaigns have grown more sophisticated, blending phishing tricks with new tools designed to stay hidden as long as possible. The group combines utilities like Tor, SSH, and RevSocks with custom malware to make detection especially difficult. Researchers at Securelist identified this latest wave of activity, noting the group’s toolkit expanded significantly in the second half of 2025 and into early 2026.  Securelist said in a report shared with Cyber Security News (CSN) that the attackers target state institutions and diplomatic bodies, using new and established techniques to maintain persistent access inside compromised networks. The initial entry point in most cases was a phishing email carrying a ZIP archive with a malicious shortcut file. When a victim opens the shortcut, it quietly runs a PowerShell script pulled from an external server. That script sets up persistence, downloads a decoy PDF to distract the user, removes infection traces, and deploys payloads including a backdoor called VBCloud and a reconnaissance tool called PowerShower. Malware works (Source – Securelist) Once inside a network, the group moves laterally and executes the termsrv.dll modification. This lets them maintain access without forcing any existing user offline, reducing the chance anyone notices something is wrong. The attackers also set up reverse SSH tunnels as backup channels, so even if the main backdoor is found, they can still reach the compromised machine. Cloud Atlas APT Group Modifies termsrv.dll The key weapon in this campaign is a PowerShell script named rdp_new.ps1 that directly modifies termsrv.dll in Windows 10. Termsrv.dll controls how the Remote Desktop service behaves, and by default Windows limits the system to a single concurrent RDP session. The script first adds a firewall rule to allow RDP traffic and relaxes remote access security settings before touching the file. The script takes ownership of termsrv.dll, grants itself full access rights, and replaces a specific byte sequence to remove the single-session restriction. After the patch is applied, the RDP service restarts and the change takes effect. Attackers can then connect remotely while the legitimate user continues working, with neither party disrupting the other. This technique is dangerous because it targets a trusted Windows system file rather than an obviously suspicious third-party tool. A PowerShell script loaded by a shortcut (Source – Securelist) Standard monitoring may not flag changes to an existing system DLL, giving attackers a wide window to operate inside an infected host without raising alarms. Reverse SSH Tunnels and Layered Persistence Cloud Atlas layers its access by deploying reverse SSH tunnels alongside the RDP manipulation. A compromised machine initiates an outbound SSH connection to an attacker-controlled server, bypassing most firewall rules that block incoming connections. Since the connection starts from inside the network, it appears as normal outbound traffic to many security monitoring systems. To keep tunnels running, the group uses VBS scripts executed through PAExec or PsExec and schedules them as Windows tasks for automatic restarting. In some cases, the group also deployed RevSocks, a Go-based proxy tool, and used Tor to route RDP access through hidden .onion addresses. These layered channels mean removing one access method does not guarantee the attackers are fully evicted. PowerCloud Script (Source – Securelist) Security teams should monitor for unexpected changes to termsrv.dll, review Windows Firewall modifications, and audit scheduled tasks for unfamiliar VBS or PowerShell entries. Watching for unusual outbound SSH connections and blocking known malicious domains at the network perimeter are also critical steps in reducing exposure to this ongoing threat. Indicators of Compromise (IoCs):- Type Indicator Description MD5 Hash 1A11B26DD0261EF27A112CE8B361C247 rdp_new.ps1 — termsrv.dll modification script MD5 Hash 5329F7BFF9D0D5DB28821B86C26D628F Browser checker script compiled via PS2EXE File Path C:\Users[username]\Pictures\googleearth.ps1 PowerShower persistence path File Path C:\Windows\wininet.exe PowerCloud malware path File Path C:\Windows\LiveKernelReports\update.exe PowerCloud malware path File Path C:\Windows\ime\imejp\dicts\i39884.exe PowerCloud malware path File Path C:\Windows\pla\reports.exe PowerCloud malware path File Path