Hackers Attacking Remote Desktop Protocol Services from 100,000+ IP Addresses


A massive, coordinated botnet campaign is actively targeting Remote Desktop Protocol (RDP) services across the United States.

Security firm GreyNoise reported on October 8, 2025, that it has been tracking a significant wave of attacks originating from over 100,000 unique IP addresses spanning more than 100 countries.

The operation appears to be centrally controlled, with the primary objective of compromising RDP infrastructure, a critical component for remote work and administration.

The scale and organized nature of this campaign pose a significant threat to organizations that depend on RDP for their daily operations.

The investigation into this widespread attack began after GreyNoise analysts detected an anomalous spike in traffic from Brazilian-geolocated IPs.

This initial finding prompted a broader analysis, which quickly uncovered similar surges in activity from a multitude of countries, including Argentina, Iran, China, Mexico, Russia, and South Africa. Despite the diverse geographic origins, the attacks share a common target: RDP services within the United States.


Botnet Targeting RDP Infrastructure

Analysts are highly confident that this activity is the work of a single, large-scale botnet. This conclusion is supported by the fact that nearly all participating IPs share a similar TCP fingerprint. This technical signature suggests a standard, centralized command-and-control structure orchestrating the attacks.

The threat actors behind this campaign are employing two specific attack vectors to identify and compromise vulnerable systems.

The first is an RD Web Access timing attack, in which the attacker measures how long the server takes to respond to login attempts and uses the difference to tell valid usernames from invalid ones without ever authenticating.

The second vector is an RDP web client login enumeration, which systematically attempts to guess user credentials. These methods allow the botnet to efficiently scan for and identify exploitable RDP access points without immediately triggering standard security alerts.

The synchronized use of these specific, non-trivial attack methods across such a vast number of nodes further points to a coordinated operation managed by a single operator or group.

Mitigations

In response to this ongoing threat, GreyNoise has released specific recommendations for network defenders. The firm advises organizations to proactively check their security logs for any unusual RDP probing or failed login attempts that match the patterns of this campaign.

For more direct protection, GreyNoise has created a dynamic blocklist template, named “microsoft-rdp-botnet-oct-25,” available through its platform.

This allows customers to automatically block all known IP addresses associated with this malicious botnet activity, effectively cutting off the attacks at the network perimeter.

Organizations that rely on RDP for remote work should review how their RDP services are exposed and configured, enforce strong password policies, and require multi-factor authentication wherever possible. These measures blunt large-scale credential attacks such as the brute-force and enumeration activity seen in this campaign.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.