Researchers warn of widespread RDP attacks by 100K-node botnet

Pierluigi Paganini October 14, 2025

A botnet of 100K+ IPs from multiple countries is attacking U.S. RDP services in a campaign active since October 8.

GreyNoise researchers uncovered a large-scale botnet that is targeting Remote Desktop Protocol (RDP) services in the United States starting on October 8.

The company discovered the botnet after detecting an unusual spike in traffic from Brazilian IP space this week and investigating the broader traffic patterns behind it.

RDP botnet

The experts observed that the attack attempts originated from more than 100,000 IP addresses from multiple countries.

According to the cybersecurity firm, the campaign employs two specific attack vectors — RD Web Access timing attacks and RDP web client login enumeration. The researchers believe that a single entity is behind the attacks because most participating IPs share one similar TCP fingerprint. 

The attack traffic originates from more than 100 countries, including Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, Ecuador, and others.

“Since October 8, 2025, GreyNoise has tracked a coordinated botnet operation involving over 100,000 unique IP addresses from more than 100 countries targeting Remote Desktop Protocol (RDP) services in the United States.” reads the advisory. “We assess with high confidence that the elevated RDP targeting beginning this week is attributable to a multi-country botnet.”

GreyNoise concludes that “Several factors suggest this activity is originating from one botnet:”

  • Almost all traffic shared one similar TCP fingerprint, with only the MSS changing.
  • MSS in this context likely changes depending on the compromised botnet cluster.
  • The timing and pattern of targeting implies coordinated activity with centralized control.
  • The shared RDP attack vector again suggests centralized control, likely activated by the operator(s) for this sole purpose.

To defend RDP services from botnet attacks, restrict access using VPNs or firewalls, enforce MFA and strong passwords, enable Network Level Authentication, and keep systems patched. Monitor login attempts for anomalies, use EDR or fail2ban to block brute-force activity, and limit RDP exposure to essential, time-bound access only.
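As an added example (not from the advisory or from GreyNoise), the Python script below shows the kind of login-anomaly monitoring recommended above: it flags the distributed pattern described in this article, many source IPs each making only a few failed RDP logons, which a per-IP ban threshold such as fail2ban's would never trip. The log format, IP addresses and account names are constructed for the example.

```python
"""Flag distributed RDP logon enumeration that per-IP ban thresholds miss."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample failed-logon records (not from the advisory): UTC time, source IP, account.
SAMPLE_FAILED_LOGONS = """\
2025-10-08T03:00:01Z 198.51.100.10 administrator
2025-10-08T03:00:02Z 198.51.100.23 administrator
2025-10-08T03:00:02Z 203.0.113.7 admin
2025-10-08T03:00:04Z 203.0.113.9 administrator
2025-10-08T03:00:05Z 192.0.2.44 rdpuser
2025-10-08T03:00:07Z 192.0.2.45 administrator
2025-10-08T03:00:09Z 198.51.100.10 admin
2025-10-08T03:06:30Z 192.0.2.99 jsmith
2025-10-08T03:07:10Z 192.0.2.99 jsmith
"""


def parse_failed_logons(text):
    """Parse 'timestamp ip user' lines into (datetime, ip, user) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user = line.split()
            records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user))
    return records


def bucket_start(ts, window):
    """Align a timestamp to the start of its fixed-size time bucket."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // window) * window


def detect_distributed_bruteforce(records, window=timedelta(minutes=5),
                                  min_sources=5, max_per_source=3):
    """Alert on buckets where at least min_sources distinct IPs fail to log on
    while no single IP exceeds max_per_source attempts: the botnet pattern that
    stays below a per-IP fail2ban-style threshold but is obvious in aggregate."""
    attempts_by_ip = defaultdict(lambda: defaultdict(int))
    users_by_bucket = defaultdict(set)
    for ts, ip, user in records:
        bucket = bucket_start(ts, window)
        attempts_by_ip[bucket][ip] += 1
        users_by_bucket[bucket].add(user)
    alerts = []
    for bucket, by_ip in sorted(attempts_by_ip.items()):
        if len(by_ip) >= min_sources and max(by_ip.values()) <= max_per_source:
            alerts.append({"window_start": bucket, "sources": len(by_ip),
                           "attempts": sum(by_ip.values()),
                           "users": sorted(users_by_bucket[bucket])})
    return alerts
```

In the sample, the 03:00 bucket has six distinct sources with at most two attempts each and is flagged, while the single host retrying at 03:06 is not; in practice feed it Windows 4625 events or RD Web Access failed-logon entries.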

Pierluigi Paganini

(SecurityAffairs – hacking, RDP)