C:\Windows\pla\reports\winlog.exe PowerCloud malware path File Path C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe PowerCloud / RevSocks path File Path C:\Windows\branding\scat.exe PowerCloud malware path File Path C:\Windows\PLA\System\bounce.exe RevSocks malware path File Path C:\ProgramData\hp\client.exe RevSocks malware path File Path C:\Windows\INF\Run.vbs VBS tunnel script File Path C:\Windows\INF\install.vbs VBS tunnel script File Path C:\Windows\PLA\System\Gen.vbs VBS tunnel script (key generation) File Path C:\Windows\PLA\System\Kill.vbs VBS tunnel script (kill SSH) File Path C:\Windows\PLA\System\Run.vbs VBS tunnel script (run SSH) File Path C:\Windows\PLA\System\conhosts.exe SSH executable File Path C:\Windows\INF\BITS\esentprf.exe SSH executable IP Address 194.102.104[.]207 C2 / SSH tunnel server IP Address 46.17.45[.]56 C2 / SSH tunnel server IP Address 46.17.45[.]49 C2 / SSH tunnel server IP Address 46.17.44[.]125 Tor client C2 server IP Address 46.17.44[.]212 Tor client C2 server IP Address 185.22.154[.]73 Tor client C2 server IP Address 194.87.196[.]163 Tor client C2 server IP Address 195.58.49[.]99 Tor client C2 server IP Address 3.125.114[.]193 Tor client C2 server IP Address 3.125.114[.]57 Tor client C2 server IP Address 45.87.219[.]116 Tor client C2 server IP Address 37.228.129[.]224 Tor client C2 server IP Address 185.53.179[.]136 Tor client C2 server IP Address 185.126.239[.]77 Tor client C2 server IP Address 5.181.21[.]75 Tor client C2 server IP Address 146.70.53[.]171 Tor client C2 server IP Address 45.15.65[.]134 Tor client C2 server IP Address 185.250.181[.]207 Tor client C2 server IP Address 81.30.105[.]71 Tor client C2 server Domain tenkoff[.]org Reverse SSH tunnel / SOCKS proxy domain Domain cloudguide[.]in Reverse SSH tunnel / SOCKS proxy domain Domain goverru[.]com Reverse SSH tunnel / SOCKS proxy domain Domain kufar[.]org Reverse SSH tunnel / SOCKS proxy domain Domain ultimatecore[.]net Reverse SSH tunnel / SOCKS proxy domain Domain spbnews[.]net Reverse SSH tunnel / SOCKS proxy domain Domain onedrivesupport[.]net Reverse SSH tunnel / SOCKS proxy domain Domain amerikastaj[.]com Reverse SSH tunnel / SOCKS proxy domain Domain bigbang[.]me Reverse SSH tunnel / SOCKS proxy domain Domain wizzifi[.]com Malicious / compromised domain in Office docs Domain totallegacy[.]org Malicious / compromised domain in Office docs Domain mamurjor[.]com Malicious / compromised domain in Office docs Domain landscapeuganda[.]com Malicious / compromised domain in Office docs Domain lafortunaitalian.co[.]uk Malicious / compromised domain in Office docs Domain kommando[.]live Malicious / compromised domain in Office docs Domain internationalcommoditiesllc[.]com Malicious / compromised domain in Office docs Domain humanitas[.]si Malicious / compromised domain in Office docs Domain fishingflytackle[.]com Malicious / compromised domain in Office docs Domain firsai.tipshub[.]net Malicious / compromised domain in Office docs Domain alnakhlah.com[.]sa Malicious / compromised domain in Office docs Domain allgoodsdirect.com[.]au Malicious / compromised domain in Office docs Domain agenciakharis.com[.]br Malicious / compromised domain in Office docs Domain istochnik[.]org Malicious / compromised domain in Office docs Domain znews[.]net Malicious / compromised domain in Office docs Domain iinvestika-club[.]com Malicious / compromised domain in Office docs Domain paleturquoise-dragonfly-364512.hostingersite[.]com PowerShell payload hosting domain Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Operation Dragon Whistle Uses Malicious LNK Files to Target Changzhou University New NGINX 0-Day RCE “nginx-poolslip” Affects Millions of NGINX Servers 3 Tactics Elite SOCs Use to Operationalize Threat Intelligence FreePBX Vulnerability Allow Attackers to Gain Access to User Portals CISA Admin Exposes AWS GovCloud Credentials on Public GitHub Repository Latest News Cyber Security News Hackers Hide Linux Payload Under SSH-Like Filename During Package Installation Cyber Attack News Russian Hacker Used Jailbroken Gemini to Steal Admin Credentials and Drain Crypto Wallets Cyber Security News Hackers Abuse Shared CDN Infrastructure to Bypass Domain Reputation Security Controls Cyber Attack News KnowledgeDeliver LMS Zero-Day Exploited to Deploy BLUEBEAM Web Shell Cyber Security News Iranian APT Uses SEO Poisoning to Deliver Fake SQL Developer Malware Installer