A persistent and large-scale cyber campaign is actively targeting Microsoft Remote Desktop Protocol (RDP) services, with attackers deploying more than 30,000 new IP addresses each day to exploit timing-based vulnerabilities and evade detection.
Linked to a globally distributed botnet, the campaign has witnessed a dramatic rise in unique IP activity — surpassing 500,000 distinct sources since September 2025 — with the majority of targets located in the United States.
Attack Vectors and Tactics
Researchers report that the operation primarily exploits two RDP vectors:
- RD Web Access anonymous authentication timing attacks
- RDP web client login enumeration tests
These techniques allow attackers to probe for weaknesses quietly, avoiding alerts while rotating through thousands of IPs to bypass conventional blocking systems.
Discovery and Scale
The network’s scale was first detected by GreyNoise on October 8, 2025, when traffic originating from Brazil surged dramatically. Analysts observed recurring TCP fingerprint patterns across thousands of endpoints, confirming the existence of a coordinated botnet.
By October 14, the botnet’s footprint had grown to roughly 300,000 IPs — tripling within days — spanning more than 100 countries. Brazil accounted for 63% of the malicious traffic, followed by Argentina (14%) and Mexico (3%), while U.S.-based servers remained the primary targets.
This persistent regional pattern suggests centralized command and control, likely managed by a single threat group or organized actor.
Evolving Infrastructure
GreyNoise’s daily activity charts highlight the campaign’s aggressive tempo, with total unique IPs (grey bars) and new daily IPs (blue bars) peaking above 40,000 in mid-October.
Cumulative data show an unbroken upward climb, surpassing half a million IPs by October 15, reflecting constant infrastructure churn designed to overwhelm static defenses.
Defensive Challenges and Recommendations
Experts caution that traditional IP blocking is ineffective against such dynamic, disposable infrastructure. The attackers’ strategy of rapid IP turnover complicates attribution and mitigation, representing a growing trend in botnet-based reconnaissance and exploitation.
Given that RDP remains a high-value attack vector for ransomware operators and data exfiltration campaigns, U.S. organizations—especially those reliant on remote access—face heightened risk.
GreyNoise continues to monitor this operation and urges defenders to analyze logs for unusual RDP activity linked to its threat tags.
The campaign’s rapid expansion—from 100,000 to over 500,000 IPs in just weeks—underscores the urgent need for intelligence-driven defenses such as behavioral analytics, dynamic threat intelligence integration, and anomaly-based detection, beyond conventional perimeter controls.