🚨 CRITICAL alert

Researchers Warn of Widespread RDP Attacks by 100K-node Botnet

GreyNoise reports a coordinated RDP-targeting botnet exceeding 100,000 IPs, active since October 8, 2025, with sources spanning 100+ countries, including the U.S., Brazil, Argentina, Iran, China, Mexico, and Russia. Observed techniques include RD Web Access timing attacks and RDP web client login enumeration; the shared TCP fingerprint across most nodes points to a single, centralized operator. The objective is credential harvesting and access validation at scale, enabling rapid follow-on exploitation and ransomware staging. Because RDP often fronts privileged server access, sustained brute forcing raises the risk of lateral movement and privilege escalation. Enterprises exposing RDP to the Internet remain the primary targets and should shift to brokered access (VPN/ZTNA), enforce MFA and NLA, and monitor authentication telemetry for anomalous spikes in failed logons.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: High risk of unauthorized access to server infrastructure leading to data theft and ransomware.

Technical Context: Massive distributed botnet conducts timing and enumeration attacks; shared TCP fingerprint indicates a single operator.

⚡ Strategic Intelligence Guidance

  • Remove direct Internet exposure of RDP; require VPN or ZTNA with device trust.
  • Enforce MFA and Network Level Authentication with lockouts and throttling.
  • Detect and block brute-force spikes; apply geo/risk-based access policies.
  • Audit admin accounts and rotate credentials potentially exposed.
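
The brute-force spike and login-enumeration detection recommended above, as an added example that is not part of the GreyNoise report or this alert: it runs over constructed, simplified Windows Security event 4625 (failed logon) lines for LogonType 10 (RemoteInteractive/RDP) and flags any source that either fails too often or tries too many distinct usernames inside a sliding window. The line format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): one simplified line per
# Windows Security event. 4625 = failed logon, LogonType=10 = RDP.
SAMPLE_LOG = """\
2025-10-08T02:00:01Z 4625 LogonType=10 User=administrator Src=203.0.113.10
2025-10-08T02:00:03Z 4625 LogonType=10 User=admin Src=203.0.113.10
2025-10-08T02:00:05Z 4625 LogonType=10 User=backup Src=203.0.113.10
2025-10-08T02:00:06Z 4625 LogonType=10 User=svc_sql Src=203.0.113.10
2025-10-08T02:00:08Z 4625 LogonType=10 User=jsmith Src=203.0.113.10
2025-10-08T02:00:09Z 4625 LogonType=10 User=jsmith Src=198.51.100.7
2025-10-08T02:30:00Z 4625 LogonType=10 User=jsmith Src=198.51.100.7
2025-10-08T02:00:10Z 4625 LogonType=2 User=jsmith Src=-
2025-10-08T02:01:00Z 4624 LogonType=10 User=jsmith Src=198.51.100.7
"""

def parse(line):
    """Split one constructed log line into timestamp, event id and fields."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event": event, "logon_type": kv["LogonType"],
            "user": kv["User"].lower(), "src": kv["Src"]}

def detect_rdp_bruteforce(log_text, window=timedelta(minutes=5),
                          max_failures=5, max_distinct_users=3):
    """Return {source_ip: reason} for sources whose RDP failures inside any
    sliding window reach a threshold. Many failures from one source is
    password guessing; many distinct usernames is login enumeration."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["event"] == "4625" and ev["logon_type"] == "10":
            by_src[ev["src"]].append(ev)
    alerts = {}
    minutes = int(window.total_seconds() // 60)
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            current = events[start:end + 1]
            users = {e["user"] for e in current}
            if len(current) >= max_failures:
                alerts[src] = f"{len(current)} RDP failures within {minutes} min"
            elif len(users) >= max_distinct_users:
                alerts[src] = f"{len(users)} distinct usernames within {minutes} min"
    return alerts
```

In the sample, 203.0.113.10 is flagged while 198.51.100.7 is not: its two failures are 30 minutes apart, so a per-window rather than per-day count is what separates an enumeration burst from a user mistyping a password.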

Vendors: Microsoft

Threats: Botnet

Targets: RDP

Impact (Financial): 100,000+ IPs