The advanced persistent threat group known as the Cloud Atlas APT has been observed deploying a highly deceptive technique to hijack corporate Windows environments. By manipulating core architecture components within the operating system, the threat actor can establish concurrent remote access channels without tipping off active users or network monitoring teams.
The group achieves this deep level of stealth by executing a custom termsrv.dll modification. This tactical adjustment effectively strips away the built-in single-user enforcement limits of Windows workstation editions. It enables threat actors to operate autonomously in the background while local employees continue their daily tasks completely uninterrupted, creating a significant obstacle for security teams trying to spot the intrusion.
Key Details
Active within the cyber espionage landscape since at least 2014, Cloud Atlas (also recognized under various industry tracking names) has markedly expanded its operational footprint. Over the past several quarters, threat analysts have tracked an aggressive surge in operations targeting government bodies, state institutions, and diplomatic agencies—with a strong geographic focus inside Russia and Belarus.
According to research published by Securelist, the adversary’s toolkit evolved substantially during the latter half of 2025 and into the first half of 2026. The group’s modern playbook seamlessly merges traditional spear-phishing lures with a resilient, multi-tiered infrastructure designed to prolong network residency.
The primary entry point typically begins with a weaponized email delivering a ZIP archive. Nestled inside is a malicious shortcut file (.lnk) that silently triggers a multi-stage infection chain upon execution. This sequence downloads a benign decoy PDF to placate the victim while simultaneously installing advanced backdoors like VBCloud and reconnaissance frameworks like PowerShower.
Technical Analysis
Once initial persistence is established inside an organization, Cloud Atlas operators move laterally across internal networks to execute their premier credential-less access mechanism.
The core of this strategy revolves around an advanced PowerShell utility designated as rdp_new.ps1. The script explicitly targets the Windows Remote Desktop service subsystem by modifying termsrv.dll, the library responsible for enforcing concurrent session licensing compliance.
Weaponized Phishing Attachment (.lnk via ZIP)
        │
        ▼
PowerShell Download Script
        │
        ▼
rdp_new.ps1 Executed
        │
   ┌────┴─────────────────────────────┐
   ▼                                  ▼
Disables Firewall/RDP Restrictions    Modifies termsrv.dll in Memory
                                      │
                                      ▼
                           Unlocks Multiple Concurrent
                           Stealth RDP Sessions
The script automates a precise sequence to bypass defensive protections:
- Security Relaxation: It alters internal firewall properties and loosens security validation restrictions to allow incoming Remote Desktop Protocol (RDP) requests.
- Privilege Takeover: The script forcefully assumes administrative ownership of the system’s local C:\Windows\System32\termsrv.dll file and rewrites its default access control permissions.
- Binary Patching: It locates and alters a highly specific byte sequence within the compiled binary, effectively blinding the operating system’s awareness of concurrent session limits.
- Service Cycle: The tool restarts the local TermService routing engine to instantly apply the modification.
By shifting this parameter, an external adversary can cleanly authenticate into the compromised system over RDP. Because the native user’s active session isn’t forcibly disconnected or locked, both parties remain active on the system simultaneously, completely unaware of each other’s concurrent presence.
Layered Persistence via Outbound Tunnels
Recognizing that local host modifications are vulnerable to system updates, the Cloud Atlas APT layers its secondary fallback mechanisms using reverse SSH tunnels.
The compromised host initializes an outbound, encrypted SSH link to an actor-controlled command server (such as 194.102.104.207). Because this traffic originates internally, it naturally traverses standard enterprise firewall rules that block incoming connections. To ensure these tunnels survive system reboots, the group schedules automated Visual Basic Scripts (.vbs) via PsExec or PAExec to run continuously as persistent Windows Tasks.
Furthermore, the team incorporates RevSocks (a sophisticated Go-based reverse proxy engine) alongside localized Tor instances. This routes interactive desktop commands through hidden .onion address paths, completely obscuring the original source of the attack.
Impact and Risks
The business and operational risks associated with this technique are severe. Because the attack updates a legitimate, trusted Microsoft system library rather than executing an unverified third-party executable, basic file-integrity monitoring and application whitelisting solutions frequently fail to generate alerts.
By utilizing legitimate RDP channels over trusted network layers, Cloud Atlas operators can easily search local storage drives, harvest document repositories, and monitor administrator workflows without triggering standard behavioral alarms. The implementation of reverse SSH channels also ensures that even if a defense team discovers and kills the primary network backdoor, the threat actors retain alternative entry points to re-infect the environment.
Expert Recommendations
Defenders looking to neutralize this sophisticated access methodology should focus heavily on tracking unauthorized core system configuration changes:
- Audit System File Integrity: Configure advanced Endpoint Detection and Response (EDR) systems or file integrity monitors (FIM) to explicitly alert on any permission modifications or write attempts directed at C:\Windows\System32\termsrv.dll.
- Track Local Firewall Modifications: Establish centralized SIEM rules to flag any automated additions to the Windows Firewall schema, particularly rules that expose port 3389 or originate from PowerShell execution pathways.
- Monitor Unusual Outbound Sessions: Scrutinize internal enterprise workstations initiating unexpected outbound SSH connections or traffic routed toward known Tor relay infrastructures.
- Review Scheduled Tasks: Routinely audit local system registries for unfamiliar .vbs or .ps1 task configurations running from administrative folders like C:\Windows\INF\ or C:\Windows\PLA\.
Industry Context
The recent campaigns conducted by Cloud Atlas highlight a growing macro trend within the cyber espionage theater: living-off-the-land (LotL) tactics combined with binary manipulation. State-sponsored entities are increasingly avoiding custom-built malware payloads that easily trigger modern static signatures. Instead, they choose to modify the existing architecture of the host operating system to turn native administrative features into covert infiltration tools.
Conclusion
The modification of termsrv.dll by the Cloud Atlas APT group represents a highly calculated approach to maintaining network persistence. By turning a built-in remote management tool into a dual-use espionage channel, the group can reliably operate behind corporate perimeters for extended periods. Organizations must shift their focus toward continuous runtime monitoring, configuration integrity management, and behavioral analysis to expose these hidden channels before critical information is compromised.
FAQ SECTION
How does the Cloud Atlas APT group bypass the single-user RDP limit in Windows?
The group executes a specialized PowerShell script named rdp_new.ps1 that takes ownership of the native Windows termsrv.dll file. The script edits a specific internal byte sequence within the file to deactivate the single-session licensing check, allowing multiple users to connect simultaneously.
Why is this specific attack technique difficult for traditional security tools to detect?
This method is incredibly stealthy because it uses native Windows components instead of dropping an obviously malicious third-party program. Since termsrv.dll is a trusted system library, standard antivirus software may fail to flag the modification as an active threat.
Who are the primary targets of this recent Cloud Atlas campaign?
The recent wave of activity tracked throughout late 2025 and early 2026 is heavily concentrated on government institutions, public sector bodies, and international diplomatic organizations, particularly located within Russia and Belarus.
What are reverse SSH tunnels, and how does the group use them?
A reverse SSH tunnel is a connection that starts from inside the victim’s network and calls out to an external server controlled by the attacker. Cloud Atlas uses this setup to bypass corporate firewalls that block incoming traffic, creating a reliable backdoor into the company.
What actions should administrators take to verify if a system is compromised?
Administrators should run cryptographic integrity checks on the local termsrv.dll file, look for unexpected modifications to the Windows Firewall configuration, and audit Scheduled Tasks for unrecognized scripts running out of paths like C:\Windows\INF\ or C:\Windows\LiveKernelReports\.
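The following triage script is an added example (not code from the report or from Securelist) that turns the checks listed under Expert Recommendations and in the FAQ answer above into a single host sweep: termsrv.dll signature, owner and hash, inbound firewall rules opening 3389 outside the built-in Remote Desktop group, and scheduled tasks launching .vbs or .ps1 files from the staging folders named on this page. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for the NetSecurity and ScheduledTasks modules); the staging folder list and the "TrustedInstaller owner" baseline are assumptions drawn from a default install, not from the report.

```powershell
# Constructed defender triage for the termsrv.dll / RDP indicators on this page.
# Assumption: run as Administrator; NetSecurity and ScheduledTasks modules available.
$findings = @()

# 1. termsrv.dll integrity. A byte-patched copy loses its Microsoft Authenticode
#    signature, and rdp_new.ps1 is described as taking ownership and rewriting the ACL.
$dll = "$env:SystemRoot\System32\termsrv.dll"
$sig = Get-AuthenticodeSignature -FilePath $dll
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "termsrv.dll signature status '$($sig.Status)' (expected Valid, Microsoft signer)"
}
$acl = Get-Acl -Path $dll
if ($acl.Owner -ne 'NT SERVICE\TrustedInstaller') {   # default owner on a clean install (assumption)
    $findings += "termsrv.dll owner is '$($acl.Owner)' (expected NT SERVICE\TrustedInstaller)"
}
# Hash is printed for comparison against a known-good host on the same patch level.
$hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
Write-Host "termsrv.dll SHA256: $hash"

# 2. Firewall: enabled inbound allow rules exposing TCP 3389 outside the built-in RDP group.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $rule = $_
    $port = $rule | Get-NetFirewallPortFilter
    if ($port.Protocol -eq 'TCP' -and "$($port.LocalPort)" -match '\b3389\b' -and
        $rule.DisplayGroup -notmatch 'Remote Desktop') {
        $findings += "Non-standard inbound rule opening 3389: '$($rule.DisplayName)'"
    }
}

# 3. Scheduled tasks whose action runs a .vbs/.ps1 from the folders named in the report.
#    Regex form: single quotes keep '\\', which matches one literal backslash.
$suspectDirs = @('C:\\Windows\\INF\\', 'C:\\Windows\\PLA\\', 'C:\\Windows\\LiveKernelReports\\')
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $inSuspectDir = $suspectDirs | Where-Object { $cmd -match $_ }
        if ($cmd -match '\.(vbs|ps1)\b' -and $inSuspectDir) {
            $findings += "Task '$($task.TaskPath)$($task.TaskName)' runs: $cmd"
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No termsrv.dll / RDP persistence indicators found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

A valid signature alone is not proof of a clean file if the host has been offline from Windows Update for a long time, so compare the printed hash against a reference copy from a trusted machine at the same build number.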