Gbhackers
Cloud Atlas APT Group Exploits CVE-2018-0802 and Modifies termsrv.dll for RDP Access
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
The Cloud Atlas APT group has been observed employing a sophisticated cyber espionage campaign targeting government and commercial entities in Russia and Belarus. This campaign, active since 2025 and continuing into 2026, utilizes a combination of phishing emails and exploits, notably the CVE-2018-0802 vulnerability in Microsoft Office. Attackers distribute ZIP files containing malicious LNK shortcuts that execute PowerShell scripts to establish persistence and deploy backdoors like VBCloud and PowerShower. A significant tactic involves modifying the termsrv.dll file to enable multiple simultaneous Remote Desktop Protocol (RDP) sessions, allowing attackers to operate undetected. The group also employs reverse SSH tunnels for command and control, enhancing their stealth. Current observations indicate ongoing activity with no signs of abatement.
Key Points: • Cloud Atlas APT group targets Russian and Belarusian entities using advanced techniques. • Exploitation of CVE-2018-0802 allows attackers to deliver malicious payloads via Office documents. • Modification of termsrv.dll enables multiple RDP sessions, facilitating covert access.