
The Cloud Atlas advanced persistent threat (APT) group has escalated its cyberespionage campaigns throughout 2025 and early 2026, primarily targeting government and diplomatic entities in Russia and Belarus.
In a newly uncovered wave of attacks, researchers have observed the threat actors deploying sophisticated evasion techniques, including patching the Windows termsrv.dll file to maintain hidden, concurrent Remote Desktop Protocol (RDP) sessions.
Hackers Patch RDP Sessions
To breach target environments, Cloud Atlas relies on phishing campaigns that deliver ZIP archives containing malicious LNK shortcut files.
To maximize infection success, the attackers also distribute malicious documents exploiting CVE-2018-0802, an older vulnerability in the Microsoft Office Equation Editor, to execute remote code without user interaction.
The resulting loader ensures persistence by writing itself to the Windows Registry Run key, downloading a decoy PDF to distract the user, and terminating archiver processes such as WinRAR to hide its tracks.
After cleaning up initial forensic artifacts to disrupt Endpoint Detection and Response (EDR) systems, the loader deploys two main payloads:
- VBCloud Backdoor: A VBS-based malware functioning primarily as an information stealer. It decrypts its main payload in memory and systematically searches the compromised host for specific file extensions, such as DOC, PDF, and XLS, before exfiltrating them to a command-and-control (C2) server.
- PowerShower: A secondary backdoor designed for network reconnaissance and lateral movement. PowerShower gathers data on running processes, Active Directory domain controllers, and administrator groups. It bypasses User Account Control (UAC) via the built-in fodhelper.exe utility to silently dump SAM system files containing password hashes from volume shadow copies.
The most notable development in recent Cloud Atlas campaigns is the modification of the Remote Desktop Protocol service to enable covert, multi-user access.
Attackers execute a custom script that manipulates termsrv.dll, the core Windows library governing remote desktop sessions.
According to Securelist research, Windows 10 restricts the number of concurrent RDP connections. The threat actors bypass this limitation by taking ownership of the termsrv.dll file, altering firewall rules to allow remote access, and patching specific memory locations.
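The following script is an added example, not code from the Securelist report or from Cloud Atlas tooling. It audits a Windows 10 host for the effects the paragraph above describes: a termsrv.dll that no longer validates against Microsoft's catalog, a file owner other than TrustedInstaller (the result of the take-ownership step), Remote Desktop enabled in the registry and firewall, and more than one concurrently Active RDP session. It assumes an elevated PowerShell 5.1+ session on the host being examined and uses only built-in cmdlets and the qwinsta utility.

```powershell
# Added example, not from the Securelist report or Cloud Atlas tooling: audit a
# Windows 10 host for the termsrv.dll tampering and RDP exposure described above.
# Assumes an elevated PowerShell 5.1+ session on the host being examined.

$dll      = Join-Path $env:SystemRoot 'System32\termsrv.dll'
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Catalog signature: the shipped DLL validates against Microsoft's catalog, so a
#    byte-patched copy reports HashMismatch (or NotSigned if the catalog entry is gone).
$sig = Get-AuthenticodeSignature -FilePath $dll
if ($sig.Status -ne 'Valid') {
    $findings.Add("termsrv.dll signature status: $($sig.Status)")
}

# 2. Ownership: the stock file belongs to TrustedInstaller; the 'take ownership'
#    step the report describes leaves an administrator account as owner instead.
$owner = (Get-Acl -Path $dll).Owner
if ($owner -ne 'NT SERVICE\TrustedInstaller') {
    $findings.Add("termsrv.dll owner is '$owner', expected NT SERVICE\TrustedInstaller")
}

# 3. Terminal Services configuration: are connections allowed, and on which port?
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ((Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0) {
    $findings.Add('Remote Desktop connections enabled (fDenyTSConnections = 0)')
}
$port = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp").PortNumber
if ($port -ne 3389) {
    $findings.Add("RDP listener moved to non-default port $port")
}

# 4. Firewall: any enabled inbound rule in the built-in Remote Desktop group.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' }
if ($rdpRules) {
    $findings.Add("Enabled inbound RDP firewall rules: $($rdpRules.Name -join ', ')")
}

# 5. Session count: an unpatched Windows 10 never shows more than one Active
#    rdp-tcp#N session; two or more is the direct runtime symptom of the patch.
$activeRdp = @(qwinsta 2>$null | Where-Object { $_ -match '^\s*>?rdp-tcp#\d+\s.*\bActive\b' })
if ($activeRdp.Count -gt 1) {
    $findings.Add("$($activeRdp.Count) concurrent Active RDP sessions:`n$($activeRdp -join "`n")")
}

if ($findings.Count -eq 0) { 'No termsrv.dll / RDP indicators found.' } else { $findings }
```

Checks 1 and 2 only see modifications that reached the disk; check 5 observes the runtime effect regardless of how the library was altered, which is why both kinds are included. Run `sfc /verifyonly` as a second opinion on the file, and treat an enabled Remote Desktop rule on a workstation that is not supposed to accept RDP as a finding in its own right, since the report lists the firewall change as part of the technique.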
To guarantee continuous access, Cloud Atlas employs several redundant tunneling methods:
- Reverse SSH Tunnels: Attackers deploy VBS scripts to establish outbound SSH connections to C2 servers, bypassing standard firewall rules. They also use modified OpenSSH binaries that load malicious DLLs to evade detection.
- RevSocks and Tor: The group uses RevSocks, a custom Go-based proxy tool, to route traffic through local networks. In some instances, they install Tor hidden services, configuring the compromised machine to be accessible via RDP over a generated .onion domain.
- PowerCloud: A newly discovered PowerShell tool used by the group to gather local administrator credentials and exfiltrate the data directly into Google Sheets using Base64 encoding.
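The following script is an added example, not code from the Securelist report or from Cloud Atlas tooling. It triages a host for the persistence and tunnelling indicators covered by the loader description earlier (Run-key persistence, fodhelper.exe UAC bypass) and by the list above (reverse SSH, RevSocks/Tor listeners, Google Sheets exfiltration). It assumes an elevated PowerShell 5.1+ session; the process names, ports and hostname it looks for (ssh.exe modules, tor.exe, SOCKS 1080, Tor 9050/9051, sheets.googleapis.com) are stock defaults chosen for illustration, not indicators published in the report.

```powershell
# Added example, not from the Securelist report or Cloud Atlas tooling: triage a
# host for the persistence and tunnelling indicators described above. Assumes an
# elevated PowerShell 5.1+ session. Process names, ports and hostnames below are
# stock defaults (OpenSSH, tor.exe, SOCKS 1080, Tor 9050/9051, sheets.googleapis.com),
# not indicators taken from the report.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Run keys: flag entries that launch a script host or point into user-writable
#    paths, which is how a VBS loader registered under Run typically appears.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        if ($cmd -match '(?i)wscript|cscript|powershell|\.vbs|\.ps1|\\AppData\\|\\ProgramData\\|\\Temp\\') {
            $findings.Add("Run entry $key\$name = $cmd")
        }
    }
}

# 2. fodhelper.exe UAC bypass: the technique registers a handler under the
#    ms-settings class in the user hive, a key absent from a clean profile.
#    Attackers often delete it afterwards, so absence is not proof of a clean host.
$fodKey = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
if (Test-Path $fodKey) {
    $findings.Add("fodhelper UAC-bypass handler present: $((Get-Item $fodKey).GetValue(''))")
}

# 3. Reverse SSH tunnels: established outbound connections to port 22 with their
#    owning process, plus any loaded module in that process that fails Authenticode
#    validation (a modified OpenSSH binary or side-loaded DLL would fail here).
$sshConns = Get-NetTCPConnection -State Established -RemotePort 22 -ErrorAction SilentlyContinue
foreach ($c in $sshConns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add("Outbound SSH to $($c.RemoteAddress):22 from PID $($c.OwningProcess) ($($proc.ProcessName))")
    $modules = @()
    try { $modules = @($proc.Modules) } catch { }   # protected processes deny module enumeration
    foreach ($m in $modules) {
        $s = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        if ($s.Status -ne 'Valid') {
            $findings.Add("  module failing signature check in PID $($proc.Id): $($m.FileName) [$($s.Status)]")
        }
    }
}

# 4. Tor / SOCKS proxies: a running tor.exe, or a listener on the default Tor or
#    SOCKS ports, on a workstation that has no business running them.
$tor = Get-Process -Name 'tor' -ErrorAction SilentlyContinue
if ($tor) { $findings.Add("tor.exe running, PID(s): $($tor.Id -join ', ')") }
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in @(1080, 9050, 9051) } |
    ForEach-Object { $findings.Add("Proxy-style listener on $($_.LocalAddress):$($_.LocalPort), PID $($_.OwningProcess)") }

# 5. Google Sheets exfiltration: a cached DNS answer for the Sheets API endpoint on
#    a host whose users do not work with Google Sheets is worth a second look.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like 'sheets.googleapis.com' } |
    ForEach-Object { $findings.Add("DNS cache entry for $($_.Entry) -> $($_.Data)") }

if ($findings.Count -eq 0) { 'No persistence / tunnelling indicators found.' } else { $findings }
```

The Run-key filter deliberately errs toward false positives (legitimate updaters also live under AppData), so review its output rather than alerting on it blindly. Check 3 keys on port 22 only; a reverse tunnel to a C2 listening on another port is caught only by widening `-RemotePort` or by pivoting to the process that loads an unsigned module. Checks 4 and 5 are transient snapshots (processes and DNS cache), which is why they complement rather than replace network telemetry.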
The post Hackers Patch termsrv.dll to Maintain Multiple RDP Sessions On Victim Hosts appeared first on Cyber Security News.
