Advanced Persistence and RDP Manipulation: Analyzing the Cloud Atlas Cyber Espionage Campaign
The Cloud Atlas advanced persistent threat (APT) group has significantly evolved its operational capabilities, introducing a sophisticated technique to manipulate the Windows termsrv.dll library. This modification allows the threat actor to bypass standard operating system restrictions, enabling multiple concurrent Remote Desktop Protocol (RDP) sessions on a single compromised host. This maneuver provides the attackers with a stable, high-access environment that remains largely invisible to legitimate users.
Observed spanning late 2025 and extending into 2026, this campaign demonstrates a strategic focus on government and commercial entities within Russia and Belarus. The group’s methodology is a hybrid of legacy exploits and modern, custom-tooled persistence mechanisms designed to evade contemporary EDR (Endpoint Detection and Response) solutions.
Initial access is frequently achieved through highly targeted phishing campaigns. In recent iterations, attackers have distributed ZIP archives containing malicious LNK (shortcut) files. Once a user interacts with these files, they silently trigger PowerShell scripts hosted on remote command-and-control (C2) infrastructure. In parallel, the group continues to leverage the Equation Editor vulnerability (CVE-2018-0802) to weaponize documents and pull down secondary payloads.
Upon execution, the initial PowerShell script establishes early-stage persistence by dropping a secondary loader, fixed.ps1, into the system’s temporary directory and modifying the Windows Registry to ensure execution during boot. To mask its presence, the script employs a “distraction” technique: it retrieves and displays a legitimate PDF document to the victim. While the user is occupied with the decoy, the script aggressively deletes forensic artifacts and prepares the environment for the primary payload.

fixed.ps1 payload module utilized by Cloud Atlas.The fixed.ps1 loader serves as a delivery vehicle for two distinct specialized backdoors: VBCloud and PowerShower.
- VBCloud: A dedicated data exfiltration implant. It deploys an encrypted payload,
video.mds, which is decrypted in memory via the RC4 algorithm and executed through a VBS loader. Its primary objective is the theft of sensitive document formats, including DOC, PDF, and XLS files. - PowerShower: A reconnaissance and lateral movement tool. This module performs extensive domain enumeration, executes remote PowerShell commands, and conducts Kerberoasting attacks to harvest Active Directory credentials. It also features a UAC bypass mechanism via
fodhelper.exe, allowing the attacker to gain elevated privileges and access the SAM and SECURITY registry hives through volume shadow copies.

A critical evolution in this campaign is the deployment of rdp_new.ps1. This script specifically targets the termsrv.dll library, which manages RDP session handling. By taking ownership of the file and altering specific byte sequences, the attackers can circumvent the Windows restriction on concurrent RDP logins. This allows them to maintain an active session without kicking legitimate administrators off the system, a key tactic for long-term stealth.
Technical Deep Dive: Persistence and Tunneling
To maintain a resilient connection to the internal network, Cloud Atlas utilizes a multi-layered tunneling architecture. They establish reverse SSH tunnels to bypass inbound firewall rules, often managing these via VBS scripts and PsExec. To further harden their presence, they may modify file permissions to prevent administrative users from accessing or removing their SSH keys.
The group has also been observed utilizing modified versions of OpenSSH, replacing standard cryptographic libraries with custom implementations to evade signature-based detection. Furthermore, they deploy RevSocks, a Go-based utility, to create proxy channels, and leverage Tor hidden services to route RDP traffic through anonymized onion domains.

In a shift toward “living off the cloud,” the attackers have introduced PowerCloud. This tool harvests administrative user data and exfiltrates it to Google Sheets using Base64 encoding, effectively hiding malicious traffic within legitimate HTTPS requests to trusted cloud services.
While some infrastructure overlaps with the Head Mare group, the specific TTPs (Tactics, Techniques, and Procedures) utilized here are uniquely Cloud Atlas. The combination of RDP library patching, cloud-based exfiltration, and sophisticated tunneling highlights a highly capable adversary. Organizations are advised to implement rigorous monitoring for unauthorized PowerShell execution, unexpected changes to system DLLs, and anomalous RDP connection patterns.