
    Researchers warn of widespread RDP attacks by 100K-node botnet

    Pierluigi Paganini
    October 14, 2025

    GreyNoise researchers uncovered a large-scale botnet that is targeting Remote Desktop Protocol (RDP) services in the United States starting on October 8.

    The company discovered the botnet after detecting an unusual spike in Brazilian IP space this week and conducting an investigation into broader traffic patterns.

    RDP botnet

    The experts observed that the attack attempts originated from more than 100,000 IP addresses from multiple countries.

    According to the cybersecurity firm, the campaign employs two specific attack vectors — RD Web Access timing attacks and RDP web client login enumeration. The researchers believe that a single entity is behind the attacks because most participating IPs share one similar TCP fingerprint. 

    The attack traffic originated from more than 100 countries, including Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, Ecuador, and others.

    “Since October 8, 2025, GreyNoise has tracked a coordinated botnet operation involving over 100,000 unique IP addresses from more than 100 countries targeting Remote Desktop Protocol (RDP) services in the United States.” reads the advisory. “We assess with high confidence that the elevated RDP targeting beginning this week is attributable to a multi-country botnet.”

    GreyNoise concludes that “Several factors suggest this activity is originating from one botnet:”

    • Almost all traffic shared one similar TCP fingerprint, with only the MSS changing.
    • MSS in this context likely changes depending on the compromised botnet cluster.
    • The timing and pattern of targeting implies coordinated activity with centralized control.
    • The shared RDP attack vector again suggests centralized control, likely activated by the operator(s) for this sole purpose.

    To defend RDP services from botnet attacks, restrict access using VPNs or firewalls, enforce MFA and strong passwords, enable Network Level Authentication, and keep systems patched. Monitor login attempts for anomalies, use EDR or fail2ban to block brute-force activity, and limit RDP exposure to essential, time-bound access only.
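The two observations above, a shared TCP fingerprint in which only the MSS varies and the advice to monitor logon attempts for anomalies, can be turned into a simple triage rule. The following is an added example written for this page, not code from GreyNoise or from the article: it reads constructed Windows Security Event ID 4625 records (failed logons, LogonType 10 for RemoteInteractive/RDP) exported as JSON lines, collapses the fingerprint by dropping the MSS field, and reports, per time window and fingerprint cluster, how many distinct sources took part and how many attempts the noisiest single source made. The `tcp_fp` field and its `window:options:mss` layout are assumptions standing in for whatever a network sensor would enrich the event with; the thresholds are illustrative.

```python
"""Triage RDP failed logons for a distributed, single-fingerprint campaign.

Added example (not GreyNoise's or the article's code). Input is assumed to be
JSON lines of Windows Security Event 4625 with a hypothetical `tcp_fp`
enrichment of the form "window:options:mss".
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed sample export: six quiet sources sharing one fingerprint (MSS
# differs), one noisy source with a different fingerprint, one success (4624)
# and one non-RDP failure (logon_type 3) that must both be ignored.
SAMPLE_LOG = """\
{"ts":"2025-10-08T12:00:01Z","event_id":4625,"logon_type":10,"src_ip":"203.0.113.10","user":"administrator","tcp_fp":"65535:2-4-8-1-3:1460"}
{"ts":"2025-10-08T12:00:05Z","event_id":4625,"logon_type":10,"src_ip":"203.0.113.11","user":"administrator","tcp_fp":"65535:2-4-8-1-3:1452"}
{"ts":"2025-10-08T12:00:09Z","event_id":4625,"logon_type":10,"src_ip":"198.51.100.7","user":"admin","tcp_fp":"65535:2-4-8-1-3:1380"}
{"ts":"2025-10-08T12:00:14Z","event_id":4625,"logon_type":10,"src_ip":"198.51.100.8","user":"admin","tcp_fp":"65535:2-4-8-1-3:1460"}
{"ts":"2025-10-08T12:00:20Z","event_id":4625,"logon_type":10,"src_ip":"192.0.2.33","user":"administrator","tcp_fp":"65535:2-4-8-1-3:1452"}
{"ts":"2025-10-08T12:00:26Z","event_id":4625,"logon_type":10,"src_ip":"192.0.2.34","user":"rdpuser","tcp_fp":"65535:2-4-8-1-3:1460"}
{"ts":"2025-10-08T12:00:30Z","event_id":4625,"logon_type":10,"src_ip":"203.0.113.10","user":"admin","tcp_fp":"65535:2-4-8-1-3:1460"}
{"ts":"2025-10-08T12:01:00Z","event_id":4625,"logon_type":10,"src_ip":"192.0.2.99","user":"administrator","tcp_fp":"64240:2-4-8-1-3:1460"}
{"ts":"2025-10-08T12:01:10Z","event_id":4625,"logon_type":10,"src_ip":"192.0.2.99","user":"administrator","tcp_fp":"64240:2-4-8-1-3:1460"}
{"ts":"2025-10-08T12:01:20Z","event_id":4625,"logon_type":10,"src_ip":"192.0.2.99","user":"administrator","tcp_fp":"64240:2-4-8-1-3:1460"}
{"ts":"2025-10-08T12:01:30Z","event_id":4625,"logon_type":10,"src_ip":"192.0.2.99","user":"administrator","tcp_fp":"64240:2-4-8-1-3:1460"}
{"ts":"2025-10-08T12:01:40Z","event_id":4625,"logon_type":10,"src_ip":"192.0.2.99","user":"administrator","tcp_fp":"64240:2-4-8-1-3:1460"}
{"ts":"2025-10-08T12:02:00Z","event_id":4624,"logon_type":10,"src_ip":"10.0.0.5","user":"jdoe","tcp_fp":"65535:2-4-8-1-3:1460"}
{"ts":"2025-10-08T12:02:10Z","event_id":4625,"logon_type":3,"src_ip":"10.0.0.6","user":"svc","tcp_fp":"65535:2-4-8-1-3:1460"}
"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON lines and keep only failed RDP logons (4625 with LogonType 10)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_id") != 4625 or rec.get("logon_type") != 10:
            continue
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def normalize_fp(fp):
    """Split off the MSS (last field) so hosts from different clusters share one key."""
    head, _, mss = fp.rpartition(":")
    return head + ":*", mss


def summarize(events, window=timedelta(minutes=10), min_sources=5, per_ip_max=3):
    """Aggregate failures per (window start, MSS-normalised fingerprint).

    A per-IP blocker (fail2ban-style) only reacts when max_per_ip exceeds its
    threshold; a botnet spreading attempts across many sources stays under it,
    which is why distinct_ips per fingerprint cluster is the signal to watch.
    """
    buckets = defaultdict(lambda: {"ips": defaultdict(int), "mss": set(), "users": set()})
    for ev in events:
        start = ev["ts"] - ((ev["ts"] - EPOCH) % window)  # align to window boundary
        cluster, mss = normalize_fp(ev["tcp_fp"])
        b = buckets[(start.strftime("%Y-%m-%dT%H:%M:%SZ"), cluster)]
        b["ips"][ev["src_ip"]] += 1
        b["mss"].add(mss)
        b["users"].add(ev["user"])

    report = {}
    for key, b in buckets.items():
        distinct = len(b["ips"])
        max_per_ip = max(b["ips"].values())
        report[key] = {
            "distinct_ips": distinct,
            "attempts": sum(b["ips"].values()),
            "max_per_ip": max_per_ip,
            "mss_values": sorted(b["mss"]),
            "targeted_users": sorted(b["users"]),
            "distributed_campaign": distinct >= min_sources,
            "below_per_ip_threshold": max_per_ip <= per_ip_max,
        }
    return report


if __name__ == "__main__":
    for (start, cluster), r in sorted(summarize(parse_events(SAMPLE_LOG)).items()):
        flag = "DISTRIBUTED" if r["distributed_campaign"] else "single-source"
        evade = " (under per-IP threshold)" if r["below_per_ip_threshold"] else ""
        print(f"{start} {cluster}: {r['distinct_ips']} sources, {r['attempts']} attempts, "
              f"max/IP {r['max_per_ip']}, MSS {r['mss_values']} -> {flag}{evade}")
```

On the constructed sample the six-source cluster is flagged as distributed while its noisiest member made only two attempts, below a typical per-IP ban threshold; the single noisy source is the case fail2ban or an EDR lockout rule would already catch. In production the window, `min_sources` and `per_ip_max` would be tuned against baseline traffic, and the fingerprint enrichment has to come from a network sensor, since Event 4625 itself carries no TCP options.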

    Pierluigi Paganini

    (SecurityAffairs – hacking, RDP)
