APT Group Patches termsrv.dll to Enable Multiple RDP Sessions
ID: 02b6a597-194a-5bc3-bc69-a15a634ae5c1
STIX ID: report--02b6a597-194a-5bc3-bc69-a15a634ae5c1
Feed Name: GBHackers
A Cloud Atlas APT campaign (active 2025–2026) targets government and commercial entities in Russia and Belarus using phishing ZIPs containing malicious LNKs and documents weaponized with CVE-2018-0802 to execute PowerShell loaders (fixed.ps1) that deploy two backdoors: VBCloud for file theft and PowerShower for reconnaissance and lateral movement. Operators modify termsrv.dll to enable stealthy concurrent RDP sessions, establish persistent reverse tunnels (SSH/RevSocks/Tor), perform Kerberoasting and UAC bypasses for credential theft, and exfiltrate data (including via Google Sheets), demonstrating sophisticated, persistent espionage-focused capabilities.
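The report's most host-visible artefact is the patched termsrv.dll. The following PowerShell is an added defender-side check, not code from the report or from GBHackers: it verifies the Authenticode/catalog signature and hash of the live termsrv.dll, reads the documented Terminal Server registry values that govern session limits, counts active sessions, and lists recent RDP (logon type 10) logons from the Security log. Function names are my own; the registry value names, event ID and property indices are standard Windows ones. Run it in an elevated PowerShell on the host under review.

```powershell
# Added example: integrity and session checks for the termsrv.dll patching
# technique described above. Hypothetical function names; Windows values are real.

function Get-TermsrvIntegrity {
    # A byte-patched termsrv.dll no longer matches its catalog signature:
    # Status becomes HashMismatch (or NotSigned) instead of Valid.
    $dll  = Join-Path $env:SystemRoot 'System32\termsrv.dll'
    $sig  = Get-AuthenticodeSignature -FilePath $dll
    $item = Get-Item -Path $dll
    [pscustomobject]@{
        Path        = $dll
        FileVersion = $item.VersionInfo.FileVersion
        LastWrite   = $item.LastWriteTime
        SHA256      = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Suspicious  = ($sig.Status -ne 'Valid')
    }
}

function Get-RdpSessionState {
    # fSingleSessionPerUser = 1 is the default. The DLL patch bypasses the
    # edition-based session limit rather than this value, so record both the
    # registry state and the number of sessions actually active right now.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $active = @(query session 2>$null | Select-String -Pattern 'Active').Count
    [pscustomobject]@{
        SingleSessionPerUser = $ts.fSingleSessionPerUser
        DenyTSConnections    = $ts.fDenyTSConnections
        ActiveSessions       = $active
    }
}

function Get-RecentRdpLogons {
    param([int]$Hours = 24)
    # Security event 4624 with LogonType 10 (RemoteInteractive) is an RDP logon.
    # Property indices follow the 4624 event schema: 5 = TargetUserName,
    # 6 = TargetDomainName, 8 = LogonType, 18 = IpAddress.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
                Source = $_.Properties[18].Value
            }
        }
}

# Usage: collect all three views; a non-Valid signature, a changed LastWrite on
# termsrv.dll, or more concurrent sessions than the edition allows merits a closer look.
Get-TermsrvIntegrity | Format-List
Get-RdpSessionState  | Format-List
Get-RecentRdpLogons -Hours 72 | Sort-Object Time | Format-Table -AutoSize

# Optional: have Windows itself re-verify the file against the component store.
# & sfc.exe /scanfile=$env:SystemRoot\System32\termsrv.dll
```

Baseline the SHA256 and FileVersion against a known-good host at the same patch level rather than against a fixed value, since termsrv.dll changes with cumulative updates; the signature status is the check that holds across versions.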
