Redazione RHC : 11 October 2025 21:41
In the United States, a large-scale, coordinated botnet campaign is targeting Remote Desktop Protocol (RDP)-based services.
The scale and organizational structure of this campaign pose a significant threat, especially to organizations that rely on RDP for their day-to-day operations.
Security firm GreyNoise reported tracking a significant wave of attacks originating from more than 100,000 unique IP addresses in more than 100 countries.
The operation appears to be centrally controlled, with the primary goal of compromising RDP infrastructure, a critical component for remote work and remote administration.
This initial finding prompted a broader analysis, which quickly identified similar spikes in activity originating from a multitude of countries, including Argentina, Iran, China, Mexico, Russia, and South Africa.
Despite their different geographic origins, the attacks share a common target: RDP services in the United States.
Analysts assess with high confidence that this activity is the work of a single, large-scale botnet. This conclusion is supported by the fact that nearly all participating IPs share a similar TCP signature, which suggests a common toolset and a centralized command-and-control structure orchestrating the attacks.
The threat actors behind this campaign are using two specific attack vectors to identify and compromise vulnerable systems.
The first is an RD Web Access timing attack, in which the attacker measures how long the server takes to respond to a login attempt and uses that difference to tell valid usernames from invalid ones, without ever authenticating.
The second vector is RDP web client login enumeration, which systematically guesses user credentials against the web client login page. Together, these methods allow the botnet to efficiently scan for and identify exploitable RDP access points without immediately triggering standard security alerts.
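To make the timing-attack vector concrete, the following is an added example written for this article; it is not code from GreyNoise, from RD Web Access, or from the campaign itself. It models the generic flaw behind username timing attacks on a constructed toy login backend: the expensive password check only runs when the username exists, so an unauthenticated probe that measures response time can separate valid from invalid usernames. The user database, passwords, PBKDF2 iteration count and the `ratio`/`min_delta` thresholds are all assumptions chosen for the demo, and a hardened handler that always pays for the hash is shown beside the leaky one.

```python
import hashlib
import hmac
import secrets
import statistics
import time

# Constructed demo backend, NOT RD Web Access. It reproduces the generic
# pattern behind username timing attacks: password verification only runs
# when the username exists, so unknown users are rejected much faster.
PBKDF2_ITERATIONS = 100_000  # assumption: enough work to dwarf a dict lookup
_SALT = b"constructed-salt"  # constructed; a real system uses per-user salts


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user database (usernames and passwords are made up).
USERS = {
    "alice": _hash_password("correct horse", _SALT),
    "bob": _hash_password("battery staple", _SALT),
}
_DUMMY_HASH = _hash_password("unused", _SALT)  # burned on unknown-user paths


def login_leaky(username: str, password: str) -> bool:
    """Vulnerable: unknown users return before the expensive hash, so the
    response time reveals whether the username exists."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash_password(password, _SALT))


def login_constant(username: str, password: str) -> bool:
    """Hardened: always compute the hash, then reject unknown users, so
    valid and invalid usernames take the same time to fail."""
    stored = USERS.get(username, _DUMMY_HASH)
    candidate = _hash_password(password, _SALT)
    ok = hmac.compare_digest(stored, candidate)
    return ok and username in USERS  # the final check defeats a "unused" guess


def _median_seconds(handler, username: str, samples: int = 3) -> float:
    """Median wall-clock time of `samples` failed logins for one username."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        handler(username, "wrong-password")
        times.append(time.perf_counter() - start)
    return statistics.median(times)


def enumerate_by_timing(handler, candidates, ratio: float = 2.0,
                        min_delta: float = 0.001) -> set:
    """Attacker side: return the candidates whose failed login is both
    `ratio` times slower and at least `min_delta` seconds slower than a
    username that certainly does not exist. The relative test protects the
    hardened server from noise; the absolute test protects the leaky server's
    fast path, where microsecond jitter would otherwise look like a 2x gap."""
    baseline = _median_seconds(handler, "no-such-user-" + secrets.token_hex(8))
    found = set()
    for user in candidates:
        t = _median_seconds(handler, user)
        if t > ratio * baseline and t - baseline > min_delta:
            found.add(user)
    return found


if __name__ == "__main__":
    wordlist = ["admin", "alice", "bob", "carol"]  # constructed candidate list
    print("leaky    :", sorted(enumerate_by_timing(login_leaky, wordlist)))
    print("hardened :", sorted(enumerate_by_timing(login_constant, wordlist)))
```

Against the leaky handler the probe recovers exactly the existing accounts from the wordlist without a single successful login; against the hardened handler it recovers nothing, because every failed attempt costs one PBKDF2 run regardless of whether the username exists.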
The synchronized use of these specific and non-trivial attack methods on such a large number of nodes further indicates a coordinated operation managed by a single operator or group.
In response to this persistent threat, GreyNoise has published specific recommendations for network security managers.
The company recommends that organizations proactively monitor their security logs for any unusual RDP probes or failed login attempts that match the patterns of this campaign.
For more direct protection, GreyNoise has created a dynamic blocklist template, named “microsoft-rdp-botnet-oct-25,” available through its platform.
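The monitoring GreyNoise recommends can be turned into a concrete check. The following is an added example written for this article, not a GreyNoise tool or a rule from its platform. It parses constructed IIS W3C log lines modelled on an RD Web Access server and flags ten-minute windows in which unauthenticated login POSTs arrive from many distinct source addresses with only a few attempts each, the low-and-slow footprint a large botnet leaves when its attempts are spread across its nodes. The sample lines, the login paths (`/RDWeb/Pages/en-US/login.aspx` and `/RDWeb/webclient/`), and the `min_ips`/`max_per_ip` thresholds are assumptions; tune them to your own baseline. The flagged source IPs can feed a local blocklist alongside the GreyNoise template.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed IIS W3C log excerpt modelled on an RD Web Access front end.
# These are made-up sample lines, not data captured from the campaign.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status time-taken
2025-10-08 02:00:01 POST /RDWeb/Pages/en-US/login.aspx - 203.0.113.10 200 412
2025-10-08 02:00:02 POST /RDWeb/Pages/en-US/login.aspx - 203.0.113.11 200 18
2025-10-08 02:00:03 POST /RDWeb/Pages/en-US/login.aspx - 198.51.100.7 200 401
2025-10-08 02:00:04 POST /RDWeb/Pages/en-US/login.aspx - 198.51.100.8 200 21
2025-10-08 02:00:05 POST /RDWeb/webclient/index.html - 192.0.2.55 200 15
2025-10-08 02:00:06 POST /RDWeb/Pages/en-US/login.aspx - 203.0.113.12 200 19
2025-10-08 02:00:07 POST /RDWeb/Pages/en-US/login.aspx - 203.0.113.13 200 20
2025-10-08 02:00:08 POST /RDWeb/Pages/en-US/login.aspx - 198.51.100.9 200 398
2025-10-08 09:15:00 POST /RDWeb/Pages/en-US/login.aspx - 10.0.0.5 302 405
2025-10-08 09:15:30 GET /RDWeb/Pages/en-US/Default.aspx CORP\\jdoe 10.0.0.5 200 12
"""

# Assumed endpoints hit by the two vectors (RD Web Access login page and the
# RDP web client); compared case-insensitively because IIS paths are.
LOGIN_PATHS = ("/rdweb/pages/en-us/login.aspx", "/rdweb/webclient/")


def parse_iis(log_text: str) -> list:
    """Turn W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def is_login_probe(row: dict) -> bool:
    """An unauthenticated POST to one of the RD Web login endpoints."""
    return (row["cs-method"] == "POST"
            and row["cs-uri-stem"].lower().startswith(LOGIN_PATHS))


def find_distributed_spray(rows: list, window_minutes: int = 10,
                           min_ips: int = 5, max_per_ip: int = 3) -> list:
    """Flag tumbling windows where login POSTs come from at least `min_ips`
    distinct sources, none of which exceeds `max_per_ip` attempts. A single
    noisy client trips per-IP lockouts; a botnet spreading attempts across
    many addresses does not, which is what this heuristic is tuned for."""
    buckets = defaultdict(list)
    for row in rows:
        if not is_login_probe(row):
            continue
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        buckets[start].append(row)

    alerts = []
    for start, probes in sorted(buckets.items()):
        per_ip = Counter(r["c-ip"] for r in probes)
        if len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
            durations = sorted(int(r["time-taken"]) for r in probes)
            alerts.append({
                "window_start": start.isoformat(),
                "attempts": len(probes),
                "distinct_ips": len(per_ip),
                "max_per_ip": max(per_ip.values()),
                # min/max server time per attempt; a wide spread on the same
                # endpoint is worth a closer look when timing probing is suspected
                "time_taken_ms": (durations[0], durations[-1]),
                "source_ips": sorted(per_ip),  # candidates for a local blocklist
            })
    return alerts


if __name__ == "__main__":
    for alert in find_distributed_spray(parse_iis(SAMPLE_LOG)):
        print(alert)
```

On the sample, the 02:00 window is flagged (eight attempts from eight addresses, one attempt each), while the 09:10 window, a single internal client that logs in successfully, is not. The per-IP cap is the important knob: raising it turns the rule into a plain brute-force detector, which the campaign's distribution across more than 100,000 addresses is designed to evade.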