Massive Global Botnet Targets U.S. RDP Services: Experts Advise Urgent Security Measures
October 14, 2025
A coordinated attack campaign is underway that relies on two specific vectors, RD Web Access timing attacks and RDP web client login enumeration, both of which serve to discover valid usernames before password guessing begins; the uniformity of the tooling across sources indicates control by a single entity.
Researchers from GreyNoise have identified a large-scale botnet comprising over 100,000 IP addresses from more than 100 countries, actively targeting RDP services in the United States since early October 2025.
The source countries for these attacks include Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador, underscoring the global reach of this threat.
Most attacking IPs share a similar TCP fingerprint, which points to centralized control: the activity originates from a single botnet despite its wide geographical distribution.
To defend RDP services, experts recommend restricting access through a VPN or firewall allow-list rather than exposing port 3389 to the internet, enforcing multi-factor authentication and strong passwords, enabling Network Level Authentication, and keeping systems patched.
Additional measures include monitoring failed logon attempts for anomalies, employing tools like EDR or fail2ban to block brute-force sources, and limiting RDP exposure to essential, time-bound access. One caveat follows from the size of this botnet: with more than 100,000 source addresses, each IP can stay well under a per-IP lockout threshold, so detection should also aggregate failures by target account and by the number of distinct sources, not only by source IP.
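The monitoring advice above, as an added example that is not code from GreyNoise, Security Affairs, or Microsoft: a small triage pass over Windows Security event 4625 (failed logon) records that flags three patterns, a per-IP burst (what fail2ban-style blocking catches), username enumeration from one source (many distinct non-existent accounts), and a distributed low-and-slow spray against one account from many IPs that each stay below the per-IP limit. The log lines are constructed here for illustration in a simplified key=value form rather than the real event XML; the field meanings follow the real 4625 event (LogonType 10 is RemoteInteractive, SubStatus 0xC0000064 means the user name does not exist, 0xC000006A means the password was wrong for an existing account), and treating LogonType 3 as RDP-related when NLA is enabled is an assumption of this example.

```python
"""Triage of Windows Security event 4625 (failed logon) records for RDP
brute force, username enumeration and distributed password spraying.

Added example; not code from GreyNoise, Security Affairs or Microsoft.
The log text is constructed for illustration (RFC 5737 documentation
addresses) in a simplified key=value form instead of the real event XML.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Real 4625 SubStatus values: user does not exist / wrong password.
SUBSTATUS_NO_SUCH_USER = "0xC0000064"
SUBSTATUS_BAD_PASSWORD = "0xC000006A"
# 10 = RemoteInteractive (RDP). Counting 3 (Network) as RDP-related is an
# assumption for hosts where NLA is on and pre-auth failures log as type 3.
RDP_LOGON_TYPES = {"10", "3"}

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = """\
2025-10-07T03:00:01Z EventID=4625 IpAddress=203.0.113.5 TargetUserName=administrator LogonType=10 SubStatus=0xC000006A
2025-10-07T03:00:02Z EventID=4625 IpAddress=203.0.113.5 TargetUserName=admin LogonType=10 SubStatus=0xC0000064
2025-10-07T03:00:03Z EventID=4625 IpAddress=203.0.113.5 TargetUserName=backup LogonType=10 SubStatus=0xC0000064
2025-10-07T03:00:04Z EventID=4625 IpAddress=203.0.113.5 TargetUserName=scanner LogonType=10 SubStatus=0xC0000064
2025-10-07T03:00:05Z EventID=4625 IpAddress=203.0.113.5 TargetUserName=test LogonType=10 SubStatus=0xC0000064
2025-10-07T03:00:06Z EventID=4625 IpAddress=203.0.113.5 TargetUserName=guest LogonType=10 SubStatus=0xC0000064
2025-10-07T03:01:00Z EventID=4625 IpAddress=198.51.100.10 TargetUserName=administrator LogonType=10 SubStatus=0xC000006A
2025-10-07T03:01:30Z EventID=4625 IpAddress=198.51.100.11 TargetUserName=administrator LogonType=10 SubStatus=0xC000006A
2025-10-07T03:02:00Z EventID=4625 IpAddress=198.51.100.12 TargetUserName=administrator LogonType=10 SubStatus=0xC000006A
2025-10-07T03:02:30Z EventID=4625 IpAddress=198.51.100.13 TargetUserName=administrator LogonType=10 SubStatus=0xC000006A
2025-10-07T03:03:00Z EventID=4625 IpAddress=192.0.2.77 TargetUserName=jsmith LogonType=10 SubStatus=0xC000006A
2025-10-07T03:04:00Z EventID=4624 IpAddress=192.0.2.77 TargetUserName=jsmith LogonType=10 SubStatus=0x0
"""


def parse_line(line):
    """Parse one key=value line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    rec = {"ts": ts}
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")
        if not sep:
            return None
        rec[key] = value
    return rec


def rdp_failures(log_text):
    """Yield only 4625 events whose logon type is RDP-related."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("EventID") == "4625" and rec.get("LogonType") in RDP_LOGON_TYPES:
            yield rec


def analyse(log_text, per_ip_limit=5, enum_users=4, spray_sources=3):
    """Return findings keyed by detection type.

    per_ip_burst: a source IP with >= per_ip_limit failures (fail2ban-style).
    enumeration:  a source IP probing >= enum_users distinct non-existent accounts.
    distributed:  an account attacked from >= spray_sources IPs that each stay
                  below per_ip_limit; per-IP blocking alone misses this pattern.
    """
    by_ip = defaultdict(list)
    by_user = defaultdict(set)
    for rec in rdp_failures(log_text):
        by_ip[rec["IpAddress"]].append(rec)
        by_user[rec["TargetUserName"].lower()].add(rec["IpAddress"])

    findings = {"per_ip_burst": [], "enumeration": [], "distributed": []}
    for ip, recs in by_ip.items():
        if len(recs) >= per_ip_limit:
            findings["per_ip_burst"].append(ip)
        unknown = {r["TargetUserName"].lower() for r in recs
                   if r.get("SubStatus") == SUBSTATUS_NO_SUCH_USER}
        if len(unknown) >= enum_users:
            findings["enumeration"].append(ip)
    for user, ips in by_user.items():
        low_and_slow = [ip for ip in ips if len(by_ip[ip]) < per_ip_limit]
        if len(low_and_slow) >= spray_sources:
            findings["distributed"].append(user)
    return findings


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

On the sample, 203.0.113.5 trips both the burst and the enumeration rule, while the four 198.51.100.x sources hitting the administrator account each send a single attempt and would never reach a per-IP threshold; only the per-account aggregation catches them. In production the same counters should be kept per sliding time window, and the SubStatus split is only meaningful when the host logs it, so treat a stream with no 0xC0000064 entries as missing the enumeration signal rather than as evidence of its absence.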
GreyNoise assesses with high confidence that this activity is orchestrated by a single botnet, based on shared TCP fingerprint characteristics, timing patterns, and attack vectors.
Source
Security Affairs • Oct 14, 2025
Researchers warn of widespread RDP attacks by 100K-node botnet