RDP Services Under Attack

A persistent campaign is targeting Microsoft Remote Desktop Protocol (RDP) services, with attackers deploying over 30,000 new IP addresses daily to exploit timing-based vulnerabilities.

This coordinated effort, linked to a global botnet, has seen unique IPs surge past 500,000 since September 2025, primarily aiming at U.S.-based systems.

The attacks focus on two key vectors: RD Web Access anonymous authentication timing attacks and RDP web client login enumeration checks. These methods allow hackers to probe for weaknesses without triggering alerts, using rapid IP rotations to dodge traditional blocking tools.

GreyNoise first identified the botnet’s scale on October 8, 2025, when Brazilian-sourced traffic spiked dramatically, revealing a pattern of similar TCP fingerprints across thousands of endpoints.

RDP Under Attack from New IPs

By October 14, the botnet had expanded to approximately 300,000 IPs, tripling in size within days and originating from over 100 countries.

Brazil dominates as the top source at 63%, followed by Argentina at 14% and Mexico at 3%, with nearly all targets located in the United States.


This consistency in source-target dynamics underscores the operation’s centralized control, likely orchestrated by a single threat actor or group.

Daily activity charts from GreyNoise illustrate the relentless pace, showing grey bars for total unique IPs and blue bars for newly observed ones, which peak above 40,000 in mid-October.

Figure: IP addresses observed

Cumulative graphs reveal a steep upward trajectory, crossing 500,000 unique IPs by October 15, highlighting the evolving risk of infrastructure churn.

Figure: sum of IPs

Experts warn that static IP blocking is ineffective against this high-turnover botnet, as new nodes activate daily to sustain the attack.
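The churn the charts above describe, and the reason static blocklists lag behind it, can be measured directly from your own web-server logs. The following is an added example, not code from the article or from GreyNoise; the log lines are constructed, the simplified "date ip method path" format is assumed, and the RD Web Access and RD web client paths are assumed to be the ones in use on the monitored host.

```python
"""Measure per-day unique vs. newly observed sources hitting RD Web endpoints."""
from collections import defaultdict

# Constructed sample log lines (simplified: date ip method path).
# 203.0.113.10 returns on day two; every other RD Web source is first-time.
SAMPLE_LOG = """\
2025-10-13 203.0.113.10 GET /RDWeb/Pages/en-US/login.aspx
2025-10-13 203.0.113.11 GET /RDWeb/Pages/en-US/login.aspx
2025-10-13 203.0.113.12 POST /RDWeb/webclient/
2025-10-13 198.51.100.5 GET /owa/
2025-10-14 203.0.113.10 GET /RDWeb/Pages/en-US/login.aspx
2025-10-14 203.0.113.20 GET /RDWeb/Pages/en-US/login.aspx
2025-10-14 203.0.113.21 POST /RDWeb/webclient/
2025-10-14 203.0.113.22 GET /RDWeb/Pages/en-US/login.aspx
2025-10-15 203.0.113.30 GET /RDWeb/webclient/
2025-10-15 203.0.113.31 GET /RDWeb/Pages/en-US/login.aspx
2025-10-15 203.0.113.32 GET /RDWeb/Pages/en-US/login.aspx
"""

# Assumed endpoint prefixes for RD Web Access and the RDP web client.
RDWEB_PREFIXES = ("/RDWeb/Pages/", "/RDWeb/webclient")


def parse_rdweb_hits(log_text):
    """Yield (day, ip) for every request that touches an RD Web endpoint."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].startswith(RDWEB_PREFIXES):
            yield parts[0], parts[1]


def churn_by_day(log_text):
    """Return {day: (unique_ips, new_ips, new_fraction)}, days in order.

    new_ips counts sources never seen on an earlier day, the same
    "newly observed" series shown in the article's charts."""
    per_day = defaultdict(set)
    for day, ip in parse_rdweb_hits(log_text):
        per_day[day].add(ip)
    seen, stats = set(), {}
    for day in sorted(per_day):
        new = per_day[day] - seen
        stats[day] = (len(per_day[day]), len(new), len(new) / len(per_day[day]))
        seen |= per_day[day]
    return stats


def high_churn_days(log_text, min_unique=3, min_new_fraction=0.6):
    """Days (after the baseline first day) on which most RD Web sources
    are first-time IPs: a blocklist of yesterday's offenders misses them."""
    stats = churn_by_day(log_text)
    return [d for d in sorted(stats)[1:]
            if stats[d][0] >= min_unique and stats[d][2] >= min_new_fraction]
```

A sustained new-IP fraction near 1.0 across consecutive days is the signature the article describes, and it argues for reputation or intelligence feeds that refresh at least daily rather than a manually maintained static list.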

This campaign exemplifies a broader trend where attackers complicate attribution and evasion through disposable infrastructure.

As RDP remains a prime entry point for ransomware and data breaches, U.S. entities, especially those reliant on remote access, face heightened exposure. GreyNoise continues monitoring, urging log reviews for unusual RDP probes tied to these tags.

The operation’s growth from 100,000 to over 500,000 IPs signals potential for further escalation, demanding proactive defenses beyond conventional measures.

With the botnet’s focus on U.S. infrastructure, immediate adoption of intelligence-driven blocking could prevent widespread compromise.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.