
A large-scale botnet is targeting Remote Desktop Protocol (RDP) services from over 100,000 IP addresses in the United States.
The campaign began on October 8 and based on the source of the IPs, researchers believe the attacks were launched by a multi-country botnet.
RDP is a network protocol that enables remote connection and control of Windows systems. It is commonly used by administrators, helpdesk staff, and remote workers.
Attackers often scan open RDP ports or attempt to force logins, exploit vulnerabilities, or conduct timing attacks.
In this case, researchers at threat monitoring platform GreyNoise found that the botnet relied on two types of RDP-related attacks:
- RD Web Access timing attack – probes RD Web Access endpoints and measures response-time differences during anonymous authentication flows to guess valid usernames
- RDP web client login count – interacts with the RDP web client login flow to enumerate user accounts by observing differences in server behavior and responses
GreyNoise discovered the campaign after an unusual traffic increase from Brazil, which was followed by similar activity from a broader geography, including Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador.
The company says the full list of countries with compromised devices in the botnet exceeds 100.

[Image: botnet traffic chart] Source: GreyNoise
Almost all IP addresses share a common TCP fingerprint, and although there are variations in the MSS (maximum segment size), researchers believe these are due to the groups creating botnets.
To protect against this activity, system administrators are advised to block IP addresses launching attacks and check logs for suspicious RDP probes.
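One way to act on the log-checking advice above, as an added example that is not GreyNoise's or the article's own code: a small detector that reads IIS W3C log lines, picks out login POSTs to the default RD Web Access login page path (assumed to be `/RDWeb/Pages/en-US/login.aspx`), and flags both a single source bursting the endpoint and the low-and-slow pattern of many distinct IPs sharing one User-Agent, which is how a 100,000-node botnet stays under per-IP thresholds. The log lines, addresses and thresholds are constructed for illustration.

```python
"""Flag RD Web Access login-endpoint probing in IIS logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed IIS W3C log excerpt (RFC 5737 test addresses), not real traffic.
# Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status time-taken
# IIS writes User-Agent spaces as '+', so whitespace splitting is safe.
SAMPLE_LOG = """\
2025-10-09 01:00:01 GET /RDWeb/Pages/en-US/login.aspx 192.0.2.20 Mozilla/5.0+(Windows) 200 14
2025-10-09 01:00:09 POST /RDWeb/Pages/en-US/login.aspx 192.0.2.20 Mozilla/5.0+(Windows) 302 120
2025-10-09 01:01:00 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.10 Mozilla/5.0+(Windows) 200 812
2025-10-09 01:01:05 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.10 Mozilla/5.0+(Windows) 200 790
2025-10-09 01:01:11 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.10 Mozilla/5.0+(Windows) 200 31
2025-10-09 01:01:16 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.10 Mozilla/5.0+(Windows) 200 805
2025-10-09 01:01:22 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.10 Mozilla/5.0+(Windows) 200 29
2025-10-09 01:10:00 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.5 python-requests/2.31 200 33
2025-10-09 01:20:00 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.6 python-requests/2.31 200 798
2025-10-09 01:30:00 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.7 python-requests/2.31 200 35
"""
RDWEB_LOGIN = "/rdweb/pages/en-us/login.aspx"  # assumed default RD Web Access login page

def parse(text):
    """Parse the abbreviated W3C lines above into dicts; skip '#' directive lines."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, method, uri, ip, ua, status, taken = line.split()
        events.append({"ts": datetime.fromisoformat(f"{date} {time}"), "method": method,
                       "uri": uri.lower(), "ip": ip, "ua": ua,
                       "status": int(status), "ms": int(taken)})  # ms = time-taken
    return events

def detect(events, window=timedelta(minutes=5), per_ip=5, shared_ua=3):
    """Return (kind, key) alerts: 'burst' = one IP sends >= per_ip login POSTs inside
    `window`; 'distributed' = >= shared_ua distinct IPs post with the same User-Agent."""
    posts = [e for e in events if e["method"] == "POST" and e["uri"] == RDWEB_LOGIN]
    alerts = []
    by_ip, by_ua = defaultdict(list), defaultdict(set)
    for e in posts:
        by_ip[e["ip"]].append(e["ts"])
        by_ua[e["ua"]].add(e["ip"])
    for ip, stamps in by_ip.items():
        stamps.sort()  # sliding window over this source's POST timestamps
        if any(stamps[i + per_ip - 1] - stamps[i] <= window
               for i in range(len(stamps) - per_ip + 1)):
            alerts.append(("burst", ip))
    for ua, ips in by_ua.items():
        if len(ips) >= shared_ua:
            alerts.append(("distributed", ua))
    return alerts
```

The `time-taken` column is kept because it is the signal the timing attack exploits; wide swings on the same endpoint from one source are worth a second look even below the burst threshold.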
As a general recommendation, a remote desktop connection should not be exposed to the public Internet. Adding a VPN and multi-factor authentication (MFA) adds a layer of security.


