Cybersecurity - 13 Oct 2025 - 3m - securityonline.info

100,000+ IPs Target US in Major RDP Botnet Attack

A massive botnet targeting Remote Desktop Protocol services has been identified, involving over 100,000 IPs from more than 100 countries, raising cybersecurity concerns in the U.S.

Key Takeaways

1. Researchers highlighted that “most participating IPs share one similar TCP fingerprint, indicating centralized control,” which solidifies their concerns regarding the botnet's management.
2. As they reported, “almost all traffic shared one similar TCP fingerprint, with only the MSS changing,” and the timing of the targeting indicated a high degree of coordination.
3. GreyNoise reached a stark conclusion that “the elevated RDP targeting beginning this week is attributable to a multi-country botnet,” reinforcing that the simultaneous increases in attack traffic from various regions are no accident but rather a concerted global initiative.

GreyNoise Intelligence has raised alarms regarding an extensive botnet operation directed at Remote Desktop Protocol (RDP) services throughout the United States. Since October 8, 2025, researchers have been monitoring over 100,000 unique IP addresses originating in more than 100 nations, all homing in on U.S.-based RDP endpoints. The campaign appears to be centrally orchestrated and marks a disturbing trend in cybersecurity.

Analysts at GreyNoise describe the operation as both multi-country and highly coordinated. They noted that almost all systems involved exhibit a consistent technical profile. The observed traffic follows two RDP attack patterns: a login enumeration check against the Microsoft RDP Web Client, and an anonymous-authentication timing attack against Microsoft RD Web Access (recorded by GreyNoise as the Microsoft RDP Web Client Login Enumeration Check and the Microsoft RD Web Access Anonymous Authentication Timing Attack Scanner).

Researchers highlighted that “most participating IPs share one similar TCP fingerprint, indicating centralized control,” which solidifies their concerns regarding the botnet's management.


The findings from the report outline the campaign's scale and complexity, presenting critical information that demands attention:

- Confidence level: High, indicating a strong belief in the botnet's multi-country origins
- Attack signatures: Uniform TCP fingerprints with minor variations in Maximum Segment Size (MSS)
- Primary target: U.S. RDP infrastructure
- Countries involved: Over 100, including notable contributors such as Brazil, Argentina, Iran, China, Mexico, Russia, and South Africa
- Scale: Over 100,000 IPs


The campaign came to light following an uptick in RDP-related traffic detected from Brazilian IP addresses. GreyNoise's investigative team stated, “The botnet was discovered after GreyNoise detected an unusual spike in Brazilian IP space this week, which prompted investigation into broader traffic patterns.” This initial observation led researchers to uncover correlated traffic increases across various regions, suggesting that the Brazilian spike was only one piece of a much larger and carefully planned operation.

Championship Implications

The researchers further underscored that the uniformity in TCP fingerprints coupled with similar attack patterns across such geographically varied systems points towards a singular, centrally controlled botnet infrastructure. As they reported, “almost all traffic shared one similar TCP fingerprint, with only the MSS changing,” and the timing of the targeting indicated a high degree of coordination.
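The following is an added illustration of the reasoning above, not code from the GreyNoise report or this article: it groups constructed SYN observations by a TCP fingerprint that deliberately drops the MSS (the one field the researchers saw varying) and reports how much of the source population, and how many countries, fall into the dominant cluster. The sample records, the field layout, and the rounding of observed TTLs up to common initial values (32/64/128/255, as passive fingerprinting tools do) are assumptions.

```python
from collections import defaultdict

# Constructed SYN observations for illustration only (not data from the GreyNoise report).
# Fields: source IP, country code, observed TTL, TCP window size, TCP option order, MSS.
SYN_LOG = [
    ("203.0.113.10", "BR", 52, 29200, "mss,sackOK,ts,nop,wscale", 1460),
    ("203.0.113.77", "BR", 49, 29200, "mss,sackOK,ts,nop,wscale", 1452),
    ("198.51.100.7", "AR", 55, 29200, "mss,sackOK,ts,nop,wscale", 1440),
    ("198.51.100.9", "IR", 47, 29200, "mss,sackOK,ts,nop,wscale", 1380),
    ("192.0.2.23", "CN", 51, 29200, "mss,sackOK,ts,nop,wscale", 1460),
    ("192.0.2.88", "MX", 50, 29200, "mss,sackOK,ts,nop,wscale", 1400),
    ("192.0.2.101", "RU", 53, 29200, "mss,sackOK,ts,nop,wscale", 1460),
    ("198.51.100.200", "ZA", 48, 29200, "mss,sackOK,ts,nop,wscale", 1452),
    ("203.0.113.250", "US", 118, 65535, "mss,nop,wscale,nop,nop,sackOK", 1460),  # unrelated client
    ("192.0.2.5", "DE", 244, 16384, "mss", 1460),                                  # unrelated client
]

def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value (assumed hop-count normalisation)."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)

def fingerprint(rec, ignore_mss=True):
    """Stable key from initial TTL, window size and option order; MSS is dropped by default."""
    _ip, _cc, ttl, window, options, mss = rec
    key = (initial_ttl(ttl), window, options)
    return key if ignore_mss else key + (mss,)

def cluster(records, ignore_mss=True):
    """Group sources by fingerprint -> {key: {"ips": set, "countries": set, "mss": set}}."""
    groups = defaultdict(lambda: {"ips": set(), "countries": set(), "mss": set()})
    for rec in records:
        g = groups[fingerprint(rec, ignore_mss)]
        g["ips"].add(rec[0]); g["countries"].add(rec[1]); g["mss"].add(rec[5])
    return groups

def dominant_cluster(records, ignore_mss=True):
    """Largest cluster as (share of all source IPs, number of countries, distinct MSS values)."""
    groups = cluster(records, ignore_mss)
    total = len({r[0] for r in records})
    biggest = max(groups.values(), key=lambda g: len(g["ips"]))
    return len(biggest["ips"]) / total, len(biggest["countries"]), len(biggest["mss"])

if __name__ == "__main__":
    share, countries, mss_variants = dominant_cluster(SYN_LOG)
    print(f"dominant fingerprint: {share:.0%} of sources, {countries} countries, {mss_variants} MSS values")
```

Keeping the MSS in the key fragments the same sources into several small clusters, which is why a fingerprint that tolerates MSS variation is what exposes the shared profile behind geographically scattered addresses.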

This distinctly uniform pattern of attack behavior across the globe suggests the botnet may be using compromised servers or IoT devices to automate the RDP probing and enumeration activities. While no specific malware has yet been tied to the operation, the deliberate precision and synchronization point to active oversight by one or more operators.

GreyNoise reached a stark conclusion that “the elevated RDP targeting beginning this week is attributable to a multi-country botnet,” reinforcing that the simultaneous increases in attack traffic from various regions are no accident but rather a concerted global initiative.

As cybersecurity experts continue to monitor the developments, the scale and coordination of this botnet operation serve as pressing reminders for organizations to fortify their RDP defenses and remain vigilant against evolving threats in the digital landscape. The implications of this attack extend beyond immediate concerns, indicating a potential shift in the tactics employed by cyber adversaries worldwide.