Hackers Attacking Remote Desktop Protocol Services from 100,000+ IP Addresses
On October 8, 2025, security firm GreyNoise reported a substantial botnet campaign targeting Remote Desktop Protocol (RDP) services in the United States. The attack involves over 100,000 unique IP addresses from more than 100 countries, aiming to compromise RDP infrastructure, which is critical for remote work and administration.
Attack Overview
The coordinated nature of this campaign poses a significant threat to organizations relying on RDP for daily operations. The investigation began following an anomalous spike in traffic from Brazilian IPs, leading to the discovery of similar activities from Argentina, Iran, China, Mexico, Russia, and South Africa. Despite the geographic diversity, the common target remains RDP services within the United States.
Analysts attribute this activity to a single, large-scale botnet, based on similar TCP fingerprints across participating IPs. This suggests a centralized command-and-control structure orchestrating the attacks.
Attack Vectors
The attackers utilize two specific methods:
- RD Web Access Timing Attack: This approach involves measuring server response times to login attempts to differentiate between valid and invalid usernames.
- RDP Web Client Login Enumeration: This method systematically guesses user credentials, allowing the botnet to identify vulnerable RDP access points without triggering standard security alerts.
Mitigations
In response, GreyNoise recommends that network defenders monitor their security logs for unusual RDP probing or failed login attempts matching the campaign’s patterns. Additionally, a dynamic blocklist template, “microsoft-rdp-botnet-oct-25,” is available for automatic blocking of known malicious IPs.
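As an added illustration of the log-monitoring advice above (example code, not GreyNoise's or the article's own), the Python below runs two rules over constructed Windows failed-logon records (Event ID 4625, logon type 10 for RDP): a classic per-IP threshold, which a botnet that spreads one attempt per address never trips, and a rule that counts distinct source IPs per target account within a time window, which does. The reduced field layout, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event 4625 (failed logon) records,
# reduced to (timestamp, target account, source IP, logon type). Not real telemetry.
# Logon type 10 = RemoteInteractive (RDP); type 3 = network logon, included only
# to show that non-RDP failures are filtered out.
BASE = datetime(2025, 10, 8, 2, 0, 0)
SAMPLE_EVENTS = (
    # twelve different source IPs, one failed RDP logon each, 20 s apart
    [(BASE + timedelta(seconds=20 * i), "administrator", f"203.0.113.{i + 1}", 10)
     for i in range(12)]
    # one IP failing repeatedly over a network logon, not RDP: must not count
    + [(BASE + timedelta(seconds=5 * i), "svc_backup", "198.51.100.9", 3)
       for i in range(6)]
    # one legitimate user mistyping a password once
    + [(BASE + timedelta(minutes=3), "alice", "192.0.2.44", 10)]
)

def rdp_failures(events):
    """Keep only RDP (logon type 10) failures, ordered by time."""
    return sorted((e for e in events if e[3] == 10), key=lambda e: e[0])

def _window_hit(times, window, min_count):
    """True if min_count consecutive sorted timestamps fall within one window."""
    return any(times[j + min_count - 1] - times[j] <= window
               for j in range(len(times) - min_count + 1))

def per_ip_alerts(events, window=timedelta(minutes=5), min_attempts=5):
    """Classic rule: one source IP failing min_attempts times within window."""
    by_ip = defaultdict(list)
    for ts, _, ip, _ in rdp_failures(events):
        by_ip[ip].append(ts)
    return {ip for ip, times in by_ip.items() if _window_hit(times, window, min_attempts)}

def distributed_alerts(events, window=timedelta(minutes=10), min_distinct_ips=10):
    """Botnet rule: many distinct source IPs failing against one account inside
    one window, each possibly only once. Returns {account: peak distinct IPs}."""
    by_account = defaultdict(list)
    for ts, account, ip, _ in rdp_failures(events):
        by_account[account].append((ts, ip))
    alerts = {}
    for account, hits in by_account.items():
        start = 0
        for end in range(len(hits)):          # slide the window over time-ordered hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) >= min_distinct_ips:
                alerts[account] = max(alerts.get(account, 0), len(ips))
    return alerts

if __name__ == "__main__":
    print("per-IP rule:", per_ip_alerts(SAMPLE_EVENTS))          # nothing fires
    print("distributed rule:", distributed_alerts(SAMPLE_EVENTS))  # administrator: 12
```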
Organizations are advised to enforce strong password policies and implement multi-factor authentication to protect against brute-force attacks. Regularly reviewing RDP security settings is also recommended to enhance protection.