Cloud Atlas Upgrades Arsenal: Novel Backdoors and Stealth RDP Patching for Cyber-Espionage
Between 2025 and 2026, the Cloud Atlas APT deployed previously undocumented backdoors, VBCloud and PowerShower, alongside modified system libraries to enable m…

Between the second half of 2025 and the early months of 2026, the Cloud Atlas APT launched a cyber-espionage campaign targeting government agencies and commercial enterprises in Russia and Belarus. During this operation, the group refreshed its toolkit with previously undocumented malware. The introduction of the VBCloud and PowerShower backdoors, a multi-functional persistence script, and modified legitimate utilities for evasion demonstrates a meticulous approach to maintaining long-term access. The evolution is not found in attack volume, but in the sophistication of post-compromise activity, where Cloud Atlas has learned to mask malicious operations as routine system maintenance.
- VBCloud and PowerShower are two newly identified backdoors: the former exfiltrates documents via RC4 to C2 servers, while the latter conducts Active Directory reconnaissance, Kerberoasting, and credential theft via Volume Shadow Copies.
- The fixed.ps1 script manages persistence (using a Registry Run key named "YandexBrowser_setup"), displays decoy PDFs, performs anti-forensic cleanup, and delivers subsequent payloads.
- Attackers patched termsrv.dll by replacing a specific byte sequence to enable invisible multi-session RDP, allowing lateral movement without alerting the logged-in user.
- Modified OpenSSH binaries were found to load syruntime.dll instead of libcrypto.dll, while command traffic utilized reverse SSH tunnels, RevSocks, and in some instances, Tor Hidden Services.
From Phishing to Persistence: The fixed.ps1 Chain
Phishing remains the primary entry vector, often utilizing ZIP archives containing LNK files. These shortcuts execute PowerShell commands to download and run scripts hosted on external resources. Kaspersky also reports the continued use of documents exploiting CVE-2018-0802—a vulnerability in the Microsoft Office Equation Editor patched nearly seven years ago—suggesting the group favors reliable, legacy vectors that remain effective in unpatched environments.
The technical shift is most evident in the intermediate payload. Once executed, the fixed.ps1 script copies itself to %temp%, creates the Run\YandexBrowser_setup registry key for auto-start, and opens a decoy PDF to deceive the user. It then systematically deletes forensic artifacts—including rar.zip, *.pdf.zip, and *.pdf.lnk—before installing VBCloud and PowerShower. This orchestrator blends persistence, social engineering, and trace removal into a single automated flow.
"In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus."
— Kaspersky Securelist
VBCloud and PowerShower: Dual-Track Backdoors
VBCloud is built on two components: video.vbs, an RC4 loader with a hardcoded key, and video.mds, the encrypted backdoor body. Once loaded into memory, the VBCloud::Backdoor module connects to its C2 server and scans for specific file types: DOC, PDF, and XLS. Exfiltration occurs through the established RC4 channel. Choosing a VBS format combined with an encrypted payload aligns with Cloud Atlas’s strategy of hiding malicious code within seemingly innocuous scripts.
PowerShower, typically located at C:\Users\[username]\Pictures\googleearth.ps1, serves a different operational purpose. It is designed for network reconnaissance, lateral movement, and Kerberoasting attacks. The backdoor also fetches additional scripts for credential harvesting: it creates a Volume Shadow Copy of the C: drive, copies SAM and SECURITY files (renaming them with a .pdf extension), and uses fodhelper.exe for a UAC bypass to execute PowerShell with elevated privileges. The combination of shadow copies and file-extension masking epitomizes the group’s philosophy of weaponizing legitimate Windows mechanisms against defenders.
RDP Patching and Hidden OpenSSH Tunnels
One of the most distinctive indicators is the rdp_new.ps1 script (MD5: 1A11B26DD0261EF27A112CE8B361C247). The script searches the termsrv.dll library for the byte sequence 39 81 3C 06 00 00 and replaces it with B8 00 01 00 00 89 81 38 06 00 00 90. This modification forces Windows 10 to accept multiple simultaneous RDP sessions without notifying the active user. After patching, the script restarts the RDP service, effectively creating a stealthy gateway for lateral movement.
For remote control, Cloud Atlas utilized three overlapping channels. The primary method involved reverse SSH tunnels managed by VBS scripts (Gen.vbs, Run.vbs, Kill.vbs) executed via PAExec/PsExec, with persistence maintained through Windows scheduled tasks. A subtle detail involves the OpenSSH binaries: import tables were modified to load syruntime.dll instead of libcrypto.dll, likely to bypass signature-based detection or library integrity checks. This was supplemented by RevSocks (a Go-based tunneling tool) and Tor Hidden Services for direct host control.
Detection and Mitigation Strategies
- Monitor outbound SSH traffic to uncatalogued endpoints and watch for anomalies in ssh.exe or sshd.exe behavior, particularly when spawned by parent processes like PAExec, PsExec, or wscript.exe with VBS arguments.
- Implement detection for unauthorized modifications to termsrv.dll. Regularly verify the integrity of the critical byte sequence used for RDP session control; simple hash checks may not be sufficient, so specific byte-pattern rules are required.
- Inspect Run registry keys and scheduled tasks for plausible but unverified names ("YandexBrowser_setup" is a documented example) and correlate them with the presence of PowerShell scripts in user directories like Pictures or Downloads.
- Review post-compromise detection policies: Cloud Atlas payloads focus on maintenance and stealth rather than immediate impact. Defenses must cover the entire lifecycle, including the maintenance phase of an intrusion.
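As an added file-level triage example (not code from the Kaspersky report or from Cloud Atlas tooling), the following Python applies two of the checks above: it classifies a termsrv.dll image by the byte sequences quoted in the RDP patching section, and it lists the DLL names referenced from an OpenSSH binary to flag the syruntime.dll substitution. The string-based import scan, the file-name routing in scan_file, and the assumption that the termsrv.dll sequences apply only to the Windows 10 build the report describes are mine.

```python
import re
import sys

# Byte sequences quoted in the write-up for the Windows 10 termsrv.dll patch.
TERMSRV_ORIGINAL = bytes.fromhex("39813C060000")
TERMSRV_PATCHED = bytes.fromhex("B80001000089813806000090")


def classify_termsrv(data: bytes) -> str:
    """Classify a termsrv.dll image by the presence of the known byte patterns.

    Assumption: the sequences are build-specific; "unknown" means this baseline
    does not apply and a per-build reference copy is needed instead.
    """
    if TERMSRV_PATCHED in data:
        return "patched"
    if TERMSRV_ORIGINAL in data:
        return "original"
    return "unknown"


# Import descriptors point at NUL-terminated ASCII DLL names inside the image,
# so a string scan is a cheap triage (not a full PE import-directory parse).
DLL_NAME_RE = re.compile(rb"[A-Za-z0-9_.\-]+\.dll\x00", re.IGNORECASE)


def referenced_dlls(data: bytes) -> set:
    """Return the lower-cased DLL names found as NUL-terminated strings."""
    return {m.group(0)[:-1].decode("ascii").lower() for m in DLL_NAME_RE.finditer(data)}


def check_openssh_imports(data: bytes) -> list:
    """Flag the syruntime.dll-for-libcrypto.dll swap reported for the OpenSSH binaries."""
    names = referenced_dlls(data)
    findings = []
    if "syruntime.dll" in names:
        findings.append("references syruntime.dll (reported stand-in for libcrypto.dll)")
    if not any(n.startswith("libcrypto") for n in names):
        findings.append("no libcrypto*.dll reference found")
    return findings


def scan_file(path: str) -> str:
    """Route a file to the matching check by name and return a one-line verdict."""
    with open(path, "rb") as f:
        data = f.read()
    if path.lower().endswith("termsrv.dll"):
        return f"{path}: termsrv {classify_termsrv(data)}"
    return f"{path}: {'; '.join(check_openssh_imports(data)) or 'no findings'}"


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(scan_file(p))
```

Run it against copies of termsrv.dll and the OpenSSH binaries collected from a host; a "patched" verdict or a syruntime.dll reference is a lead for the behavioral checks in the list above, not proof on its own.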
The "Invisible Maintenance" Method
Cloud Atlas has not revolutionized its modus operandi, but rather refined it to be nearly indistinguishable from normal system activity. The patching of termsrv.dll, the modification of OpenSSH imports, and the use of the "YandexBrowser_setup" name for persistence all point toward a focus on longevity over initial shock. This is the hallmark of a veteran APT that understands the value of compromised access is measured in months, not minutes.
For organizations defending sensitive infrastructure, the takeaway is that the primary threat is no longer just the initial payload, but the post-compromise behavior that mimics administrative maintenance. Recognizing the difference requires shifting detection focus from static files to behavioral flows—identifying sequences of actions that no legitimate administrator would perform in that specific order, frequency, or toward those specific endpoints.
FAQ
- Why does Cloud Atlas continue to use CVE-2018-0802 years after a patch was released?
- The group calculates that in many enterprise environments, legacy systems remain unpatched or updates are delayed due to compatibility concerns. It is a choice of operational efficiency over technical novelty.
- Does the termsrv.dll patch require administrative privileges?
- Yes, modifying system libraries and restarting the RDP service requires elevated access. This indicates that Cloud Atlas either possesses compromised credentials or utilizes a local privilege escalation (LPE) vulnerability.
- Can the modified OpenSSH binaries be detected by standard security tools?
- Hash-based detection may fail if the primary binary's code section remains unchanged while only the import table is altered. Detection requires dynamic dependency integrity checks or behavioral analysis of anomalous DLL loading.