Cloud Atlas APT Group Exploits CVE-2018-0802 and Modifies termsrv.dll for RDP Access

Cloud Atlas APT Group Exploits CVE-2018-0802 and Modifies termsrv.dll for RDP Access

First seen 25 May 2026, 17:02 UTC Gbhackerssecurelist.ruCybersecuritynews 87% similarity 75.5

Article Content

Browse articles
ThreatCluster

The Cloud Atlas APT group has been observed employing a sophisticated cyber espionage campaign targeting government and commercial entities in Russia and Belarus. This campaign, active since 2025 and continuing into 2026, utilizes a combination of phishing emails and exploits, notably the CVE-2018-0802 vulnerability in Microsoft Office. Attackers distribute ZIP files containing malicious LNK shortcuts that execute PowerShell scripts to establish persistence and deploy backdoors like VBCloud and PowerShower. A significant tactic involves modifying the termsrv.dll file to enable multiple simultaneous Remote Desktop Protocol (RDP) sessions, allowing attackers to operate undetected. The group also employs reverse SSH tunnels for command and control, enhancing their stealth. Current observations indicate ongoing activity with no signs of abatement.

Key Points: • Cloud Atlas APT group targets Russian and Belarusian entities using advanced techniques. • Exploitation of CVE-2018-0802 allows attackers to deliver malicious payloads via Office documents. • Modification of termsrv.dll enables multiple RDP sessions, facilitating covert access.

ThreatCluster AI

Timeline

2018-01-10
CVE-2018-0802 published
A vulnerability in Microsoft Office's Equation Editor was disclosed, allowing remote code execution.
Securelist
2021-11-03
CVE-2018-0802 added to CISA KEV
The CVE was recognized for active exploitation, prompting security advisories.
Securelist
2025-01-01
Cloud Atlas campaign observed
The group began using modified techniques to target organizations in Russia and Belarus.
Gbhackers
2026-05-25
Current activity reported
Cloud Atlas continues to leverage RDP modifications and phishing tactics to infiltrate systems.
Gbhackers

Community

Browse all →