Massive Botnet Deploys Over 30,000 New IP Addresses Daily to Target Microsoft RDP Services

A sophisticated and persistent cyberattack campaign is currently targeting Microsoft Remote Desktop Protocol (RDP) services, with attackers deploying over 30,000 new IP addresses daily to exploit timing-based vulnerabilities. This coordinated effort, linked to a global botnet, has seen unique IPs surge past 500,000 since September 2025, primarily aiming at U.S.-based systems.

Understanding the Attack Vectors

The attackers focus on two primary methods to exploit RDP services:

1. RD Web Access Anonymous Authentication Timing Attacks: By analyzing the time it takes for the RD Web Access portal to respond to authentication requests, attackers can infer the validity of usernames without triggering standard security alerts.

2. RDP Web Client Login Enumeration Checks: This technique involves sending multiple login requests to the RDP web client and observing the system’s responses to determine valid usernames, again without setting off traditional intrusion detection systems.

These methods allow hackers to probe for weaknesses stealthily, using rapid IP rotations to evade conventional blocking tools.

The Scale of the Botnet

Security firm GreyNoise first identified the botnet’s scale on October 8, 2025, when a dramatic spike in Brazilian-sourced traffic revealed a pattern of similar TCP fingerprints across thousands of endpoints. By October 14, the botnet had expanded to approximately 300,000 IPs, tripling in size within days and originating from over 100 countries.

The geographical distribution of the attack sources is noteworthy:

– Brazil: 63%

– Argentina: 14%

– Mexico: 3%

Despite the diverse origins, nearly all targets are located in the United States. Sources spread across more than 100 countries converging on a single target country underscores the operation’s centralized control, likely orchestrated by a single threat actor or group.

Challenges in Mitigation

The rapid and continuous deployment of new IP addresses presents significant challenges for traditional defense mechanisms. Static IP blocking proves ineffective against this high-turnover botnet, as new nodes activate daily to sustain the attack. This campaign exemplifies a broader trend in which attackers use disposable infrastructure to frustrate attribution and evade blocking.
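The IP rotation described under the attack vectors and the failure of static blocking described here are two sides of the same detection problem: each source stays under any per-IP threshold, so the signal only appears when you count sources per time window rather than requests per source. The following Python script is an added illustration, not code from this article or from GreyNoise. It parses constructed IIS W3C log lines for the RD Web Access login form and flags windows in which many distinct client addresses each submit only a couple of login requests, then shows what a per-IP threshold would have caught on the same data. The log field layout, the login path, and the assumption that a failed form login re-renders the page (HTTP 200) while a success redirects (302) are assumptions made for the example.

```python
"""Spot distributed probing of the RD Web Access login form in IIS W3C logs.

Added example (not from the article or from GreyNoise): it shows why a
rotating botnet slips past per-IP lockouts and static block lists, and what a
per-window view of distinct sources exposes instead.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# RD Web Access form login endpoint (compared case-insensitively). Assumption.
LOGIN_PATH = "/rdweb/pages/en-us/login.aspx"
EPOCH = datetime(1970, 1, 1)

# The "#Fields:" directive in the log drives the parser; this one follows the
# common IIS W3C default layout.
FIELDS = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
          "sc-win32-status time-taken")


def _line(ts, method, client_ip, status, time_taken):
    """Format one constructed log line (all client addresses are documentation ranges)."""
    return (f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 {method} /RDWeb/Pages/en-US/login.aspx - 443 - "
            f"{client_ip} Mozilla/5.0 - {status} 0 0 {time_taken}")


def make_constructed_log() -> str:
    """Constructed data, not a real capture: 40 rotating sources each submit the
    login form once or twice inside five minutes, one user logs in legitimately,
    and ten minutes later a single source hammers the form twelve times."""
    t0 = datetime(2025, 10, 14, 3, 0, 0)
    lines = [FIELDS]
    for i in range(40):
        ip = f"203.0.113.{i + 1}"
        t = t0 + timedelta(seconds=7 * i)
        # Assumption: a failed form login re-renders the page (200) ...
        lines.append(_line(t, "POST", ip, 200, 380 + (i % 5) * 3))
        if i % 3 == 0:
            lines.append(_line(t + timedelta(seconds=2), "POST", ip, 200, 410))
    # ... while a successful one redirects (302).
    lines.append(_line(t0 + timedelta(seconds=90), "POST", "198.51.100.7", 302, 455))
    t1 = t0 + timedelta(minutes=10)
    for j in range(12):
        lines.append(_line(t1 + timedelta(seconds=3 * j), "POST", "192.0.2.9", 200, 395))
    return "\n".join(lines) + "\n"


def parse_iis(text: str) -> list:
    """Parse W3C lines into dicts keyed by the names in the #Fields directive."""
    names, records = [], []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            names = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split()
        if len(values) != len(names):
            continue  # skip malformed rows instead of crashing on them
        rec = dict(zip(names, values))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def login_posts(records):
    """Only form submissions to the login page matter for this check."""
    return [r for r in records
            if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == LOGIN_PATH]


def find_distributed_probing(records, window_s=300, min_sources=20, max_median=3):
    """Bucket login POSTs into fixed windows and flag windows where many distinct
    sources each send only a few requests: the rotate-don't-retry pattern that a
    per-IP lockout never sees."""
    buckets = defaultdict(list)
    for r in login_posts(records):
        key = int((r["ts"] - EPOCH).total_seconds() // window_s)
        buckets[key].append(r)
    alerts = []
    for key in sorted(buckets):
        rows = buckets[key]
        per_source = Counter(r["c-ip"] for r in rows)
        med = median(per_source.values())
        if len(per_source) >= min_sources and med <= max_median:
            alerts.append({
                "window_start": EPOCH + timedelta(seconds=key * window_s),
                "sources": len(per_source),
                "requests": len(rows),
                "failed": sum(1 for r in rows if r["sc-status"] == "200"),
                "median_per_source": med,
                "max_per_source": max(per_source.values()),
            })
    return alerts


def exceeds_per_source_threshold(records, threshold=10):
    """What a per-IP lockout or static block list sees: only sources that cross
    the threshold on their own."""
    counts = Counter(r["c-ip"] for r in login_posts(records))
    return {ip for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    recs = parse_iis(make_constructed_log())
    for a in find_distributed_probing(recs):
        print(f"{a['window_start']:%H:%M}: {a['sources']} sources sent {a['requests']} login "
              f"POSTs ({a['failed']} failed); median {a['median_per_source']} per source, "
              f"max {a['max_per_source']}")
    print("per-IP threshold (>10) would block only:", exceeds_per_source_threshold(recs))
```

On the constructed data the five-minute window at 03:00 is flagged with 41 sources and at most two requests per source, while the per-IP threshold blocks only the single noisy address ten minutes later and nothing at all in the probing window. Tune `min_sources` to your portal's normal concurrency, and feed the same windowed view into whatever alerting you already have; the point of the example is the aggregation, not the thresholds.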

Implications for U.S. Entities

As RDP remains a prime entry point for ransomware and data breaches, U.S. entities, especially those reliant on remote access, face heightened exposure. The operation’s growth from 100,000 to over 500,000 IPs signals potential for further escalation, demanding proactive defenses beyond conventional measures.

Recommendations for Defense

Organizations are urged to adopt the following measures to mitigate the risk posed by this ongoing campaign:

1. Implement Multi-Factor Authentication (MFA): Enhance security by requiring multiple forms of verification for RDP access.

2. Regularly Update and Patch Systems: Ensure that all systems are up-to-date with the latest security patches to protect against known vulnerabilities.

3. Monitor for Unusual RDP Activity: Regularly review logs for signs of unauthorized access or probing attempts.

4. Limit RDP Exposure: Restrict RDP access to only those who need it and consider using Virtual Private Networks (VPNs) to add an additional layer of security.

5. Employ Network Level Authentication (NLA): Require NLA to add an extra layer of pre-authentication security.

By implementing these strategies, organizations can enhance their resilience against this evolving threat landscape.
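The "limit RDP exposure" recommendation is easiest to act on when you can audit for it. The following Python script is an added example, not code from this article: it checks a constructed set of ingress rules, written in a generic protocol/port-range/source-CIDR shape rather than any vendor's export format, for anything that admits port 3389 from outside an assumed VPN allowlist, and ranks the findings by how wide the exposure is. The rule names, the 10.20.0.0/16 allowlist, and the severity bands are assumptions made for illustration; map your own firewall or security-group export onto the same fields before running it.

```python
"""Audit ingress rules for RDP reachable from outside an admin allowlist.

Added example, not from the article: the rule records are constructed in a
generic shape (protocol, port range, source CIDR), not any one vendor's format.
"""
import ipaddress

RDP_PORT = 3389

# Constructed rule set (not a real environment). "-1" stands for "all protocols",
# as some cloud providers express it.
RULES = [
    {"name": "rdp-anywhere", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "source": "0.0.0.0/0"},
    {"name": "rdp-anywhere-v6", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "source": "::/0"},
    {"name": "all-ports-partner", "protocol": "tcp", "from_port": 0, "to_port": 65535, "source": "203.0.113.0/24"},
    {"name": "rdp-from-vpn", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "source": "10.20.0.0/16"},
    {"name": "rdp-corp-wide", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "source": "10.0.0.0/8"},
    {"name": "any-proto-any", "protocol": "-1", "from_port": None, "to_port": None, "source": "0.0.0.0/0"},
    {"name": "https-public", "protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
]

# Assumption: the only approved path to RDP is the corporate VPN concentrator range.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16")]

SEVERITY = {"internet": 3, "broad": 2, "unapproved": 1}


def rule_reaches_rdp(rule) -> bool:
    """True if the rule admits port 3389: explicitly, via a port range, or via
    'all protocols'. UDP counts too, since RDP negotiates a UDP transport on the
    same port."""
    proto = str(rule["protocol"]).lower()
    if proto in ("-1", "all", "any"):
        return True
    if proto not in ("tcp", "udp"):
        return False
    lo = rule["from_port"] if rule["from_port"] is not None else 0
    hi = rule["to_port"] if rule["to_port"] is not None else 65535
    return lo <= RDP_PORT <= hi


def source_is_allowlisted(source: str, allowlist=ADMIN_ALLOWLIST) -> bool:
    """True if the whole source range sits inside an approved range of the same IP version."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowlist)


def exposure_kind(source: str) -> str:
    """Rough width of the source: the whole internet, a broad range, or merely unapproved."""
    net = ipaddress.ip_network(source, strict=False)
    if net.prefixlen == 0:
        return "internet"
    broad_prefix = 16 if net.version == 4 else 48  # assumption: below this is "broad"
    return "broad" if net.prefixlen < broad_prefix else "unapproved"


def audit(rules, allowlist=ADMIN_ALLOWLIST) -> list:
    """Return a finding for every rule that reaches RDP from outside the
    allowlist, widest exposure first (stable sort keeps rule order within a band)."""
    findings = []
    for rule in rules:
        if not rule_reaches_rdp(rule) or source_is_allowlisted(rule["source"], allowlist):
            continue
        kind = exposure_kind(rule["source"])
        findings.append({"rule": rule["name"], "source": rule["source"],
                         "exposure": kind, "severity": SEVERITY[kind]})
    findings.sort(key=lambda f: -f["severity"])
    return findings


if __name__ == "__main__":
    for f in audit(RULES):
        print(f"[{f['exposure']:<10}] {f['rule']}: RDP reachable from {f['source']}")
```

Run against the constructed rules, the three internet-wide rules come first (including the "all protocols" rule that never mentions 3389), then the corporate-wide 10.0.0.0/8 rule, then the partner range that reaches RDP only because it opens every port. The VPN rule and the HTTPS rule produce no finding. Treating the allowlist as the only acceptable source, rather than hunting for known-bad ranges, is what makes the check hold up against a botnet that changes its addresses every day.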