October 21, 2025
Severity
High
Analysis Summary
A large-scale and persistent cyber campaign is actively targeting Microsoft Remote Desktop Protocol (RDP) services, deploying over 30,000 new IP addresses daily to exploit timing-based authentication vulnerabilities. Since September 2025, more than 500,000 unique IPs have been detected as part of this operation. Attackers focus on two core vectors: RD Web Access anonymous authentication timing attacks and RDP web client login enumeration. These techniques allow adversaries to stealthily probe credentials and response behaviors without triggering conventional security alerts, using rapid IP rotation to bypass static IP blocks and automated defenses.
The researcher first identified the expanding scale of this botnet on October 8, 2025, when traffic from Brazil surged dramatically. The botnet's infrastructure showed identical TCP fingerprints across thousands of endpoints, indicating centralized coordination, most likely by a single threat actor or organized group. By October 14, the number of participating IPs had tripled to nearly 300,000, sourced from over 100 countries. Brazil accounts for 63% of attacking IPs, followed by Argentina (14%) and Mexico (3%), while U.S.-based systems are the primary targets.
The researcher's activity charts show relentless attack patterns, with newly observed IPs peaking above 40,000 per day in mid-October. Cumulative graphs highlight a sharp rise, surpassing 500,000 IPs by October 15 and demonstrating large-scale infrastructure churn. This attack model relies on disposable botnet nodes, enabling attackers to evade blacklists, complicate attribution, and maintain pressure. Experts warn that traditional defense mechanisms, such as static IP blocking, are largely ineffective because malicious IPs turn over quickly and new nodes are activated automatically.
This ongoing campaign underscores a growing trend of massive, globally distributed botnets exploiting RDP as a primary entry point for ransomware and breaches. U.S. organizations relying heavily on remote access face increased exposure. Security researchers urge immediate adoption of intelligence-driven defenses, including detailed log monitoring, behavioral analytics, and rate-limiting for RDP endpoints. As the operation continues scaling from 100,000 to over 500,000 IPs, proactive mitigation is essential to prevent widespread compromise and disruption across critical infrastructure.
Impact
- Gain Access
Remediation
- Disable RDP if not required or restrict its use to only essential systems and users.
- Enforce Multi-Factor Authentication (MFA) for all RDP logins to prevent credential-based access, even if usernames/passwords are compromised.
- Implement RDP access through VPN or secure gateways only, blocking direct exposure of RDP services to the internet.
- Apply account lockout policies and login attempt rate-limiting to prevent timing-based authentication abuse and brute-force enumeration.
- Whitelist trusted IP addresses using firewall rules or geo-restrictions, especially blocking high-risk regions if access isn’t required.
- Deploy intelligence-driven dynamic IP blocking using threat feeds (e.g., GreyNoise) instead of static IP denial lists due to rapid IP rotation.
- Continuously monitor RDP logs and firewall events for unusual login timings, rapid session attempts, or GreyNoise-tagged IPs.
- Use Network Level Authentication (NLA) to ensure unauthorized users cannot request full RDP sessions.
- Enable account audit policies and event logging, forwarding data to SIEM tools for correlation and detection of distributed login attempts.
- Enable RD Gateway auditing and limit authentication exposure, preventing anonymous timing response leaks.
- Patch and update all RDP-related services and Windows servers regularly to mitigate known vulnerabilities.
- Deploy honeypots or deception environments to identify active probing and tag malicious IPs for preemptive blocking.
- Apply strict password policies (length, complexity, expiration) to reduce credential-guessing success rates.
- Segment networks and isolate RDP-accessible systems to minimize lateral movement post-compromise.
- Block unused TCP ports (especially 3389) at the network edge and only open them when necessary via controlled mechanisms.
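The log-monitoring and SIEM-correlation items above hinge on one observation from the analysis: each disposable node makes only a handful of attempts, so per-IP lockout and static blocking never fire, while the aggregate across IPs is enormous. The following Python is an added example (not from the advisory or any vendor tool) of a correlation rule that flags exactly that distributed, low-per-IP pattern over failed-logon records; the record layout, thresholds and sample addresses are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records, modelled on fields a SIEM would
# extract from Windows Security Event ID 4625 (assumed layout: timestamp, source
# IP, target account). Addresses come from documentation ranges, not real IOCs.
T0 = datetime(2025, 10, 14, 9, 0, 0)
SAMPLE_EVENTS = (
    # 60 disposable nodes, one attempt each, inside the first 10 minutes
    [(T0 + timedelta(seconds=9 * i), f"203.0.113.{i + 1}", "administrator")
     for i in range(60)]
    # a legitimate user mistyping a password three times from one address
    + [(T0 + timedelta(seconds=200 + 30 * i), "198.51.100.7", "jdoe")
       for i in range(3)]
    # 15 minutes later the botnet rotates to 30 entirely fresh addresses
    + [(T0 + timedelta(minutes=15, seconds=5 * i), f"203.0.113.{100 + i}",
        f"user{i}") for i in range(30)]
    # a classic single-source brute force: caught by lockout, not by this rule
    + [(T0 + timedelta(minutes=40, seconds=i), "198.51.100.9", "svc_backup")
       for i in range(50)]
)


def detect_distributed_attempts(events, window=timedelta(minutes=10),
                                min_distinct_ips=20, lockout_threshold=5):
    """Flag fixed windows where many distinct source IPs each stay below the
    lockout threshold; new_ip_ratio measures how fast the IP pool churns."""
    start = min(ts for ts, _, _ in events)
    buckets = defaultdict(lambda: defaultdict(int))  # slot -> ip -> attempts
    accounts = defaultdict(set)                     # slot -> accounts tried
    for ts, src_ip, account in events:
        slot = (ts - start) // window               # integer window index
        buckets[slot][src_ip] += 1
        accounts[slot].add(account)
    alerts, seen_before = [], set()
    for slot in sorted(buckets):
        per_ip = buckets[slot]
        new_ips = set(per_ip) - seen_before
        seen_before |= set(per_ip)
        # high aggregate, but every single IP slips under the lockout limit
        if len(per_ip) >= min_distinct_ips and max(per_ip.values()) < lockout_threshold:
            alerts.append({
                "window_start": start + slot * window,
                "distinct_ips": len(per_ip),
                "attempts": sum(per_ip.values()),
                "max_per_ip": max(per_ip.values()),
                "distinct_accounts": len(accounts[slot]),
                "new_ip_ratio": len(new_ips) / len(per_ip),
            })
    return alerts
```

Running it over the sample yields two alerts (the initial wave and the rotated wave, both with a new_ip_ratio of 1.0) and none for the single-source brute force, which existing lockout policy already handles.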