Massive 100,000+ IP Botnet Targets U.S. RDP Infrastructure in Coordinated Attack


On October 8, 2025, GreyNoise detected a large-scale, coordinated botnet attack targeting U.S. infrastructure via Remote Desktop Protocol (RDP) services. The operation involved over 100,000 unique IP addresses from more than 100 countries, making it one of the largest distributed RDP attack waves ever recorded. The campaign's uniform TCP fingerprint and synchronized attack patterns indicate centralized command-and-control, strongly suggesting a well-organized botnet operation targeting exposed RDP services across multiple industries.

Severity: High

Threat Details

  • Threat Discovery: GreyNoise initially detected abnormal RDP scanning activity from Brazilian IP ranges, which rapidly expanded to a global scale. The uniform attack signatures across diverse geolocations confirmed a single botnet origin rather than disparate opportunistic actors.
  • Targeted Systems: The primary target is U.S.-based RDP infrastructure, including enterprise and government systems.
  • Geographic Origin: The botnet’s IP addresses originate from over 100 countries, including Brazil, Iran, China, Russia, South Africa, and others.
  • Attack Vectors:
    • Timing attacks on RDP Web Access services, targeting vulnerabilities in the authentication process.
    • Probing for valid login credentials by enumerating RDP Web Client services.
  • Botnet Characteristics: A shared TCP fingerprint across most participating IP addresses, differing only in Maximum Segment Size (MSS), implying identical bot client software under common C2 control.
  • Immediate Impact: Widespread scanning of RDP services, potentially enabling credential harvesting, brute-force preparation, or future ransomware staging.
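To show how the shared-fingerprint observation above can be turned into detection logic, here is an added example (not GreyNoise's or this advisory's own code) that clusters inbound SYN metadata by an MSS-agnostic TCP fingerprint and flags clusters that span many distinct source IPs; the SynRecord field layout, the TTL normalization and the sample values are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class SynRecord:
    """Fields a sensor can pull from one inbound TCP SYN (hypothetical record format)."""
    src_ip: str
    ttl: int          # TTL as observed at the sensor, after some hops
    window: int       # initial window size
    mss: int          # Maximum Segment Size option
    options: str      # TCP option layout in order, e.g. "M,S,T,N,W"
    wscale: int       # window scale option

def initial_ttl(observed: int) -> int:
    # Map the observed TTL back to the likely initial value so hop-count
    # differences between bots do not split one client stack into many.
    return next(t for t in (32, 64, 128, 255) if observed <= t)

def fingerprint_key(r: SynRecord) -> tuple:
    # MSS is deliberately excluded: it depends on each bot's path MTU and was
    # the one field that varied across the botnet described above.
    return (initial_ttl(r.ttl), r.window, r.options, r.wscale)

def find_suspect_clusters(records, min_ips=3):
    """Group SYNs by MSS-agnostic fingerprint and return groups whose number of
    distinct source IPs reaches min_ips, the distributed-scanner signature."""
    ips_per_key = defaultdict(set)
    mss_per_key = defaultdict(set)
    for r in records:
        key = fingerprint_key(r)
        ips_per_key[key].add(r.src_ip)
        mss_per_key[key].add(r.mss)
    return {
        key: {"src_ips": sorted(ips), "mss_values": sorted(mss_per_key[key])}
        for key, ips in ips_per_key.items()
        if len(ips) >= min_ips
    }

# Constructed sample: five bots sharing one stack (only MSS differs) plus two
# unrelated clients. Addresses are from documentation ranges, not real IOCs.
SAMPLE_SYNS = [
    SynRecord("203.0.113.10", 54, 29200, 1460, "M,S,T,N,W", 7),
    SynRecord("203.0.113.11", 51, 29200, 1400, "M,S,T,N,W", 7),
    SynRecord("198.51.100.7", 49, 29200, 1360, "M,S,T,N,W", 7),
    SynRecord("198.51.100.8", 56, 29200, 1452, "M,S,T,N,W", 7),
    SynRecord("192.0.2.33",   50, 29200, 1440, "M,S,T,N,W", 7),
    SynRecord("192.0.2.100", 120, 64240, 1460, "M,N,W,N,N,S", 8),
    SynRecord("192.0.2.101", 117, 65535, 1460, "M,N,W,N,N,T,S,E", 6),
]
```

On the constructed sample, `find_suspect_clusters(SAMPLE_SYNS)` returns a single cluster of five sources with five different MSS values, while the two unrelated clients fall below the threshold.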

Recommendations

  1. Disable direct RDP access from the public internet wherever possible.
  2. Enforce access to RDP only through VPNs, bastion hosts, or Zero Trust Network Access (ZTNA) gateways.
  3. Apply MFA on all RDP accounts.
  4. Employ geo-blocking for countries not relevant to your operations, particularly those identified as botnet sources (Brazil, Russia, China, Iran, Mexico, South Africa).
  5. Regularly monitor RDP logs for any signs of unusual probing or attacks.
  6. Block the indicators of compromise (IOCs) at their respective security controls; the IOC list is published at:
    https://www.virustotal.com/gui/collection/4dab2d3908ef0d82f43d20150c65b91152d419082274a3674e232ef52a4a361b/iocs

Ampcus Cyber