Cloud Atlas APT Escalates Stealth Cyberespionage Campaigns With Advanced RDP Manipulation and Multi-Vector Intrusions


Introduction

The Cloud Atlas advanced persistent threat group has significantly intensified its cyberespionage operations across 2025 and early 2026, focusing heavily on government institutions and diplomatic entities in Russia and Belarus. Recent findings reveal a notable evolution in its tactics, especially in how the group maintains stealth, persistence, and long-term access inside compromised environments. By combining phishing-driven intrusion chains, legacy vulnerability exploitation, and deep system-level modifications such as tampering with Windows Remote Desktop Protocol components, Cloud Atlas demonstrates a highly adaptive and technically mature espionage framework designed to evade modern security defenses.

Summary of the Original

The Cloud Atlas APT group has expanded its cyberespionage activity during 2025 and early 2026, primarily targeting government and diplomatic sectors in Russia and Belarus with increasingly sophisticated attack chains. The group begins its operations with phishing campaigns that deliver ZIP archives containing malicious LNK shortcut files, which serve as the initial execution vector. In parallel, it uses exploit documents targeting CVE-2018-0802, a known Microsoft Office Equation Editor vulnerability, to achieve remote code execution without user interaction.

Once inside a system, the malware establishes persistence through Windows Registry Run keys, drops decoy PDF files to distract victims, and disables or terminates security-relevant processes such as WinRAR to reduce the chance of detection. The intrusion chain includes cleanup routines designed to erase forensic traces and interfere with endpoint detection and response systems.

After establishing a foothold, Cloud Atlas deploys multiple payloads, including VBCloud, a VBS-based information stealer that decrypts payloads in memory and exfiltrates sensitive documents such as DOC, PDF, and XLS files to command-and-control servers. Another key component, PowerShower, is used for reconnaissance, collecting system data such as running processes, Active Directory structure, domain controllers, and administrative group membership. The attackers also bypass User Account Control using fodhelper.exe in order to extract password hashes from SAM files via volume shadow copies.

One of the most significant developments in their recent operations is the manipulation of the Windows Remote Desktop Protocol service through modification of the termsrv.dll file, enabling hidden concurrent RDP sessions beyond the normal Windows limit. This includes taking ownership of system files, modifying firewall rules, and altering memory structures to enable stealthy remote access.

To maintain long-term persistence, the group employs multiple redundant tunneling techniques, including reverse SSH tunnels created through VBS scripts, modified OpenSSH binaries with malicious DLL injection, and proxy-based routing using RevSocks and Tor hidden services. In more advanced cases, it deploys PowerCloud, a PowerShell-based tool that collects administrative credentials and exfiltrates them via Google Sheets in encoded form. These combined techniques reflect a highly structured and evolving cyberespionage operation designed to maintain stealth, persistence, and control over compromised systems.
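The termsrv.dll tampering, file-ownership changes, firewall edits and Run-key persistence described above each leave a host-level trace a defender can check. The script below is an added example for this article, not code from the reported campaign or from cyberpress.org; it assumes an elevated PowerShell session on the Windows host being examined, and the output field names are its own.

```powershell
# Added defender-side check for the RDP-related indicators described in the article.
# Assumes an elevated PowerShell session; field names in the output object are this script's own.

$termsrv = Join-Path $env:SystemRoot 'System32\termsrv.dll'

# 1. Authenticode: a patched termsrv.dll no longer carries a valid Microsoft signature.
$sig   = Get-AuthenticodeSignature -FilePath $termsrv
$sigOk = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')

# 2. Ownership: attackers take ownership of system files before patching them;
#    a stock termsrv.dll is owned by TrustedInstaller.
$owner   = (Get-Acl -Path $termsrv).Owner
$ownerOk = ($owner -eq 'NT SERVICE\TrustedInstaller')

# 3. Resource Protection: sfc compares the file against the protected-file catalog.
#    Captured sfc output contains embedded null characters, so strip them before matching.
$sfcText = (& sfc.exe /verifyfile=$termsrv 2>&1 | Out-String) -replace "`0", ''
$sfcOk   = $sfcText -match 'did not find any integrity violations'

# 4. Firewall: enumerate enabled inbound rules that open TCP 3389 so added rules stand out.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    Select-Object DisplayName, Profile, Action

# 5. Persistence: dump the Run keys the article names as the persistence mechanism.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runEntries = foreach ($k in $runKeys) {
    if (Test-Path $k) { Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS* }
}

[pscustomobject]@{
    TermsrvPath            = $termsrv
    TermsrvSignatureValid  = $sigOk
    TermsrvOwner           = $owner
    TermsrvOwnerIsExpected = $ownerOk
    TermsrvSfcClean        = $sfcOk
    InboundRdpRules        = $rdpRules
    RunKeyEntries          = $runEntries
} | Format-List
```

Any of TermsrvSignatureValid, TermsrvOwnerIsExpected or TermsrvSfcClean reporting False on a host that has not had a recent Windows update is worth escalating, as is an inbound 3389 rule or Run-key entry nobody on the team recognises.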

What Undercode Says:

Cloud Atlas is not just refining intrusion methods; it is reshaping how persistent access is maintained in modern Windows environments.
The modification of termsrv.dll represents a dangerous shift from user-level malware to deep system service manipulation.
This technique allows attackers to effectively rewrite how Remote Desktop behaves, bypassing built-in Windows restrictions.
Such persistence mechanisms are significantly harder to detect because they operate at the level of core system components.
Phishing remains the entry point, showing that even advanced groups still rely on human vulnerability as the weakest link.
The continued use of CVE-2018-0802 demonstrates how legacy vulnerabilities still fuel modern cyber operations.
Once inside, Cloud Atlas focuses heavily on disabling visibility tools rather than immediate destructive payloads.
The use of decoy PDFs highlights psychological manipulation designed to reduce user suspicion.
Memory-based payload execution reduces forensic traces, complicating incident response efforts.
VBCloud shows strong emphasis on document exfiltration, indicating intelligence-driven objectives.
PowerShower expands the operational picture by mapping internal enterprise structures for lateral movement.
The abuse of fodhelper.exe confirms ongoing reliance on legitimate Windows binaries for privilege escalation.
This reflects a broader trend of living-off-the-land techniques in modern APT campaigns.
The integration of reverse SSH tunnels demonstrates strong operational flexibility under restrictive network conditions.
Tor and RevSocks usage indicates a layered anonymization strategy for command-and-control resilience.
PowerCloud’s use of Google Sheets as an exfiltration channel is particularly unconventional and stealthy.
This indicates that attackers are blending common cloud services with malicious workflows to avoid detection.
The multi-layer tunneling approach ensures that even partial takedowns do not disrupt full command access.
The overall architecture suggests long-term espionage rather than short-term disruption or ransomware activity.
Cloud Atlas prioritizes persistence, stealth, and intelligence gathering over rapid exploitation or destruction.
The patching of system DLLs indicates a high level of technical sophistication and system knowledge.
This is not opportunistic malware but a structured intelligence collection framework.
Security teams face increasing difficulty distinguishing legitimate RDP activity from modified service behavior.
Endpoint detection tools may fail when core system binaries are altered at runtime.
Organizations relying on legacy Windows configurations are especially vulnerable to such manipulations.
The campaign shows how attackers combine old vulnerabilities with modern evasion layers.
Cloud Atlas effectively builds hybrid attack chains spanning phishing, exploitation, privilege escalation, and persistence.
Each stage of the operation is designed to minimize detection while maximizing data access.
The sophistication level suggests continued investment in tooling and operational infrastructure.
If undetected, such access can remain persistent for long periods, enabling continuous espionage.

Fact Checker Results:

✔ The article correctly identifies phishing and LNK-based infection vectors as common APT techniques
✔ The use of termsrv.dll manipulation aligns with known advanced RDP tampering strategies
✔ CVE-2018-0802 is a real historical vulnerability that has been exploited in malicious campaigns

Prediction:

Cloud Atlas is likely to further evolve its RDP manipulation techniques into fully automated persistence frameworks.
Future campaigns may reduce reliance on phishing by incorporating supply-chain or trusted-update infiltration methods.
Defensive systems will increasingly need kernel-level monitoring to detect DLL and service tampering early.


References:

Reported By: cyberpress.org