GBHackers

Russian Hackers Exploit RDP, VPNs, Supply Chains for Initial Access


Russian state-sponsored and aligned threat groups are increasingly combining Remote Desktop Protocol (RDP), Virtual Private Networks (VPNs), supply chain compromise, and sophisticated social engineering to gain initial access to targeted networks across government, critical infrastructure, and commercial sectors.

This multi-vector approach allows them to bypass perimeter defenses, blend in with legitimate traffic, and maintain long-term persistence for espionage and disruptive operations.

Russian operators continue to abuse exposed remote access services, such as RDP and VPN gateways, to gain an initial foothold, often using brute-force and credential-stuffing attacks against poorly secured endpoints.

Once valid credentials are obtained, attackers log in over RDP or VPN as legitimate users, making early-stage intrusion traffic difficult to distinguish from normal remote work activity.

In parallel, Russian clusters have been observed targeting VPN and edge devices with password-guessing and exploitation of unpatched vulnerabilities, exploiting the fact that monitoring on these appliances is often limited compared to traditional endpoints.

Russian-linked advanced persistent threat (APT) groups are also investing heavily in supply chain attacks to bypass hardened front-line defenses.

By compromising software suppliers, managed service providers, or smaller regional partners, they can push malicious updates or abuse trusted network interconnections to move into high-value targets with minimal direct exposure.

CERT and vendor reporting from 2024–2025 describes operations in which subclusters associated with Russian military intelligence targeted supplier companies in multiple European countries, delivering malicious documents that exploited zero-day or recently disclosed vulnerabilities.

According to rnbo research, some campaigns deliver malicious RDP configuration files via spear-phishing emails; when opened, these files automatically connect victims to attacker-controlled servers, granting remote desktop access without obvious malware execution.
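One way a mail gateway or endpoint rule could triage an .rdp attachment of the kind described above, as an added example that is not from the article or from rnbo: it parses the file's key:type:value lines (the setting names follow Microsoft's documented .rdp file format) and flags a connection target outside an assumed allowlist of corporate hosts, plus resource-redirection settings that would expose local drives or the clipboard to the remote server. The allowlist and both sample files are constructed for the example.

```python
import ipaddress
import re

# Hypothetical allowlist: where this organization's users are expected to RDP into.
TRUSTED_RDP_SUFFIXES = (".corp.example",)
TRUSTED_RDP_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"),)

# Settings that hand local resources or a misleading UI to the remote server. Key names
# follow Microsoft's .rdp file format (key:type:value, type i = integer, s = string).
RISKY_FLAGS = {
    "redirectdrives": "local drives shared with the remote host",
    "redirectclipboard": "clipboard shared with the remote host",
    "remoteapplicationmode": "RemoteApp mode hides that a full session was opened",
}

LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[isb]):(?P<value>.*)$")

def parse_rdp(text: str) -> dict:
    """Return {key: value} for well-formed lines; malformed lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            settings[m.group("key").strip().lower()] = m.group("value").strip()
    return settings

def host_is_trusted(address: str) -> bool:
    host = address.split(":")[0].lower()  # drop an optional :port (hostname/IPv4 form)
    try:
        return any(ipaddress.ip_address(host) in net for net in TRUSTED_RDP_NETWORKS)
    except ValueError:  # not an IP literal, so compare as a DNS name
        return host.endswith(TRUSTED_RDP_SUFFIXES)

def triage_rdp_file(text: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    s = parse_rdp(text)
    findings = []
    target = s.get("full address", "")
    if target and not host_is_trusted(target):
        findings.append(f"connects to untrusted host {target}")
    for key, why in RISKY_FLAGS.items():
        if s.get(key) == "1":
            findings.append(f"{key}=1: {why}")
    return findings

# Constructed samples: a lure pointing at an external address with redirection on, and a benign file.
SAMPLE_LURE = "full address:s:203.0.113.10:3389\nredirectdrives:i:1\nredirectclipboard:i:1\nremoteapplicationmode:i:1\n"
SAMPLE_BENIGN = "full address:s:srv01.corp.example\nredirectdrives:i:0\n"
```

Running `triage_rdp_file(SAMPLE_LURE)` yields four findings (untrusted host plus the three redirection flags), while the benign file yields none.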

These intrusions often aim at IT service providers, logistics partners, or cloud-hosted business applications, giving attackers privileged access paths into multiple downstream customers from a single compromise.

RDP, VPNs, Supply Chains Exploited

Social engineering remains a primary initial access vector, with Russian groups using spear phishing, OAuth and device-code phishing, and messaging-app abuse to steal credentials and multi-factor tokens.

Percentage of threat groups (Source: rnbo).

Campaigns documented in 2025 include phishing that targets Microsoft 365 OAuth workflows and device-code flows, tricking users into granting attacker-controlled applications persistent access to mailboxes and cloud data without ever entering a password on a suspicious site.

Researchers have also observed Russian actors abusing secure messaging platforms such as Signal and other encrypted apps by sending malicious QR codes that silently link a victim’s account to attacker devices, enabling real-time message interception and account takeover.


Assessment of the consequences of cyber threat realization (Source: rnbo).

Combined with classic spear-phishing lures and impersonation of trusted organizations, this enables attackers to harvest credentials, bypass MFA in some scenarios, and then pivot into RDP, VPN, or cloud admin consoles using stolen sessions.

Defenders are advised to harden remote access services with mandatory MFA, strict network segmentation, and continuous monitoring for anomalous RDP and VPN logins, particularly from new locations or devices.

Organizations should also strengthen supplier risk management, apply rapid patching for edge and VPN devices, and deploy robust anti-phishing controls, including user education focused on OAuth/device-code consent prompts and QR-code–based social engineering.
