State-Sponsored Hackers Exploit RDP Servers to Deploy Malware and Maintain Stealthy Access
A sophisticated cyber espionage campaign has been identified, targeting Remote Desktop Protocol (RDP) servers within critical infrastructure, defense sectors, and government agencies. The perpetrators, known as APT-C-13—also referred to as Sandworm, APT44, Seashell Blizzard, and Voodoo Bear—have been active since at least 2009. Their recent operations signify a strategic shift from overt, destructive attacks to covert, long-term infiltrations aimed at intelligence gathering.
Infection Vector:
The attack initiates through a deceptive ISO image labeled `Microsoft.Office.2025×64.v2025.iso`, disseminated via Telegram channels and software piracy forums, particularly in Ukraine. Upon mounting the image, users encounter executables such as `auto.exe` or `setup.exe`, which, when executed, discreetly deploy malicious loaders. This social engineering tactic exploits the trust associated with familiar software, facilitating the initial system compromise.
Modular Malware Deployment:
Once access is established, the attackers deploy a modular penetration framework known as the Tambur/Sumbur/Kalambur series. This toolkit enables the execution of various malicious modules tailored to the target environment. Analysts from the 360 Threat Intelligence Center have observed this campaign, noting a transition from immediate disruption tactics to sustained, intelligence-driven operations between 2024 and 2026. A notable incident involved a technician at a Ukrainian state-owned shipbuilding and machinery manufacturing plant, where the attackers had entrenched themselves deeply within the network.
Persistence Mechanisms:
The attackers employ sophisticated methods to maintain prolonged access:
– Scheduled Tasks: The Tambur module creates tasks named Tambur and Protector within the `\Microsoft\Windows\WDI\Protector\` directory, mimicking legitimate Windows Diagnostic Infrastructure components. These tasks run with administrative privileges, ensuring continuous access to the RDP service using a hardcoded password (`1qaz@WSX`).
– Covert Communication Channels: The Kalambur and Sumbur modules route command-and-control (C2) traffic through the Tor network, obscuring the attackers’ locations. Utilizing SSH reverse tunneling, they map the victim’s RDP port (3389) to a remote C2 server, enabling undetected remote logins. Sumbur further disguises its presence by emulating Microsoft Edge’s update service, storing malicious VBScripts in a counterfeit Edge update directory and executing them periodically to blend with legitimate activities.
– Memory-Resident Malware: The DemiMur module injects malicious code directly into system memory, leaving minimal traces on disk. This technique complicates detection and analysis, as the malware operates without creating conventional artifacts.
Implications and Challenges:
This campaign underscores a significant evolution in cyber threat tactics, emphasizing stealth and persistence over immediate disruption. By leveraging legitimate Windows tools and processes—such as scheduled tasks, SSH, PowerShell, and RDP—the attackers effectively evade standard antivirus and intrusion detection systems. The prolonged, covert nature of these infiltrations poses substantial challenges for organizations, as breaches may remain undetected for extended periods, allowing attackers to exfiltrate sensitive data and monitor internal communications.
Recommendations for Mitigation:
Organizations are advised to implement the following measures to defend against such sophisticated threats:
1. Regular Monitoring: Conduct continuous monitoring of system logs and network traffic to identify unusual activities, such as unauthorized scheduled tasks or unexpected RDP sessions.
2. Access Controls: Enforce strict access controls and limit RDP access to essential personnel. Implement multi-factor authentication to enhance security.
3. Patch Management: Keep all systems and software up to date with the latest security patches to mitigate vulnerabilities that could be exploited.
4. User Education: Educate employees about the risks of downloading and executing software from untrusted sources, emphasizing the dangers of social engineering tactics.
5. Endpoint Detection and Response (EDR): Deploy advanced EDR solutions capable of detecting and responding to in-memory threats and anomalous behaviors indicative of sophisticated malware.
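One way to implement the monitoring in item 1 against the persistence tradecraft described above (scheduled tasks planted under the Windows Diagnostic Infrastructure folder, and RDP logons that arrive through a local SSH reverse tunnel) is the following Python script. It is an added example, not code from the article or from the 360 Threat Intelligence Center; the record layouts, the `ResolutionHost` allowlist entry, and the loopback-source heuristic are assumptions, and the task inventory and logon events it runs over are constructed inline.

```python
"""Detection checks for two of the persistence techniques described in the article.

Added example, not the article's or the 360 Threat Intelligence Center's code.
Records are constructed to resemble a scheduled-task inventory (as exported by
schtasks /query /fo CSV) and Windows Security log 4624 events; field names are
assumptions about how such data would be normalised before analysis.
"""
from dataclasses import dataclass

# Task that ships under \Microsoft\Windows\WDI\ on stock Windows.
# Assumption: extend this allowlist from a known-good baseline of your own fleet.
KNOWN_WDI_TASKS = {"\\MICROSOFT\\WINDOWS\\WDI\\RESOLUTIONHOST"}
WDI_PREFIX = "\\MICROSOFT\\WINDOWS\\WDI\\"
# Task names reported for this campaign (Tambur module).
SUSPECT_TASK_NAMES = {"tambur", "protector"}
# An RDP logon whose source is the loopback address is consistent with the
# victim's 3389 port being reached through a local SSH reverse tunnel rather
# than by an interactive user on the network.
LOOPBACK_SOURCES = {"127.0.0.1", "::1"}
RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)


@dataclass
class TaskRecord:
    path: str     # full task path, e.g. \Microsoft\Windows\WDI\Protector\Tambur
    run_as: str   # account the task runs under
    action: str   # command the task executes


@dataclass
class LogonEvent:
    event_id: int
    logon_type: int
    source_ip: str
    account: str


def flag_tasks(tasks):
    """Return (task_path, reason) for tasks matching either heuristic."""
    findings = []
    for t in tasks:
        upper = t.path.upper()
        name = t.path.rsplit("\\", 1)[-1].lower()
        if upper.startswith(WDI_PREFIX) and upper not in KNOWN_WDI_TASKS:
            findings.append((t.path, "unexpected task under the WDI folder"))
        elif name in SUSPECT_TASK_NAMES:
            findings.append((t.path, "task name matches the reported campaign"))
    return findings


def flag_rdp_logons(events):
    """Return (account, source_ip) for successful RDP logons from loopback."""
    return [
        (e.account, e.source_ip)
        for e in events
        if e.event_id == 4624
        and e.logon_type == RDP_LOGON_TYPE
        and e.source_ip in LOOPBACK_SOURCES
    ]


# Constructed sample inventory: one legitimate WDI task, the two planted ones,
# an unrelated stock task, and a suspect name outside the WDI folder.
SAMPLE_TASKS = [
    TaskRecord("\\Microsoft\\Windows\\WDI\\ResolutionHost", "SYSTEM", "wdi"),
    TaskRecord("\\Microsoft\\Windows\\WDI\\Protector\\Tambur", "Administrators", "loader.exe"),
    TaskRecord("\\Microsoft\\Windows\\WDI\\Protector\\Protector", "Administrators", "loader.exe"),
    TaskRecord("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "SYSTEM", "defrag.exe"),
    TaskRecord("\\Updates\\Protector", "SYSTEM", "wscript.exe"),
]

# Constructed sample logon events: a normal RDP session from the LAN, a tunnelled
# one from loopback, a console logon (type 2) and a failed attempt (4625).
SAMPLE_LOGONS = [
    LogonEvent(4624, 10, "10.0.0.5", "CORP\\jdoe"),
    LogonEvent(4624, 10, "127.0.0.1", "WORKSTATION\\svc_rdp"),
    LogonEvent(4624, 2, "127.0.0.1", "WORKSTATION\\admin"),
    LogonEvent(4625, 10, "127.0.0.1", "WORKSTATION\\guest"),
]


if __name__ == "__main__":
    for path, reason in flag_tasks(SAMPLE_TASKS):
        print(f"[task] {path}: {reason}")
    for account, src in flag_rdp_logons(SAMPLE_LOGONS):
        print(f"[rdp] {account} logged on via loopback source {src}")
```

In production the two feeds would come from `schtasks /query /fo CSV /v` (or `Get-ScheduledTask`) and from Security log event 4624 with the `LogonType` and `IpAddress` fields; the allowlist should be generated from a clean reference build rather than hand-maintained, because the page's point is precisely that the planted tasks are named to look like stock WDI components.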
By adopting a comprehensive cybersecurity strategy that includes proactive monitoring, stringent access controls, regular updates, user education, and advanced detection tools, organizations can enhance their resilience against advanced persistent threats targeting RDP servers.