Stealthy Cyber Espionage Tactics of Cloud Atlas APT Group
A sustained cyber espionage campaign attributed to the notorious Cloud Atlas advanced persistent threat (APT) group has recently unveiled a sophisticated technique that modifies the Windows termsrv.dll library. This modification facilitates multiple Remote Desktop Protocol (RDP) sessions on compromised systems, enhancing the intruders’ ability to maintain covert access to targeted networks.
Targets and Methodologies
This campaign has been observed primarily targeting government and commercial entities within Russia and Belarus, ongoing since 2025 and extending into 2026. These attacks blend traditional exploits with newer, innovative tools and persistent mechanisms, showcasing the group’s adaptability and technical prowess.
Upon infiltrating a target system, the attackers execute shortcuts that launch PowerShell scripts hosted on remote infrastructure. Alongside this, they weaponize documents that exploit the Equation Editor vulnerability (CVE-2018-0802) to download additional malicious payloads. This combination shows the group's ability to leverage both known vulnerabilities and advanced scripting techniques.
Further investigation reveals that, once executed, the PowerShell scripts establish early persistence by storing a secondary payload named fixed.ps1 in the system's temporary directory and configuring autorun entries in the Windows registry. To obscure the intrusion, the scripts also retrieve a decoy archive and extract a benign-looking PDF document to present to the victim. The decoy holds the user's attention while the script deletes its forensic artifacts and launches the principal malicious payload.
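The persistence described above (a loader staged in the temporary directory and started from a registry autorun entry) can be hunted for directly on a host. The following PowerShell is an added defensive example written for this article; it is not Cloud Atlas tooling or code from the original report. It assumes the common Run/RunOnce keys and the user and system temp directories, and the only file name taken from the article is fixed.ps1; the remaining patterns are generic indicators of script loaders started from temp paths.

```powershell
# Added defensive hunt (not from the article): list autorun entries that launch
# PowerShell or point into a temp directory, and list script files staged in temp.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 'fixed.ps1' is the loader name reported in the article; the other patterns are
# generic signs of a script loader (PowerShell from a temp path, encoded or
# hidden invocation). Tune to your environment to cut false positives.
$suspiciousPattern = 'powershell|pwsh|\\Temp\\|\\AppData\\Local\\Temp|fixed\.ps1|-enc|-w(indowstyle)?\s+hidden|bypass'

function Get-SuspiciousAutorun {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            $command = [string]$item.GetValue($valueName)
            if ($command -match $suspiciousPattern) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $valueName
                    Command = $command
                }
            }
        }
    }
}

function Get-TempScripts {
    # Script and shortcut files sitting in temp directories are unusual on a
    # managed workstation and are worth a look alongside the autorun entries.
    $tempDirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) | Select-Object -Unique
    Get-ChildItem -Path $tempDirs -Include *.ps1, *.vbs, *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Get-SuspiciousAutorun | Format-Table -AutoSize
Get-TempScripts       | Format-Table -AutoSize
```

Run it elevated so the HKLM keys and the system temp directory are readable. Because the article notes the loader deletes its own artifacts after launching the main payload, a clean result from this hunt on a live host is not conclusive; pair it with PowerShell script block logging (event ID 4104) and Sysmon file-create events, which retain the evidence after the file is gone.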
Utilities and Backdoors
The fixed.ps1 loader is the delivery mechanism for two significant backdoors: VBCloud and PowerShower. VBCloud is a file-stealing implant that deploys an encrypted payload (video.mds), decrypted in memory with the RC4 algorithm. It collects and exfiltrates sensitive documents, including but not limited to DOC, PDF, and XLS files, to servers controlled by the attackers.
PowerShower, on the other hand, is tailored for reconnaissance and lateral movement within targeted networks. This backdoor collects essential system and domain information, executes remote PowerShell commands, and even performs Kerberoasting attacks aimed at extracting Active Directory credentials. Additionally, it incorporates a credential harvesting module that utilizes a User Account Control (UAC) bypass through fodhelper.exe to gain elevated privileges, thus providing access to the SAM and SECURITY registry hives.
Evolution and Procedural Enhancements
Cloud Atlas, which has been operating since 2014, continues to rely heavily on phishing emails as its primary vector for initial access. Recent campaigns have featured ZIP archives that contain malicious LNK shortcut files, an evolution in their operational methodology. A notable addition to their tools is rdp_new.ps1, a PowerShell script designed to modify the Windows termsrv.dll file. This library governs RDP session handling and enforces the concurrent-login limit; the attackers take ownership of the file, alter specific byte sequences, and restart the RDP service. The result is that multiple simultaneous RDP sessions are permitted, giving the attackers hidden access without disrupting legitimate users, an approach that significantly diminishes the chances of detection.
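The termsrv.dll modification leaves artifacts a defender can check without knowing the exact bytes that were changed: the file's Authenticode status, its owner (Windows keeps System32 binaries owned by TrustedInstaller, so a takeover of ownership is itself a signal), its hash compared with the pristine copy in the component store, and the number of concurrent RDP logon sessions. The script below is an added defensive example for this article, not code from the report or from the actor; it assumes the newest termsrv.dll under WinSxS is the copy that should be installed, which holds unless the servicing stack itself has been tampered with or an update is pending.

```powershell
# Added integrity check for termsrv.dll (not from the article). Run elevated.

$termsrvPath = Join-Path $env:SystemRoot 'System32\termsrv.dll'

function Test-TermsrvIntegrity {
    param([string]$Path = $termsrvPath)

    $file      = Get-Item -Path $Path
    $signature = Get-AuthenticodeSignature -FilePath $Path   # catalog-signed; expect 'Valid'
    $owner     = (Get-Acl -Path $Path).Owner                  # expect 'NT SERVICE\TrustedInstaller'
    $hash      = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Assumption: the most recently written termsrv.dll in WinSxS is the
    # version Windows Update installed, so it should hash-match System32.
    $sxsCopy = Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') -Filter 'termsrv.dll' -Recurse -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $sxsHash = if ($sxsCopy) { (Get-FileHash -Path $sxsCopy.FullName -Algorithm SHA256).Hash } else { $null }

    $ownerChanged   = $owner -ne 'NT SERVICE\TrustedInstaller'
    $badSignature   = $signature.Status -ne 'Valid'
    $hashMismatch   = ($null -ne $sxsHash) -and ($sxsHash -ne $hash)

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $signature.Status
        Signer          = $signature.SignerCertificate.Subject
        Owner           = $owner
        LastWriteTime   = $file.LastWriteTime
        SHA256          = $hash
        WinSxSSHA256    = $sxsHash
        Suspicious      = $ownerChanged -or $badSignature -or $hashMismatch
    }
}

function Get-RdpLogonSessions {
    # LogonType 10 = RemoteInteractive (RDP). On a client edition, or on a
    # server where the limit has not been raised by policy, several active
    # sessions at once is a strong sign the concurrent-session limit was lifted.
    Get-CimInstance -ClassName Win32_LogonSession |
        Where-Object { $_.LogonType -eq 10 } |
        Select-Object LogonId, StartTime
}

Test-TermsrvIntegrity | Format-List
$rdpSessions = @(Get-RdpLogonSessions)
"Active RDP (RemoteInteractive) logon sessions: $($rdpSessions.Count)"
$rdpSessions | Format-Table -AutoSize
```

Any of the three flags (signature not Valid, owner not TrustedInstaller, hash differing from the component-store copy) on a host that has not just received an update is enough to justify pulling the file and the RDP service restart events for review. Because the article notes the attackers restart the RDP service after patching, a TermService restart (System log, Service Control Manager event ID 7036) that does not coincide with patching or a reboot is a useful corroborating event.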
To strengthen their persistence, Cloud Atlas employs various tunneling techniques to navigate around firewalls and other security barriers. They establish reverse SSH tunnels from compromised hosts to attacker-controlled servers, utilizing VBS scripts executed via tools like PsExec, while scheduled tasks ensure these operations remain functional over time. In certain instances, they even modify file permissions to protect SSH keys from being accessed by administrative users.
Advanced Implementation Techniques
Moreover, modified versions of OpenSSH have been identified, where standard cryptographic libraries have been swapped with custom-built versions to evade detection. The attackers also utilize RevSocks, a Go-based tunneling utility designed to create proxy channels within internal networks. This is complemented by the implementation of Tor hidden services, which allow for further covert access by exposing compromised systems through onion domains, facilitating RDP connections over anonymized infrastructures.
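The tunneling layer described in the two preceding sections (reverse SSH kept alive by scheduled tasks running VBS, a rebuilt OpenSSH, RevSocks and a Tor client) shares one observable: a long-lived outbound connection owned by a process that is either a script host or an unsigned binary. The following PowerShell is an added defensive example written for this article, not code from the report or from the actor. It assumes the Get-ScheduledTask and Get-NetTCPConnection cmdlets (Windows 8 / Server 2012 and later); the port list is a constructed starting point (SSH on 22, the default Tor SOCKS and control ports 9050 and 9051) and not a statement of the ports this campaign used.

```powershell
# Added hunt for tunnel-style persistence (not from the article). Run elevated
# so process paths of services and other users' processes are visible.

function Get-SuspiciousScheduledTasks {
    # Enabled tasks whose action runs a script host or an SSH-style client.
    $actionPattern = 'wscript|cscript|ssh(\.exe)?\b|plink|powershell|pwsh'
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $commandLine = ("$($action.Execute) $($action.Arguments)").Trim()
            if ($commandLine -match $actionPattern) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    RunAs    = $task.Principal.UserId
                    Command  = $commandLine
                }
            }
        }
    }
}

function Get-OutboundConnectionsByProcess {
    param(
        # Constructed watch list: SSH plus Tor's default SOCKS/control ports.
        [int[]]$WatchPorts = @(22, 9050, 9051)
    )
    # Cache signature results per executable so each binary is checked once.
    $signatureCache = @{}
    Get-NetTCPConnection -State Established | ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $path = $proc.Path
        $sigStatus = 'Unknown'
        if ($path) {
            if (-not $signatureCache.ContainsKey($path)) {
                $signatureCache[$path] = (Get-AuthenticodeSignature -FilePath $path).Status
            }
            $sigStatus = $signatureCache[$path]
        }
        [pscustomobject]@{
            ProcessId  = $conn.OwningProcess
            Process    = $proc.ProcessName
            Path       = $path
            Signature  = $sigStatus
            LocalPort  = $conn.LocalPort
            RemoteAddr = $conn.RemoteAddress
            RemotePort = $conn.RemotePort
        }
    } | Where-Object { ($_.Signature -ne 'Valid') -or ($_.RemotePort -in $WatchPorts) } |
        Sort-Object Process, RemotePort
}

Get-SuspiciousScheduledTasks     | Format-Table -AutoSize
Get-OutboundConnectionsByProcess | Format-Table -AutoSize
```

A rebuilt OpenSSH with swapped cryptographic libraries will not carry a valid Microsoft signature, so it surfaces in the second list even if it was renamed; the scheduled-task list then shows what keeps it running. Because the article notes the actors also harden file permissions on their SSH keys so administrators cannot read them, a key file under a user profile that the administrator is denied access to is itself worth recording when triaging any hit from this script.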
In another significant development, a newly identified tool dubbed PowerCloud has emerged. This tool is responsible for gathering administrative user data and exfiltrating it to Google Sheets in a Base64-encoded format, illustrating the group’s shift towards leveraging legitimate cloud services for data staging and exfiltration.
Conclusion
Telemetry indicates that the campaign is increasingly targeting government and diplomatic organizations, a focus that aligns with Cloud Atlas’s historical activities. Although some overlaps with the Head Mare group’s infrastructure have been reported, the tactics and tools employed by Cloud Atlas remain distinctly separate.
The ongoing use of publicly available tools like SSH, Tor, and RevSocks, combined with their advanced RDP manipulation techniques, reflects an ongoing evolution of the Cloud Atlas group. This layered approach to persistence complicates detection and remediation efforts, highlighting an urgent need for organizations to monitor system libraries, scrutinize PowerShell activities, and detect unauthorized remote access configurations.
