Cloud Atlas patches Windows termsrv.dll to keep hidden RDP access on victim hosts
Cloud Atlas is using a stealthy Windows technique that patches termsrv.dll to allow multiple Remote Desktop Protocol sessions on compromised systems. The change lets attackers stay connected through RDP while the legitimate user remains logged in, reducing the chance that the victim notices the intrusion.
The activity comes from a recent Securelist report on Cloud Atlas operations in the second half of 2025 and early 2026. Kaspersky researchers said the group targeted public-sector and diplomatic organizations in Russia and Belarus while adding new persistence and tunneling methods to its toolset.
Cloud Atlas, also known as Inception, has operated as a cyber-espionage group since at least 2014. MITRE ATT&CK tracks the group as G0100 and says it has targeted government entities and several industries across Russia, Europe, Asia, Africa, the Middle East, and the United States.
Why the termsrv.dll patch matters
RDP gives users an interactive remote session on another Windows system. Microsoft describes Remote Desktop Protocol as the protocol used for communication between a Terminal Server and a Terminal Server Client, with data encapsulated and encrypted within TCP.
Cloud Atlas is not simply using RDP after stealing credentials. Researchers found that the attackers patched the Windows termsrv.dll library so Windows 10 systems could accept multiple concurrent sessions.
That matters because a normal user may continue working while the attacker connects separately in the background. The victim does not get kicked out, and defenders may not see the same obvious signs that appear when a user loses a session unexpectedly.
Key details at a glance
| Item | Details |
|---|---|
| Threat actor | Cloud Atlas, also known as Inception |
| Campaign period | Second half of 2025 into early 2026 |
| Main targets | Public-sector and diplomatic organizations, especially in Russia and Belarus |
| Initial access | Phishing emails with ZIP archives containing malicious LNK files |
| Notable technique | Patching termsrv.dll to allow multiple RDP sessions |
| Other tools | Reverse SSH tunnels, RevSocks, Tor, VBCloud, PowerShower, and PowerCloud |
| Main risk | Stealthy persistence, lateral movement, credential theft, and long-term espionage |
How the attack begins
The latest campaign starts with phishing. Cloud Atlas sends ZIP archives that contain malicious shortcut files. When a victim opens the LNK file, it launches a PowerShell script from an external resource.
The script then prepares the system for later stages. It creates persistence, drops a decoy PDF to distract the user, removes initial infection traces, and launches additional payloads.
This is not a completely new playbook for the group. A previous Securelist analysis from December 2025 described Cloud Atlas using phishing documents, the Microsoft Office Equation Editor vulnerability CVE-2018-0802, VBShower, PowerShower, VBCloud, and the CloudAtlas backdoor.
What rdp_new.ps1 does to Windows
The most notable new element is a PowerShell script named rdp_new.ps1. Kaspersky says the script patches termsrv.dll, the core Windows library that enforces Remote Desktop Services rules.
The script first enables RDP through the firewall and weakens RDP security settings. It then takes ownership of termsrv.dll, grants itself full permissions, finds a specific byte sequence, replaces it with another byte sequence, and restarts the RDP service.
The result is a system that allows more than one RDP session at the same time. This gives attackers a way to stay logged in without disrupting the legitimate user.
Reverse SSH tunnels create backup access
The termsrv.dll patch is only one part of the persistence strategy. Cloud Atlas also deploys reverse SSH tunnels so compromised machines initiate outbound connections to attacker-controlled servers.
That helps the attackers bypass firewall rules that block inbound connections. Once the infected host connects outward, the attacker can use that tunnel as a backup control channel.
The Kaspersky report also says the group used VBS scripts through PAExec or PsExec to install and manage SSH tunnels. In some cases, the attackers added scheduled tasks so the tunnel restarted automatically.
RevSocks and Tor add more layers
Cloud Atlas also used RevSocks, a Go-based tunneling and proxy tool. This lets attackers connect to workstations inside the local network and use compromised machines as gateways into other segments.
The group also used Tor in some cases. Kaspersky found that a minimal Tor package was copied to system directories, making infected machines reachable through generated .onion addresses.
These layers make cleanup harder. Removing one backdoor or tunnel may not evict the attackers if another access route remains active.
PowerCloud expands the group's toolset
The campaign also introduced PowerCloud, a new Cloud Atlas tool written as an obfuscated PowerShell script and often packaged into an executable with PS2EXE.
Kaspersky says PowerCloud collects user data with administrator privileges and writes information to Google Sheets in Base64 format. That gives the group another way to exfiltrate information through services that may look less suspicious in network traffic.
The wider toolkit shows how Cloud Atlas blends custom malware, Windows scripting, public tools, and cloud services to maintain access inside targeted networks.
What defenders should monitor
Defenders should treat unexpected RDP behavior as a high-priority signal. A user remaining active while another session starts on the same workstation should trigger review, especially on endpoints that do not normally allow concurrent sessions.
Windows file-integrity monitoring can also help. A changed termsrv.dll on a workstation should not be ignored, especially if the system also shows new firewall rules, new scheduled tasks, or suspicious PowerShell activity.
Organizations should also watch for unusual outbound SSH connections. Attackers used those tunnels as backup access, so blocking only inbound RDP will not remove the risk.
Indicators worth checking
| Indicator type | Indicator |
|---|---|
| PowerShell script hash | 1A11B26DD0261EF27A112CE8B361C247 |
| Script name | rdp_new.ps1 |
| Modified Windows file | termsrv.dll |
| PowerShower path | C:\Users\[username]\Pictures\googleearth.ps1 |
| PowerCloud path | C:\Windows\wininet.exe |
| RevSocks path | C:\Windows\PLA\System\bounce.exe |
| SSH executable path | C:\Windows\PLA\System\conhosts.exe |
| Reverse SSH domain | tenkoff[.]org |
Recommended security actions
- Check the integrity and timestamp of termsrv.dll on sensitive Windows hosts.
- Review RDP configuration changes, firewall rule changes, and Remote Desktop service restarts.
- Alert on multiple concurrent RDP sessions on systems that should not support them.
- Audit scheduled tasks for unfamiliar VBS, PowerShell, SSH, Tor, or proxy-related entries.
- Inspect outbound SSH connections from workstations and servers that do not normally use SSH.
- Block known malicious domains and IP addresses from the campaign at the network perimeter.
- Hunt for PAExec or PsExec activity tied to tunnel deployment.
- Limit RDP access through jump hosts, VPN, MFA, and network segmentation.
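The monitoring points above and the checklist that follows them can be turned into a single host-side audit. The script below is an added example, not code from the Securelist report, Kaspersky, or this article; it is read-only and only reports what it finds. Its assumptions are labelled in the comments: the registry values it reviews are the standard Remote Desktop settings (the article says the script "weakens RDP security settings" without naming which ones), the 7-day and 30-day windows and the one-session-per-workstation baseline are arbitrary choices to adjust to your environment, and the indicator paths come from the table above.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit for the traces described in the article.
# Assumed baseline: a workstation with at most one interactive session.

$Findings = [System.Collections.Generic.List[string]]::new()
$Root = $env:SystemRoot

# 1. termsrv.dll: a byte-patched copy no longer carries a valid Microsoft signature,
#    and because rdp_new.ps1 takes ownership first, the owner is no longer TrustedInstaller.
$TermSrv = "$Root\System32\termsrv.dll"
$Sig = Get-AuthenticodeSignature -FilePath $TermSrv
if ($Sig.Status -ne 'Valid') { $Findings.Add("termsrv.dll signature status is '$($Sig.Status)', expected Valid") }
$Owner = (Get-Acl -Path $TermSrv).Owner
if ($Owner -ne 'NT SERVICE\TrustedInstaller') { $Findings.Add("termsrv.dll owner is '$Owner', expected NT SERVICE\TrustedInstaller") }
$Age = (Get-Date) - (Get-Item -Path $TermSrv).LastWriteTime
if ($Age.TotalDays -lt 30) { $Findings.Add("termsrv.dll written $([int]$Age.TotalDays) days ago; correlate with Windows Update history") }

# 2. Standard RDP settings worth reviewing (assumption: the article does not name the exact keys).
$TS = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$Checks = @(
    @{ Path = $TS;                       Name = 'fDenyTSConnections';    Expected = 1; Why = 'RDP is enabled; confirm this is intended' }
    @{ Path = $TS;                       Name = 'fSingleSessionPerUser'; Expected = 1; Why = 'multiple sessions per user are allowed' }
    @{ Path = "$TS\WinStations\RDP-Tcp"; Name = 'UserAuthentication';    Expected = 1; Why = 'Network Level Authentication is disabled' }
    @{ Path = "$TS\WinStations\RDP-Tcp"; Name = 'SecurityLayer';         Expected = 2; Why = 'TLS is not required for RDP' }
)
foreach ($c in $Checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -ne $c.Expected) { $Findings.Add("$($c.Name)=$v under $($c.Path): $($c.Why)") }
}

# 3. Logged-on interactive sessions: one explorer.exe per desktop session.
$Sessions = (Get-Process -Name explorer -ErrorAction SilentlyContinue).SessionId | Sort-Object -Unique
if ($Sessions.Count -gt 1) { $Findings.Add("$($Sessions.Count) interactive sessions logged on (session IDs $($Sessions -join ', '))") }

# 4. Recent remote RDP logons (LocalSessionManager 21/25) and Remote Desktop Services restarts (System 7036).
$Since = (Get-Date).AddDays(-7)
$Logons = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21, 25; StartTime = $Since } -ErrorAction SilentlyContinue
foreach ($e in $Logons) {
    if ($e.Message -match 'Source Network Address:\s*(\S+)' -and $Matches[1] -ne 'LOCAL') {
        $Findings.Add("RDP session event $($e.Id) at $($e.TimeCreated) from $($Matches[1])")
    }
}
$Restarts = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $Since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'Remote Desktop Services' }
foreach ($e in $Restarts) { $Findings.Add("TermService state change at $($e.TimeCreated): $($e.Message.Trim())") }

# 5. Enabled inbound allow rules that open the RDP port, whatever their display name.
foreach ($r in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
    $ports = ($r | Get-NetFirewallPortFilter).LocalPort
    if ($ports -contains '3389') { $Findings.Add("Inbound firewall rule '$($r.DisplayName)' allows TCP/UDP 3389") }
}

# 6. Scheduled tasks whose action looks like tunnel or script persistence (pattern is an assumption).
$TaskPattern = '\.vbs|\bssh\b|\btor\b|socks|paexec|psexec|bounce\.exe|conhosts\.exe'
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $TaskPattern) { $Findings.Add("Task '$($t.TaskName)' runs: $($cmd.Trim())") }
    }
}

# 7. Established outbound connections to port 22 and any connection owned by a process at an indicator path.
$IocPaths = @("$Root\wininet.exe", "$Root\PLA\System\bounce.exe", "$Root\PLA\System\conhosts.exe")
foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $path = $p.Path
    if ($c.RemotePort -eq 22 -or ($path -and $IocPaths -contains $path)) {
        $Findings.Add("$($p.ProcessName) (PID $($c.OwningProcess), $path) -> $($c.RemoteAddress):$($c.RemotePort)")
    }
}

# 8. Indicator files from the article's table, including the per-user PowerShower path.
$IocPaths += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
             ForEach-Object { Join-Path $_.FullName 'Pictures\googleearth.ps1' }
foreach ($f in $IocPaths) { if (Test-Path -LiteralPath $f) { $Findings.Add("Indicator file present: $f") } }

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated PowerShell session on the hosts in scope; every finding is a lead to verify, not a verdict, since Windows Update also rewrites termsrv.dll and many organizations enable RDP deliberately. The signature and ownership checks are the ones most directly tied to this campaign, because a byte-patched library cannot keep a valid Microsoft signature and the ownership change is a side effect of the patching procedure the report describes. The script hash from the indicators table belongs in the EDR or file-integrity tool rather than in this check, and outbound SSH on ports other than 22 will only show up through the process-path match, so a network-side review of outbound traffic to the listed domain remains necessary.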
How this maps to known Cloud Atlas behavior
The campaign fits Cloud Atlas' long-running espionage profile. The group has used spearphishing, PowerShell, VBScript, credential theft, cloud services, and proxy infrastructure in earlier operations.
MITRE lists techniques linked to Inception, including PowerShell execution, Visual Basic scripts, credential access from password stores, spearphishing attachments, malicious files, and cloud-based command-and-control activity.

The latest activity adds a stronger post-compromise access layer. Instead of relying only on malware implants, the group modifies a trusted Windows component and combines that change with SSH, RevSocks, and Tor.
Why RDP hardening alone is not enough
RDP controls still matter. Administrators should restrict exposure, require strong authentication, review logs, and block unnecessary remote access paths.
However, this campaign shows that attackers with administrative access can alter the host itself. A hardened RDP gateway will not help if a compromised workstation quietly changes local Remote Desktop behavior and maintains outbound tunnels.
Microsoft's RDP documentation explains the protocol's role in transferring input and display data over TCP. Cloud Atlas abuses that legitimate remote-access model after compromise, which makes behavior monitoring and file-integrity checks essential.
The bigger picture
Cloud Atlas has operated for more than a decade, and its latest activity shows steady adaptation rather than a sudden change in mission. The group still focuses on espionage, but it now uses more layered access methods to survive cleanup attempts.
The earlier 2025 Cloud Atlas report showed the group updating old tools and adding new implants. The 2026 campaign continues that pattern with multi-session RDP, reverse tunnels, and PowerCloud.

For defenders, the main lesson is simple. Do not treat RDP abuse only as a login problem. In this campaign, Cloud Atlas changes the Windows RDP service behavior itself, then uses several backup channels to stay inside the network.
FAQ
Cloud Atlas, also known as Inception, is a cyber-espionage group active since at least 2014. It has targeted government entities, diplomatic organizations, and several industries across multiple regions.
Cloud Atlas used a PowerShell script named rdp_new.ps1 to patch termsrv.dll on Windows 10 systems. The change allowed multiple concurrent RDP sessions, letting attackers stay connected without disconnecting the legitimate user.
Multi-session RDP lets an attacker operate in the background while the real user remains logged in. This reduces visible disruption and can make the compromise harder to notice.
The group uses several backup access methods, including reverse SSH tunnels, RevSocks, Tor hidden services, scheduled tasks, and malware such as VBCloud, PowerShower, and PowerCloud.
Defenders should monitor termsrv.dll integrity, unusual RDP session behavior, Remote Desktop service restarts, new firewall rules, suspicious scheduled tasks, outbound SSH tunnels, and known Cloud Atlas file paths or domains.