Executive Summary
In October 2025, a botnet composed of devices in more than 100 countries launched coordinated attacks against Remote Desktop Protocol (RDP) services in the United States. Security researchers first spotted a spike in unusual RDP traffic originating from Brazil, after which the activity quickly spread globally. The attackers relied on two techniques: timing attacks against RD Web Access, which infer valid usernames from differences in response time, and login enumeration against the RDP web client, which infers valid accounts from differences in server response behaviour. The campaign used more than 100,000 unique IP addresses sharing a similar TCP fingerprint, indicating a single coordinated botnet rather than unrelated scanners. The activity put both government and enterprise systems at risk of brute-force intrusion and credential compromise.
This incident underlines the persistent and evolving threat that botnets pose to remote access services. With growing reliance on remote work and more RDP endpoints exposed to the internet, such multi-geography attacks exploit ordinary authentication weaknesses (usernames that can be confirmed before authentication, weak passwords, no second factor) and call for defensive upgrades, including MFA and network segmentation.
Why This Matters Now
The rise of global botnets targeting exposed RDP services coincides with a surge in remote work and greater exposure of remote access services. Organizations that do not properly secure RDP endpoints remain at high risk of large-scale credential theft and lateral movement, which makes swift incident detection and zero trust access controls increasingly important.
Attack Path Analysis
- Reconnaissance: the botnet scanned at scale for exposed RDP, RD Web Access and RDP web client endpoints and ran timing and enumeration attacks against the login flows to identify valid user accounts.
- Initial access: with a list of confirmed accounts, the attackers likely followed up with brute-force or password-spraying login attempts to gain unauthorized access.
- Privilege escalation and lateral movement: a foothold obtained through RDP could be used to escalate privileges or move laterally to other internal systems.
- Command and control: the botnet maintained persistent command and control channels to coordinate the attacks and manage compromised machines.
- Collection and exfiltration: data could be staged and exfiltrated over the RDP sessions themselves.
- Impact: expanded botnet control, potential ransomware deployment, or disruption of critical services.
Kill Chain Progression
Initial Compromise
Description
Attackers scanned for publicly exposed RDP endpoints and performed timing and enumeration attacks on RD Web Access and RDP Web Client login flows to discover valid accounts.
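The two techniques named above, timing attacks against RD Web Access and login enumeration against the RDP web client, share one root cause: a login flow whose response, in time or in content, differs for existing and non-existing accounts. The following toy is an added illustration and is not RD Web Access code or anything from the page's sources. It contrasts a login routine that leaks account existence through response time (it skips the expensive password check for unknown users) with one that does uniform work, and runs a timing probe that enumerates users against the first but not the second. The user names, passwords and salt are constructed.

```python
import hashlib
import hmac
import time

# Toy login back end used to illustrate a username-enumeration timing oracle.
# It stands in for the web login flow the page describes; it is not RD Web
# Access code. PBKDF2 makes password verification deliberately slow, as in
# real systems, and HASH_CALLS counts how often that slow step runs.
SALT = b"constructed-salt"      # constructed value, not a real salt
ITERATIONS = 20_000
HASH_CALLS = 0


def slow_hash(password):
    """Expensive password derivation (the step whose cost leaks)."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


# Constructed user store: two accounts with made-up passwords.
USERS = {"alice": slow_hash("correct horse"), "bob": slow_hash("hunter2")}
DUMMY_HASH = slow_hash("dummy-password")


def login_leaky(username, password):
    """Vulnerable pattern: unknown users short-circuit before the slow hash,
    so response time alone reveals whether the account exists."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(slow_hash(password), stored)


def login_uniform(username, password):
    """Hardened pattern: always run the slow hash, comparing against a dummy
    hash when the user is unknown, so cost no longer depends on existence.
    The final check stops an unknown user logging in with the dummy password."""
    stored = USERS.get(username)
    candidate = slow_hash(password)
    matched = hmac.compare_digest(candidate, stored if stored is not None else DUMMY_HASH)
    return matched and stored is not None


def hash_calls_for(login, username):
    """How many slow-hash operations one failed login against `username` costs."""
    before = HASH_CALLS
    login(username, "definitely-wrong")
    return HASH_CALLS - before


def median_latency(login, username, samples=5):
    """Median wall-clock time of a failed login, as a remote prober would see it."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, "definitely-wrong")
        timings.append(time.perf_counter() - start)
    timings.sort()
    return timings[len(timings) // 2]


def enumerate_users(login, candidates, ratio=10.0):
    """Timing oracle: report candidates whose failed-login latency is far above
    the fastest candidate's. Finds users behind login_leaky, nothing behind
    login_uniform."""
    latency = {name: median_latency(login, name) for name in candidates}
    floor = min(latency.values())
    return sorted(name for name, t in latency.items() if t > floor * ratio)


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol", "dave"]
    print("leaky  :", enumerate_users(login_leaky, wordlist))    # ['alice', 'bob']
    print("uniform:", enumerate_users(login_uniform, wordlist))  # []
```

The fix is not to make the code faster but to make its cost independent of the secret: every request pays for one hash whether or not the account exists, and the same error message should be returned in both cases so that response content does not leak what timing no longer does. Over a network the attacker needs more samples per candidate to average out jitter, which is exactly why a campaign with 100,000 source addresses can afford a few requests each.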
Related CVEs
Both CVEs below affect the same service but were not part of the reported activity: the campaign relied on authentication enumeration and brute force, and neither flaw has a public exploit. They are listed because an unpatched, internet-exposed RDP host is a target for both.
CVE-2025-24035
CVSS 8.1. A remote code execution vulnerability in Windows Remote Desktop Services caused by sensitive data being stored in improperly locked memory.
Affected Products:
Microsoft Windows Server – 2008 R2, 2008, 2012 R2, 2012, 2016, 2019, 2022, 2025
Exploit Status:
no public exploit
CVE-2025-24045
CVSS 8.1. A remote code execution vulnerability in Windows Remote Desktop Services caused by a race condition.
Affected Products:
Microsoft Windows Server – 2008 R2, 2008, 2012 R2, 2012, 2016, 2019, 2022, 2025
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
External Remote Services (T1133)
Brute Force (T1110)
Active Scanning (T1595)
Account Discovery (T1087), covering the username enumeration against the login pages
Network Service Discovery (T1046)
Valid Accounts (T1078)
Exploitation for Credential Access (T1212)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Remote Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.15
DORA (Digital Operational Resilience Act) – ICT Security Policies and Procedures
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model 2.0 – Remote Access Controls and Authentication Hardening
Control ID: Access Management: Strong Authentication
NIS2 Directive – Risk Management and Security Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Multi-country botnet targeting RDP services creates critical exposure risks for IT infrastructure, requiring immediate Zero Trust segmentation and threat detection capabilities.
Financial Services
RDP timing attacks and login enumeration threaten financial systems' remote access security, demanding enhanced east-west traffic monitoring and egress policy enforcement.
Health Care / Life Sciences
Healthcare RDP vulnerabilities expose patient data to botnet exploitation, necessitating encrypted traffic controls and HIPAA-compliant anomaly detection systems.
Government Administration
Government RDP services face multi-national botnet threats requiring secure hybrid connectivity, multicloud visibility, and comprehensive intrusion prevention system deployment.
Sources
- Massive multi-country botnet targets RDP services in the US: https://www.bleepingcomputer.com/news/security/massive-multi-country-botnet-targets-rdp-services-in-the-us/
- 100,000+ IP Botnet Launches Coordinated RDP Attack Wave Against US Infrastructure: https://www.greynoise.io/blog/botnet-launches-coordinated-rdp-attack-wave
- CERT-EU Security Advisory 2025-009: https://cert.europa.eu/publications/security-advisories/2025-009/pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Comprehensive Zero Trust controls, including segmentation, egress enforcement, encrypted traffic, and real-time threat detection, would have sharply limited this botnet's ability to compromise, move laterally, and persist in cloud and hybrid environments. Policy enforcement and visibility at each stage would block, detect, or contain the attack chain.
Control: Zero Trust Segmentation
Mitigation: Blocks unauthorized external access to RDP services.
Control: Threat Detection & Anomaly Response
Mitigation: Detects anomalous authentication and login behaviour in real time.
Control: East-West Traffic Security
Mitigation: Prevents unauthorized internal movement between workloads or services.
Control: Cloud Firewall (ACF) and Inline IPS (Suricata)
Mitigation: Detects and blocks suspicious outbound C2 traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized data exfiltration to unapproved domains or networks.
Together these controls minimize the attack blast radius and enable rapid containment.
Impact at a Glance
Affected Business Functions
- IT Administration
- Remote Access Services
- Data Management
Estimated downtime: 5 days
Estimated loss: $500,000
Potential unauthorized access to sensitive corporate data and systems through compromised RDP services.
Recommended Actions
Key Takeaways & Next Steps
- Immediately restrict RDP service access using Zero Trust Segmentation and microsegmentation; expose RDP only through an authenticated gateway or VPN with MFA, never directly to the internet.
- Enforce centralized, policy-driven egress controls to block outbound C2 and data exfiltration attempts.
- Enable and monitor real-time Threat Detection & Anomaly Response for authentication and access anomalies, including low-rate failures spread across many source IPs.
- Implement East-West Traffic Security to prevent unauthorized lateral movement across workloads.
- Establish centralized visibility and rapid incident response with a Cloud Native Security Fabric (CNSF) platform.
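The detection recommendation above has to account for this campaign's shape: with more than 100,000 source addresses each making only a handful of attempts, a per-source brute-force threshold never fires. The following added example is not from the page or its sources. It runs a classic per-IP rule and an aggregate "many quiet sources, many usernames" rule over constructed login-failure records in a simplified CSV form (timestamp, source IP, username, result) of the kind a SIEM would normalise from Windows Security event 4625 or RD Web Access logs; the record format, thresholds and sample addresses are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Events are (timestamp, source IP, username) for failed logins. The CSV
# format below is a constructed, SIEM-style normalisation of login failures;
# it is not the native log format of any product.
EPOCH = datetime(1970, 1, 1)


def parse_events(text):
    """Parse 'timestamp,src_ip,username,result' CSV lines; keep failures only."""
    lines = text.splitlines()
    header = lines[0].split(",")
    events = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        if rec["result"] != "failure":
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, rec["src_ip"], rec["username"].lower()))
    return events


def detect(events, window=timedelta(minutes=10), per_ip_max=10,
           low_rate=3, min_ips=20, min_users=10):
    """Two detections per fixed time window:
    - brute_force: one source IP with >= per_ip_max failures (classic rule);
    - distributed_enumeration: many 'quiet' IPs (<= low_rate failures each)
      that together touch many usernames, which the per-IP rule never sees."""
    buckets = defaultdict(list)
    for ts, ip, user in events:
        buckets[(ts - EPOCH) // window].append((ip, user))
    alerts = []
    for idx in sorted(buckets):
        start = EPOCH + idx * window
        per_ip = Counter(ip for ip, _ in buckets[idx])
        for ip, n in per_ip.items():
            if n >= per_ip_max:
                alerts.append({"type": "brute_force", "window_start": start,
                               "src_ip": ip, "attempts": n})
        quiet = {ip for ip, n in per_ip.items() if n <= low_rate}
        users = {user for ip, user in buckets[idx] if ip in quiet}
        if len(quiet) >= min_ips and len(users) >= min_users:
            alerts.append({"type": "distributed_enumeration", "window_start": start,
                           "src_ips": len(quiet), "usernames": len(users)})
    return alerts


def build_sample():
    """Constructed sample (not real traffic): 30 quiet IPs trying two usernames
    each, one IP hammering 'administrator', and one genuine success."""
    base = datetime(2025, 10, 8, 2, 0, 0)
    names = ["jsmith", "admin", "administrator", "svc_backup", "mgarcia", "helpdesk",
             "rdp", "test", "scanner", "itadmin", "ceo", "finance"]
    lines = ["timestamp,src_ip,username,result"]
    for i in range(30):
        for j in range(2):
            ts = base + timedelta(seconds=15 * i + 5 * j)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%S},203.0.113.{i + 1},"
                         f"{names[(i + j) % len(names)]},failure")
    for k in range(12):
        ts = base + timedelta(seconds=20 * k)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S},192.0.2.99,administrator,failure")
    ts = base + timedelta(minutes=5)
    lines.append(f"{ts:%Y-%m-%dT%H:%M:%S},198.51.100.5,jsmith,success")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect(parse_events(build_sample())):
        print(alert)
```

On the sample the per-IP rule catches only 192.0.2.99, while the aggregate rule reports 30 sources and 12 usernames in one ten-minute window, which is the signal a distributed campaign leaves. The same aggregation keyed on a network sensor's TCP fingerprint instead of source IP would surface the shared-fingerprint cluster the researchers observed; thresholds should be tuned to the normal number of distinct sources your RD Web Access endpoint sees per window.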