Introduction
The campaign in which the Cloud Atlas APT modifies termsrv.dll is rapidly becoming one of the most sophisticated cyber espionage operations observed in 2026. Security researchers uncovered a stealth-focused intrusion chain in which the Cloud Atlas advanced persistent threat group modifies the Windows termsrv.dll library to enable hidden concurrent Remote Desktop Protocol (RDP) sessions on compromised systems.
The technique matters because it allows attackers to maintain covert, long-term access to compromised enterprise environments without disrupting legitimate user activity.
Researchers observed the campaign targeting:
• Government organizations
• Diplomatic entities
• Commercial enterprises
• Critical infrastructure
• Administrative workstations
• Active Directory environments
• Hybrid enterprise networks
The attackers reportedly combined:
• Phishing campaigns
• Malicious LNK files
• PowerShell payloads
• SSH tunneling
• Tor hidden services
• Credential theft
• Remote desktop manipulation
• Lateral movement operations
One of the most alarming aspects of the campaign involves direct modification of the Windows termsrv.dll file, the core Remote Desktop Services library responsible for managing RDP sessions.
By patching termsrv.dll, the attackers enabled multiple simultaneous RDP sessions on victim systems while keeping legitimate users logged in normally.
This dramatically reduces detection opportunities.
As an independent cybersecurity blogger and part-time penetration tester, I find this operation notable because it reflects a growing trend in advanced intrusions: modern threat actors no longer rely only on malware for persistence. They increasingly modify trusted operating system components directly.
What Happened
How Cloud Atlas Modified termsrv.dll
Researchers tracking Cloud Atlas activity throughout late 2025 and early 2026 identified new persistence mechanisms involving direct tampering with Windows Remote Desktop Services components.
The Cloud Atlas APT group, active since at least 2014, has historically focused on cyber espionage campaigns targeting Eastern Europe and Central Asia.
The latest campaigns reportedly targeted:
• Russia
• Belarus
• Government agencies
• Diplomatic structures
• Commercial organizations
The attackers primarily used phishing emails delivering:
• ZIP archives
• Malicious LNK files
• Weaponized Office documents
• CVE-2018-0802 exploits
The infection chain begins when victims execute malicious shortcuts or exploit documents.
Researchers observed the malware deploying several payloads including:
• VBCloud
• PowerShower
• PowerCloud
• Reverse SSH tunneling tools
• RevSocks proxy tooling
• Tor hidden services
After establishing initial access, the attackers executed a PowerShell script named:
rdp_new.ps1
This script modified the Windows termsrv.dll library directly.
Researchers explained that the script:
• Takes ownership of termsrv.dll
• Alters specific byte sequences
• Restarts Remote Desktop Services
• Enables concurrent RDP sessions
• Maintains hidden attacker access
Normally, Windows client systems restrict multiple simultaneous RDP sessions.
Cloud Atlas bypassed this restriction entirely.
This allowed attackers to maintain stealthy remote access without disconnecting active users.
Technical Analysis
How the Cloud Atlas APT Modifies termsrv.dll
The attack chain demonstrates advanced persistence and stealth techniques.
Initial Access
The attackers primarily relied on phishing campaigns.
Victims received:
• Malicious ZIP archives
• Weaponized Office documents
• Malicious LNK shortcuts
• Exploit based payloads
Researchers also observed continued exploitation of:
CVE-2018-0802
This is an older Microsoft Office Equation Editor vulnerability capable of enabling remote code execution without user interaction.
PowerShell Loader Execution
Once executed, the malicious LNK or exploit payload launched PowerShell scripts hosted on attacker infrastructure.
The loader performed several actions:
• Registry persistence
• Payload deployment
• Process cleanup
• EDR disruption
• Decoy PDF display
• Malware installation
Researchers noted the malware deletes forensic artifacts aggressively to reduce visibility.
termsrv.dll Modification
The most important technique involves direct modification of:
%SystemRoot%\System32\termsrv.dll
This DLL controls Windows Remote Desktop Services behavior.
Cloud Atlas used PowerShell scripts to:
• Stop Terminal Services
• Take ownership of termsrv.dll
• Modify binary byte sequences
• Re-enable RDP services
• Allow concurrent hidden sessions
This mirrors legitimate multi-session patching tools often used to bypass Windows client RDP limitations.
However, Cloud Atlas weaponized the technique for covert persistence.
Why This Technique Is Dangerous
Normally, a Windows workstation edition allows only one interactive session, so a new RDP connection disconnects the user who is already logged in.
By patching termsrv.dll, attackers avoid:
• User disconnection alerts
• Session takeover visibility
• Obvious user disruption
• Standard RDP limitations
This enables stealthy long term access.
Attack Chain
A realistic attack chain for this campaign may involve:
• Phishing email delivery
• Malicious LNK execution
• PowerShell payload deployment
• Persistence establishment
• Credential harvesting
• termsrv.dll modification
• Hidden RDP session enablement
• Reverse SSH tunnel creation
• Active Directory reconnaissance
• Enterprise lateral movement
This attack chain is highly stealth-focused.
Reverse SSH and Tor Persistence
Researchers observed Cloud Atlas using:
• Reverse SSH tunnels
• Modified OpenSSH binaries
• RevSocks proxies
• Tor hidden services
These methods allow attackers to maintain resilient remote access while bypassing inbound firewall restrictions.
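Outbound tunnels of this kind leave the usual inbound-RDP telemetry empty, so one quick host-side hunt is to list established outbound connections on the ports SSH and Tor commonly use and check which process owns each one. The following is an added example written for this post, not code from the original article or from any Cloud Atlas tooling; it assumes Windows 8 or later with PowerShell 5.1+ (for Get-NetTCPConnection), and the port list and "trusted directory" list are assumptions you should adjust to your environment. An ssh.exe or tor.exe running from a user-writable location rather than from System32 or Program Files is the case worth escalating.

```powershell
# Added example, not from the original post. Lists established outbound TCP
# connections to ports commonly used by SSH and Tor, with the owning process,
# and flags processes that run from outside the expected install directories.
function Get-SuspectTunnelConnections {
    param(
        # Assumed port list: SSH plus the Tor defaults for OR, directory and SOCKS ports.
        [int[]]$RemotePorts = @(22, 9001, 9030, 9050),
        # Assumed trusted locations; ssh.exe shipped with Windows lives under System32\OpenSSH.
        [string[]]$TrustedDirs = @("$env:SystemRoot\System32", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
    )

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in $RemotePorts } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $path = if ($proc) { $proc.Path } else { $null }

            # A connection is "trusted" only if its process image sits under one of the trusted dirs.
            $inTrusted = $false
            foreach ($dir in $TrustedDirs) {
                if ($path -and $dir -and $path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true
                }
            }

            [PSCustomObject]@{
                Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
                ProcessId  = $_.OwningProcess
                Process    = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                Path       = $path
                Suspicious = -not $inTrusted
            }
        }
}

# Show suspicious rows first; an empty result means no matching outbound connections right now.
Get-SuspectTunnelConnections | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

This is a point-in-time snapshot, so schedule it or feed the output to your SIEM; a tunnel that reconnects every few minutes will be missed by a single run. Processes whose path cannot be read (protected or already exited) show a null path and are flagged, which is the conservative choice for a hunt.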
Credential Theft and Reconnaissance
The PowerShower malware component performs:
• Active Directory reconnaissance
• Kerberoasting attacks
• Process enumeration
• SAM database dumping
• Credential harvesting
• Administrator discovery
Researchers observed UAC bypass abuse involving:
fodhelper.exe
This allowed elevated privilege execution silently.
Threat Actor Tactics
The campaign combines:
• Remote code execution
• Persistence mechanisms
• SSH tunneling
• Credential theft
• RDP manipulation
• Active Directory targeting
• Living-off-the-land techniques
• Cloud service abuse
The operation demonstrates advanced operational maturity.
Security Implications
The campaign highlights a major cybersecurity problem.
Attackers increasingly modify trusted Windows components directly instead of deploying noisy malware.
This dramatically complicates detection.
Why This Issue Matters
Why the Cloud Atlas APT Modifies termsrv.dll Campaign Matters
The operation creates serious risks for enterprise environments.
Enterprise Risks
Successful compromise may expose:
• Active Directory infrastructure
• Administrative credentials
• Internal systems
• Government networks
• Diplomatic communications
• Sensitive enterprise data
Stealth Persistence Risks
The modified termsrv.dll technique allows attackers to:
• Maintain hidden RDP sessions
• Avoid disconnecting users
• Reduce visibility
• Persist long term
• Evade standard monitoring
Identity Security Risks
Researchers observed attacks targeting:
• Domain controllers
• Kerberos authentication
• Administrative accounts
• Privileged users
• Credential stores
Operational Risks
A successful intrusion may lead to:
• Long term espionage
• Credential compromise
• Internal reconnaissance
• Lateral movement
• Persistent remote access
• Security monitoring bypass
Cloud Security Risks
Cloud Atlas also leveraged:
• Google Sheets exfiltration
• SSH tunneling
• Cloud hosted payloads
• Tor infrastructure
This increases hybrid environment exposure.
Potential Attack Scenarios
Hidden RDP Persistence
Attackers modify termsrv.dll and maintain covert RDP sessions while employees continue working normally.
Government Network Espionage
Threat actors harvest diplomatic documents and exfiltrate sensitive data through SSH tunnels.
Active Directory Compromise
PowerShower performs Kerberoasting attacks and extracts administrative credentials.
Hybrid Enterprise Pivot
Compromised systems connect outbound through reverse SSH tunnels and Tor hidden services.
Stealthy Long Term Persistence
Modified RDP services provide attackers with persistent access for months without obvious disruption.
Detection and Monitoring Strategies
How to Detect Cloud Atlas termsrv.dll Modification Activity
Organizations should strengthen visibility around RDP infrastructure immediately.
Logging Recommendations
Monitor:
• termsrv.dll modifications
• RDP service restarts
• Concurrent RDP sessions
• Reverse SSH tunnels
• PowerShell execution
• Registry persistence changes
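Three of these items (termsrv.dll modification, service restarts and concurrent sessions) can be checked directly on a host. The script below is an added example written for this post, not code from the original article or from any Cloud Atlas tooling. It assumes Windows 10/11 or Server with PowerShell 5.1+, an elevated prompt, and that query.exe is present; $KnownGoodSha256 is a placeholder for a baseline hash you record yourself from a clean machine of the same Windows build, because the correct hash differs per build and update level.

```powershell
# Added example, not from the original post. Defender-side integrity check for the
# termsrv.dll tampering described in the article: catalog signature, file owner,
# baseline hash, and number of active interactive sessions.
function Test-TermSrvIntegrity {
    param(
        [string]$KnownGoodSha256 = '<SHA256-OF-CLEAN-TERMSRV-DLL-FOR-THIS-BUILD>'  # placeholder, record your own
    )

    $termSrv  = Join-Path $env:SystemRoot 'System32\termsrv.dll'
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Catalog signature. A byte patch invalidates the Microsoft catalog hash, so the
    #    status drops from 'Valid' to 'HashMismatch' or 'NotSigned'.
    $sig = Get-AuthenticodeSignature -FilePath $termSrv
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is '$($sig.Status)', expected 'Valid'")
    }

    # 2. Ownership. The stock file is owned by TrustedInstaller; the script described in
    #    the post takes ownership first, which leaves an administrator principal as owner.
    $owner = (Get-Acl -Path $termSrv).Owner
    if ($owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings.Add("Owner is '$owner', expected 'NT SERVICE\TrustedInstaller'")
    }

    # 3. Hash against your own recorded baseline (skipped while the placeholder is still set).
    $sha256 = (Get-FileHash -Path $termSrv -Algorithm SHA256).Hash
    if (-not $KnownGoodSha256.StartsWith('<') -and $sha256 -ne $KnownGoodSha256) {
        $findings.Add("SHA256 $sha256 differs from the recorded baseline")
    }

    # 4. Concurrent sessions. ProductType 1 is a workstation edition, which normally allows
    #    one active interactive session; two or more 'Active' rows from 'query session' is
    #    the observable effect of the patch.
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    $activeRows  = @(query session 2>$null | Where-Object { $_ -match '\sActive(\s|$)' })
    if ($productType -eq 1 -and $activeRows.Count -gt 1) {
        $findings.Add("$($activeRows.Count) active sessions on a workstation edition, expected at most 1")
    }

    [PSCustomObject]@{
        Path           = $termSrv
        Sha256         = $sha256
        Signature      = $sig.Status
        Owner          = $owner
        ProductType    = $productType
        ActiveSessions = $activeRows.Count
        Tampered       = ($findings.Count -gt 0)
        Findings       = $findings
    }
}

# Run it; any entry in Findings is worth an incident response ticket, not just a log line.
Test-TermSrvIntegrity | Format-List
```

Run it from a scheduled task and forward the object to your SIEM so that a change in Signature, Owner or Sha256 between two runs raises an alert even if nobody looks at the host. The signature check is the most robust of the four, since it does not depend on a baseline you maintain; the owner check is the cheapest, because taking ownership is the first step the post attributes to the attacker script.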
EDR Monitoring
EDR platforms should detect:
• Unauthorized DLL modification
• takeown.exe usage
• icacls.exe abuse
• Service modification behavior
• PowerShell persistence
• UAC bypass activity
SIEM Correlation
SOC teams should create detections for:
• termsrv.dll hash changes
• Hidden RDP sessions
• Reverse SSH activity
• Tor connectivity
• Kerberoasting indicators
• Suspicious RDP behavior
Threat Hunting Guidance
Threat hunters should search for:
• Modified termsrv.dll hashes
• Unexpected RDP sessions
• Reverse SOCKS tunnels
• PowerShower artifacts
• PowerCloud indicators
• Registry persistence mechanisms
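A hunter who wants the history rather than the current state can reconstruct the sequence the post describes (take ownership, stop and restart Remote Desktop Services, then new RDP logons) from the Windows event logs. The function below is an added example written for this post, not code from the original article or from any Cloud Atlas tooling. It assumes PowerShell 5.1+ run elevated, that process creation auditing (Security 4688) with command line logging and PowerShell script block logging (4104) are enabled, and that the logs still cover the lookback window; the event IDs and 4624 property indexes used are the standard Windows ones.

```powershell
# Added example, not from the original post. Builds a single time-ordered list of the
# host events that precede and follow a termsrv.dll patch: takeown/icacls on the DLL,
# Remote Desktop Services state changes, script blocks mentioning the DLL, and
# RemoteInteractive (type 10) logons.
function Get-TermSrvTamperTimeline {
    param([int]$LookbackHours = 72)

    $since = (Get-Date).AddHours(-$LookbackHours)
    $rows  = New-Object System.Collections.Generic.List[object]

    function Add-Row($time, $category, $detail) {
        $rows.Add([PSCustomObject]@{ Time = $time; Category = $category; Detail = $detail })
    }

    # Returns the first line of an event message matching $pattern, or '' if none does.
    function Get-MessageLine($message, $pattern) {
        $line = ($message -split "`r?`n") | Where-Object { $_ -match $pattern } | Select-Object -First 1
        if ($line) { $line.Trim() } else { '' }
    }

    # 1. takeown.exe or icacls.exe with termsrv.dll on the command line (Security 4688).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(takeown|icacls)\.exe' -and $_.Message -match 'termsrv\.dll' } |
        ForEach-Object { Add-Row $_.TimeCreated 'OwnershipOrAcl' (Get-MessageLine $_.Message 'Process Command Line') }

    # 2. Remote Desktop Services entering the stopped/running state (System 7036).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Remote Desktop Services service' } |
        ForEach-Object { Add-Row $_.TimeCreated 'TermServiceState' $_.Message.Trim() }

    # 3. PowerShell script blocks that reference termsrv.dll (PowerShell Operational 4104).
    #    This function's own script block is excluded by name so it does not flag itself.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'termsrv\.dll' -and $_.Message -notmatch 'Get-TermSrvTamperTimeline' } |
        ForEach-Object { Add-Row $_.TimeCreated 'ScriptBlock' "Script block of $($_.Message.Length) chars references termsrv.dll" }

    # 4. RemoteInteractive logons (Security 4624 with LogonType 10). Properties[5] is the
    #    target user, [6] the target domain, [8] the logon type and [18] the source address.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        ForEach-Object { Add-Row $_.TimeCreated 'RdpLogon' "$($_.Properties[6].Value)\$($_.Properties[5].Value) from $($_.Properties[18].Value)" }

    $rows | Sort-Object Time
}

# Last week of activity, oldest first. Read it for the order: OwnershipOrAcl, then
# TermServiceState stopped and running, then RdpLogon rows from an unfamiliar source.
Get-TermSrvTamperTimeline -LookbackHours 168 | Format-Table -AutoSize -Wrap
```

Type 10 logons on a workstation that should never accept RDP are already worth an alert on their own; the value of the combined view is that a legitimate administrator restarting Remote Desktop Services produces the TermServiceState rows without the OwnershipOrAcl row before them. If 4688 command line logging is not enabled, the first query still matches the takeown and icacls process names but cannot confirm that termsrv.dll was the target, so treat a process-name-only hit as a lead rather than a finding.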
Identity Security Monitoring
Monitor for:
• Kerberos abuse
• Privilege escalation
• Administrative enumeration
• Credential theft
• Session hijacking
• Unusual domain authentication activity
Mitigation Recommendations
How to Mitigate Cloud Atlas termsrv.dll Attacks
Organizations should immediately strengthen RDP security controls.
Recommended Security Actions
• Restrict RDP exposure aggressively
• Monitor termsrv.dll integrity continuously
• Block unauthorized PowerShell execution
• Harden Active Directory environments
• Enable MFA everywhere possible
• Monitor reverse SSH tunnels
• Restrict outbound SSH traffic
• Harden endpoint telemetry collection
• Monitor concurrent RDP sessions
• Conduct threat hunting operations
• Audit administrative privileges
• Restrict local administrator access
• Harden phishing protections
• Expand SIEM visibility
• Implement Zero Trust architecture
• Conduct incident response exercises
Additional Security Measures
Organizations should also:
• Deploy application allowlisting
• Restrict DLL modifications
• Audit RDP configurations
• Harden endpoint protection policies
• Improve PowerShell logging
• Expand identity monitoring coverage
Why Cybersecurity Teams Should Pay Attention
The campaign reflects a major evolution in advanced threat behavior.
Attackers increasingly target:
• Trusted operating system components
• RDP infrastructure
• Authentication systems
• Administrative workflows
• Endpoint visibility gaps
• Active Directory environments
• Persistence mechanisms
• Hybrid enterprise infrastructure
The reason is simple.
Trusted Windows components provide stealth.
The campaign also demonstrates why Zero Trust principles matter for internal infrastructure.
Organizations cannot blindly trust:
• RDP services
• Windows DLLs
• Administrative tools
• PowerShell execution
• Internal remote access
Trust must be continuously validated.
Key Takeaway
The campaign demonstrates how advanced threat actors increasingly weaponize legitimate Windows functionality for stealth persistence and long-term espionage.
Researchers observed Cloud Atlas modifying the Windows Remote Desktop Services library to enable covert concurrent RDP sessions while maintaining persistence through reverse SSH tunnels, Tor hidden services, and credential theft operations.
The campaign reinforces several major cybersecurity realities:
• RDP remains a high value attack surface
• Trusted Windows components can become persistence mechanisms
• PowerShell remains heavily abused
• Identity systems remain prime targets
• Reverse SSH tunnels reduce visibility
• Threat hunting is increasingly critical
Organizations should prioritize:
• RDP hardening
• termsrv.dll integrity monitoring
• PowerShell visibility
• Active Directory security
• Threat hunting
• Zero Trust enforcement
• Endpoint telemetry
• Incident response readiness
Modern cybersecurity increasingly depends on detecting attackers modifying the operating system itself.