Severity
High
Analysis Summary
In a newly uncovered espionage campaign beginning in October 2024, hackers linked to Russian state actors, as identified by the Threat Intelligence Group (TIG), have been exploiting lesser-known features of the Windows Remote Desktop Protocol (RDP) to infiltrate European government and military systems. The attackers deploy phishing emails with attached .rdp files that, once opened, initiate remote sessions to attacker-controlled servers. Crucially, these sessions bypass the usual RDP warnings, enabling stealthy data access without alerting users.
According to the researcher, TIG has labeled this method "Rogue RDP" because it covertly abuses legitimate features such as resource redirection, allowing attackers to access sensitive components such as file systems, clipboard content, and system variables under the pretense of a routine application check.
The .rdp files, which were signed using valid SSL certificates to avoid detection, were distributed through emails impersonating trusted companies like Amazon and Microsoft. Two major attack vectors were observed: Drive and Clipboard Redirection, which exposed users’ entire file systems and copied credentials, and Deceptive RemoteApps, which presented a fake local application called “AWS Secure Storage Connection Stability Test” that actually ran from attacker infrastructure. This RemoteApp used Windows environment variables like %USERPROFILE% and %COMPUTERNAME% to gather system-level data without deploying traditional malware, significantly lowering the operation’s forensic footprint and complicating detection efforts.
The campaign may have leveraged tools such as PyRDP, an open-source RDP proxy that can hijack sessions, steal credentials, capture clipboard content, and automate file exfiltration, although there is no direct attribution of this tool to the campaign. Nonetheless, the alignment between PyRDP's capabilities and the observed attack techniques suggests its possible use or influence. The stealthy nature of the campaign, with minimal use of conventional malware and an emphasis on abusing legitimate RDP functions, marks a growing trend in cyber espionage where native system tools are repurposed for persistent access.
To defend against such threats, multiple mitigation strategies are recommended: enforcing Network Level Authentication (NLA), disabling drive and clipboard redirection, and blocking execution of .rdp files from untrusted sources via Group Policy. Organizations are urged to monitor registry paths like HKEY_USERS\...\Terminal Server Client\Servers for suspicious IPs and usernames, watch for .tmp files in %APPDATA%\Local\Temp, and investigate unusual behavior from mstsc.exe. Enhanced logging of RDP session activity, coupled with user training on identifying phishing attachments, especially .rdp files, is essential. As this campaign demonstrates, attackers continue to evolve by exploiting legitimate tools for stealthy and resilient cyber operations, emphasizing the need for proactive and adaptive defense mechanisms.
Impact
- Sensitive Information Theft
- Unauthorized Access
- Security Bypass
Remediation
- Require NLA for all RDP connections to ensure only authenticated users can establish sessions.
- Use Group Policy to prevent users from opening .rdp files from unknown or untrusted sources.
- Prevent mapping of local drives to remote RDP sessions to block file system exposure.
- Disable clipboard sharing between local and remote machines to avoid credential and data leakage.
- Configure systems to accept only .rdp files signed by trusted certificates.
- Regularly check the registry path HKEY_USERS\...\Terminal Server Client\Servers for suspicious IP addresses and usernames.
- Look for .tmp files created by mstsc.exe.
- Detect file writes or unusual operations initiated by the Remote Desktop client process (mstsc.exe).
- Implement advanced logging for RDP activity, including file creation events during remote sessions.
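As an added example (not code from the advisory or from any referenced tool), the following triage helper parses an .rdp attachment and flags the settings the campaign relies on: drive and clipboard redirection, RemoteApp mode, suppressed server-authentication warnings, and the presence of a signature that still needs its signer checked. The sample .rdp content, its hostname and the signature value are constructed placeholders.

```python
# Triage an .rdp attachment for the Rogue RDP settings described above.
# The format is plain text, one `name:type:value` entry per line (type `s` or `i`).
# Added defensive helper; not code from the advisory or any referenced tool.
from typing import Dict, List

# Constructed sample resembling the lure described above (not a real capture).
SAMPLE_RDP = """\
full address:s:aws-storage-test.example.invalid:3389
remoteapplicationmode:i:1
remoteapplicationname:s:AWS Secure Storage Connection Stability Test
remoteapplicationprogram:s:||AWSTest
drivestoredirect:s:*
redirectclipboard:i:1
authentication level:i:0
signscope:s:Full Address,Remote Application Mode,Drive Store Redirect
signature:s:PLACEHOLDER_BASE64_SIGNATURE_BLOB
"""


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse `name:type:value` lines into a dict keyed by lower-cased setting name."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)  # value may contain ':' (host:port)
        if len(parts) == 3:
            name, _type, value = parts
            settings[name.strip().lower()] = value.strip()
    return settings


def assess_rdp(text: str) -> List[str]:
    """Return findings for settings matching the redirection / RemoteApp abuse pattern."""
    s = parse_rdp(text)
    findings: List[str] = []
    if s.get("drivestoredirect"):
        findings.append(f"drive redirection exposes local drives: {s['drivestoredirect']!r}")
    if s.get("redirectclipboard") == "1":
        findings.append("clipboard redirection enabled")
    if s.get("remoteapplicationmode") == "1":
        findings.append(f"RemoteApp mode; app name {s.get('remoteapplicationname', '')!r}")
    if s.get("authentication level") == "0":
        findings.append("server authentication warnings suppressed (authentication level 0)")
    if "signature" in s:
        findings.append("file is signed; verify the signer, a signature alone is not trust")
    return findings


if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE_RDP):
        print("-", finding)
```

Run it against quarantined .rdp attachments before they reach a user; an empty result means none of the flagged settings were present, not that the file is safe.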