GreyNoise is tracking a new surge of Remote Desktop Protocol (RDP) activity targeting U.S. networks, driven by a botnet exceeding 100,000 unique IP addresses. The campaign’s active phase began on 8 October 2025 and exhibits synchronized timing and uniform behavior across sources, strongly indicating centralized command-and-control of the attacking infrastructure.
Global scale and origin of the RDP campaign
Analysts first observed an anomalous spike of RDP traffic from Brazil, followed by rapid expansion across multiple regions. Notable sources now include Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador. According to GreyNoise, compromised devices in more than 100 countries are participating, pointing to a geographically dispersed pool of infected consumer and corporate systems that amplifies both attack volume and the botnet's resilience to source-based blocking.
Attack tactics: two distinct RDP activity profiles
Current observations reveal two complementary RDP behaviors. One cluster performs high-volume discovery against port 3389/TCP (broad scanning to locate exposed services). The other attempts more deliberate, session-oriented connections suggestive of credential guessing or staged access. While the specific credential sets are not disclosed, the pattern aligns with preparation for unauthorized authentication and potential follow-on actions such as persistence, privilege escalation, and lateral movement.
Technical indicators: shared TCP fingerprint, MSS variance, and clustering
Most participating IPs present a common TCP fingerprint (a repeatable pattern of TCP options and handshake parameters), implying a standardized software base or uniform network stack configuration across infected nodes. At the same time, analysts note differences in MSS (Maximum Segment Size) that likely reflect infrastructure clustering tied to regional ISPs, routing paths, or local network policies. A host's advertised MSS is derived from the MTU of its access link (1460 on plain Ethernet, 1452 behind PPPoE, lower on some mobile or tunnelled links) and can be clamped by middleboxes on the path, so MSS values group nodes by access network even when their software stack is identical. The combination of synchronized timing, a shared fingerprint, and segmented MSS profiles supports the assessment of a centrally orchestrated botnet operating across multiple infrastructure cohorts.
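The clustering logic described above can be reproduced from a sensor's SYN observations. The following is an added example written for this article, not GreyNoise's code; the SYN records, the option layout, and the RFC 1918 source addresses are constructed, and the field names are assumptions about what a passive sensor exports. It derives a stack fingerprint from option layout, window and window scale (deliberately leaving MSS out), finds the dominant fingerprint, splits that cohort by MSS, and measures how tightly first-seen times are synchronized.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of SYN observations against 3389/TCP (not real indicators).
# The fields mirror what a passive sensor typically records per source.
@dataclass(frozen=True)
class SynObservation:
    src_ip: str
    country: str
    options: str   # TCP option layout in the SYN, e.g. "M,S,T,N,W"
    window: int    # advertised receive window
    wscale: int    # window scale shift
    mss: int       # advertised Maximum Segment Size
    first_seen: datetime

T0 = datetime(2025, 10, 8, 14, 0, 0)
SHARED_STACK = ("M,S,T,N,W", 64240, 7)   # one option layout shared by the cohort

SAMPLE = [
    SynObservation("10.0.0.1", "BR", *SHARED_STACK, 1460, T0),
    SynObservation("10.0.0.2", "BR", *SHARED_STACK, 1460, T0 + timedelta(minutes=1)),
    SynObservation("10.0.0.3", "AR", *SHARED_STACK, 1452, T0 + timedelta(minutes=2)),
    SynObservation("10.0.0.4", "IR", *SHARED_STACK, 1400, T0 + timedelta(minutes=1)),
    SynObservation("10.0.0.5", "CN", *SHARED_STACK, 1400, T0 + timedelta(minutes=3)),
    SynObservation("10.0.0.6", "MX", *SHARED_STACK, 1452, T0 + timedelta(minutes=2)),
    SynObservation("10.0.0.7", "RU", *SHARED_STACK, 1460, T0 + timedelta(minutes=90)),
    SynObservation("10.0.0.8", "ZA", *SHARED_STACK, 1380, T0 + timedelta(minutes=1)),
    # Two unrelated scanners with different stacks; they must fall outside the cohort.
    SynObservation("10.0.0.9", "US", "M,N,W,N,N,T,S,E", 65535, 8, 1460, T0 + timedelta(minutes=40)),
    SynObservation("10.0.0.10", "DE", "M,N,N,S,N,W", 8192, 8, 1460, T0 + timedelta(minutes=50)),
]

def fingerprint(obs):
    """Stack fingerprint: option layout, window and scale. MSS is left out on purpose
    so that MSS variance inside one fingerprint shows up as sub-cohorts."""
    return (obs.options, obs.window, obs.wscale)

def cluster_by_fingerprint(observations):
    clusters = defaultdict(set)
    for o in observations:
        clusters[fingerprint(o)].add(o.src_ip)
    return clusters

def dominant_fingerprint(observations):
    """Most common fingerprint and its share of all unique source IPs."""
    clusters = cluster_by_fingerprint(observations)
    fp, ips = max(clusters.items(), key=lambda kv: len(kv[1]))
    total = len({o.src_ip for o in observations})
    return fp, len(ips) / total

def mss_cohorts(observations, fp):
    """Within one fingerprint, group sources by advertised MSS and list their countries."""
    cohorts = defaultdict(lambda: {"ips": set(), "countries": set()})
    for o in observations:
        if fingerprint(o) == fp:
            cohorts[o.mss]["ips"].add(o.src_ip)
            cohorts[o.mss]["countries"].add(o.country)
    return {mss: {"ips": len(c["ips"]), "countries": sorted(c["countries"])}
            for mss, c in sorted(cohorts.items())}

def synchronized_fraction(observations, fp, window=timedelta(minutes=5)):
    """Fraction of the fingerprint's sources first seen within `window` of the earliest one."""
    seen = {}
    for o in observations:
        if fingerprint(o) == fp:
            seen[o.src_ip] = min(seen.get(o.src_ip, o.first_seen), o.first_seen)
    start = min(seen.values())
    return sum(1 for t in seen.values() if t - start <= window) / len(seen)

def assess(observations=SAMPLE):
    fp, share = dominant_fingerprint(observations)
    return {"fingerprint": fp, "share": share,
            "mss_cohorts": mss_cohorts(observations, fp),
            "synchronized": synchronized_fraction(observations, fp)}

if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

On the constructed sample the shared fingerprint covers 80% of sources, splits into four MSS cohorts that line up with country groups, and 7 of its 8 sources appear within five minutes of each other; the two unrelated scanners are excluded by the fingerprint alone. The 5-minute window and the choice of fingerprint fields are assumptions to tune against real sensor data.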
Why RDP exposure remains a high-risk entry point
RDP is one of the most targeted remote access services on the internet. Exposing RDP directly to the public internet materially increases attack surface by offering interactive access to servers and workstations. Public reporting from FBI IC3 and Microsoft has repeatedly linked RDP compromise to ransomware intrusions, data theft, and lateral movement. Security telemetry and open-source scans (e.g., Shodan) routinely show millions of RDP services visible on port 3389, ensuring a steady stream of brute-force and credential-stuffing attempts. The current campaign adds significant background noise, making it easier for targeted intrusions to blend into mass scanning activity.
Defensive actions: practical RDP hardening checklist
Reduce exposure and enforce modern access controls
- Remove direct internet exposure to RDP wherever possible; front remote access with VPN, ZTNA, or RD Gateway, and disable RDP if it is not business-critical.
- Enable Network Level Authentication (NLA) and require MFA for all administrative and remote sessions. Enforce strong password policies and progressive account lockouts with alerting.
- Apply IP allowlists, geo-blocking, and time-bound access for administrative endpoints. Consider just-in-time (JIT) access with short-lived privileges.
Harden the stack and segment critical assets
- Fully patch the OS and RDP stack, disable legacy protocols and weak ciphers, and standardize secure TLS settings. Remove unused local accounts.
- Place sensitive hosts in isolated network segments; require jump hosts/bastions with auditing for privileged access.
- Use fail2ban/lockout-style controls on externally reachable systems and prepare dynamic block rules to handle rapid IP rotation by botnets.
Monitor and respond at speed
- Continuously monitor perimeter controls (firewall/EDR/WAF) for spikes in RDP connection attempts and block abusive sources while tracking reappearance from new subnets.
- Instrument security analytics for JA3/TLS and TCP option anomalies tied to RDP, and baseline typical 3389 traffic to flag deviations.
What to watch in logs and network telemetry
- Bursty, multi-geo RDP attempts within short intervals, often switching IPs after blocks are applied.
- Sequences of failed logons and lockouts on local/domain accounts, especially administrative ones (e.g., Windows Security 4625 failed logon and 4624 successful logon, 4776 NTLM credential validation, 4768/4769 Kerberos ticket requests).
- Unusual TLS cipher suites or JA3 fingerprints in RDP over TLS, and recurring TCP fingerprint traits (options/MSS) across disparate sources.
- Recurrent attacks from new provider ranges after defensive rules are updated, indicating botnet IP churn.
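Three of the telemetry patterns listed above (bursty multi-geo attempts, failed-logon sequences against administrative accounts, and reappearance from new subnets after a block) can be checked with simple detection logic. The code below is an added example for this article, not GreyNoise's or any vendor's tooling. The log format ("<timestamp> <source> key=value ...") and all sample lines are constructed, the firewall field names and the BLOCK_RULE record are assumptions about how a perimeter device logs, and the thresholds are illustrative. The Windows Security fields (EventID, TargetUserName, IpAddress, Status, LogonType) and the values 4625, 4624, 0xC000006D and LogonType 10 are real event attributes.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real data): perimeter firewall records for 3389/TCP
# and Windows Security events from one RDP host. Format: "<ts> <source> k=v k=v ...".
SAMPLE_LOG = """\
2025-10-08T14:02:01Z fw dst_port=3389 src=10.1.1.10 geo=BR action=ALLOW
2025-10-08T14:02:05Z fw dst_port=3389 src=10.1.1.11 geo=BR action=ALLOW
2025-10-08T14:02:09Z fw dst_port=3389 src=10.2.2.20 geo=AR action=ALLOW
2025-10-08T14:02:14Z fw dst_port=3389 src=10.3.3.30 geo=IR action=ALLOW
2025-10-08T14:02:20Z fw dst_port=3389 src=10.4.4.40 geo=CN action=ALLOW
2025-10-08T14:02:27Z fw dst_port=3389 src=10.5.5.50 geo=MX action=ALLOW
2025-10-08T14:02:30Z win EventID=4625 TargetUserName=Administrator IpAddress=10.1.1.10 Status=0xC000006D
2025-10-08T14:02:33Z win EventID=4625 TargetUserName=Administrator IpAddress=10.2.2.20 Status=0xC000006D
2025-10-08T14:02:36Z win EventID=4625 TargetUserName=Administrator IpAddress=10.3.3.30 Status=0xC000006D
2025-10-08T14:02:40Z win EventID=4625 TargetUserName=jsmith IpAddress=10.4.4.40 Status=0xC000006D
2025-10-08T14:02:55Z fw action=BLOCK_RULE cidr=10.1.1.0/24
2025-10-08T14:03:10Z fw dst_port=3389 src=10.6.6.60 geo=RU action=ALLOW
2025-10-08T14:03:15Z fw dst_port=3389 src=10.7.7.70 geo=ZA action=ALLOW
2025-10-08T14:03:20Z fw dst_port=3389 src=10.1.1.12 geo=BR action=DENY
2025-10-08T14:03:30Z win EventID=4624 TargetUserName=jsmith IpAddress=192.168.50.5 LogonType=10
"""
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_line(line):
    ts, source, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["source"] = source
    return fields

def load(text=SAMPLE_LOG):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def rdp_attempts(events):
    return [e for e in events if e["source"] == "fw" and e.get("dst_port") == "3389"]

def burst_multi_geo(events, window=timedelta(seconds=60), min_ips=5, min_geos=3):
    """Bucket 3389 attempts into fixed windows; alert when many distinct IPs from many
    countries arrive together, the signature of a coordinated botnet, not one scanner."""
    buckets = defaultdict(lambda: {"ips": set(), "geos": set()})
    for e in rdp_attempts(events):
        start = e["ts"] - (e["ts"] - EPOCH) % window   # align to window boundary
        buckets[start]["ips"].add(e["src"])
        buckets[start]["geos"].add(e["geo"])
    return [{"start": s, "ips": len(b["ips"]), "geos": len(b["geos"])}
            for s, b in sorted(buckets.items())
            if len(b["ips"]) >= min_ips and len(b["geos"]) >= min_geos]

def failed_logon_pressure(events, min_failures=3):
    """Count 4625 failures per target account and the distinct sources behind them;
    a few failures each from many IPs against one account is the spraying pattern."""
    per_account = defaultdict(lambda: {"failures": 0, "ips": set()})
    for e in events:
        if e["source"] == "win" and e.get("EventID") == "4625":
            acct = per_account[e["TargetUserName"]]
            acct["failures"] += 1
            acct["ips"].add(e["IpAddress"])
    return {a: {"failures": c["failures"], "distinct_ips": len(c["ips"])}
            for a, c in per_account.items() if c["failures"] >= min_failures}

def churn_after_block(events):
    """Once a block rule exists, list source /24s that still reach 3389 from ranges no
    rule covers: the botnet rotating to fresh address space after defensive changes."""
    rules, fresh = [], set()
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["source"] == "fw" and e.get("action") == "BLOCK_RULE":
            rules.append(ipaddress.ip_network(e["cidr"]))
        elif e["source"] == "fw" and e.get("dst_port") == "3389" and rules:
            ip = ipaddress.ip_address(e["src"])
            if not any(ip in net for net in rules):
                fresh.add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
    return sorted(fresh)

if __name__ == "__main__":
    ev = load()
    print("burst windows:", burst_multi_geo(ev))
    print("account pressure:", failed_logon_pressure(ev))
    print("fresh /24s after blocks:", churn_after_block(ev))
```

On the sample, the 14:02 window trips the burst rule (six IPs from five countries), the Administrator account shows three failures from three different sources while the single failure against jsmith stays below threshold, and after the 10.1.1.0/24 block two previously unseen /24s keep arriving, which is the churn signal that should feed the dynamic block rules recommended above. Real deployments would use the SIEM's own field names and tune the window and thresholds against a baseline of normal 3389 traffic.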
The GreyNoise-observed RDP campaign demonstrates a mature, centrally directed botnet spanning 100+ countries and more than 100,000 IPs. Organizations should treat direct RDP exposure as a high-risk condition and prioritize architectural defenses: eliminate public 3389 access, enforce MFA and NLA, restrict source networks, segment critical systems, and intensify log-based detection. Proactive hardening and rapid response will reduce compromise likelihood and complicate adversary operations in subsequent stages of an intrusion.