Massive RDP Botnet Unleashed: 100,000+ IPs in Coordinated Global Scanning Campaign Targeting US
Since the beginning of October, GreyNoise analysts have been tracking one of the largest and most coordinated scanning campaigns against remote access services in the United States. According to their findings, since October 8, 2025, more than 100,000 unique IP addresses from over a hundred countries have taken part in an automated campaign probing Remote Desktop Protocol (RDP) infrastructure, specifically its web-based front ends. Nearly all participating nodes share the same network-level characteristics, which points to centralized control of a single botnet.
The first signs of unusual activity appeared as a sharp spike in traffic originating from Brazil, soon mirrored by similar surges in Argentina, Iran, China, Mexico, South Africa, and several other nations. Despite the global distribution of sources, the overwhelming majority of the traffic is directed at U.S.-based servers, suggesting a highly focused and carefully synchronized campaign.
According to GreyNoise, the botnet operators employ two distinct techniques: an RD Web Access timing attack and RDP Web Client login enumeration. In the first, the attacker submits anonymous authentication requests to the RD Web Access login page and compares response times; because a request naming an existing account is processed differently from one naming a non-existent account, the delay reveals whether the username is valid. In the second, the attacker mass-submits login attempts through the RDP Web Client to separate valid usernames from invalid ones. Neither technique compromises a host on its own: both are reconnaissance that feeds the next stage, password brute-forcing and intrusion, and both work against any exposed RD Web deployment regardless of its location.
Researchers noted that nearly all the observed traffic shares the same TCP fingerprint, differing only in the Maximum Segment Size (MSS) value, which varies by infected device cluster. That consistency points to a single standardized malware component and a central activation mechanism that distributes the scanning load across countries and time zones. The operation is therefore not a series of unrelated scans but a deliberately coordinated network acting as a unified system.
Further analysis confirms that each IP address completed a full TCP three-way handshake with the targeted hosts, which rules out spoofed source addresses and backscatter: the traffic genuinely originated from those machines. It is highly probable that the infected machines belong to a multi-national botnet coordinated through a shared command-and-control infrastructure. The shift from localized probing to global traffic distribution occurred within days, a clear indicator of advance planning and pre-positioned nodes.
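The two observations above, one shared TCP fingerprint with only MSS varying and a completed handshake from every source, translate into a simple analytic that a defender can run over their own flow or packet data. The following is an added example, not GreyNoise's code; the SYN records are constructed sample data, the fingerprint fields (initial TTL, window size, option layout) are the usual passive-fingerprinting tuple, and the cluster threshold is an illustrative assumption.

```python
"""Cluster TCP SYN fingerprints while ignoring MSS, and separate sources that
completed the three-way handshake from those that only sent a SYN.

Added example, not GreyNoise's own tooling. All records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SynRecord:
    src_ip: str
    ttl: int            # initial TTL as observed at the sensor
    window: int         # TCP window size advertised in the SYN
    options: str        # TCP option layout, e.g. "mss,sackOK,ts,nop,wscale"
    mss: int            # Maximum Segment Size option value
    handshake_done: bool  # did SYN / SYN-ACK / ACK complete?


# Constructed sample (assumption, not captured data): four nodes with one
# fingerprint in two MSS "device clusters", one of which never completed the
# handshake, plus one unrelated scanner with a different fingerprint.
SAMPLE = [
    SynRecord("203.0.113.10", 64, 29200, "mss,sackOK,ts,nop,wscale", 1460, True),
    SynRecord("198.51.100.7", 64, 29200, "mss,sackOK,ts,nop,wscale", 1460, True),
    SynRecord("192.0.2.55", 64, 29200, "mss,sackOK,ts,nop,wscale", 1400, True),
    SynRecord("192.0.2.99", 64, 29200, "mss,sackOK,ts,nop,wscale", 1400, False),
    SynRecord("203.0.113.200", 128, 65535, "mss,nop,wscale,nop,nop,sackOK", 1460, True),
]


def fingerprint(rec):
    """Fingerprint key that deliberately leaves MSS out, so nodes whose only
    difference is the per-cluster MSS still collapse into one group."""
    return (rec.ttl, rec.window, rec.options)


def cluster(records):
    """Group sources by MSS-agnostic fingerprint.

    Returns {fingerprint: {"sources": set, "mss_values": set, "completed": set}}.
    """
    out = defaultdict(lambda: {"sources": set(), "mss_values": set(), "completed": set()})
    for r in records:
        c = out[fingerprint(r)]
        c["sources"].add(r.src_ip)
        c["mss_values"].add(r.mss)
        if r.handshake_done:
            c["completed"].add(r.src_ip)
    return dict(out)


def dominant_cluster(records, min_sources=2):
    """Largest fingerprint cluster, or None if it has fewer than min_sources.

    Sources that never completed the handshake are reported separately: a lone
    SYN could carry a spoofed address, a completed handshake cannot.
    """
    clusters = cluster(records)
    fp, c = max(clusters.items(), key=lambda kv: len(kv[1]["sources"]))
    if len(c["sources"]) < min_sources:
        return None
    return {
        "fingerprint": fp,
        "source_count": len(c["sources"]),
        "mss_values": sorted(c["mss_values"]),
        "confirmed_sources": sorted(c["completed"]),
        "unconfirmed_sources": sorted(c["sources"] - c["completed"]),
    }


if __name__ == "__main__":
    print(dominant_cluster(SAMPLE))
```

On the sample this yields one cluster of four sources spanning MSS values 1400 and 1460, with 192.0.2.99 listed as unconfirmed because it never completed the handshake; the second fingerprint (the unrelated scanner) stays in its own group. On real data the fingerprint key should be extended with whatever fields the sensor records, but MSS should stay out of it for exactly the reason GreyNoise describes.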
GreyNoise advises system administrators to scrutinize event logs for anomalies related to RDP connections and anonymous authentication attempts. On an RD Web Access server that typically means the IIS request logs for the /RDWeb/ paths and the Windows Security log, where failed logons (Event ID 4625) showing many distinct usernames from a single source, or the same username tried from many sources, are the signature of enumeration. The company also recommends using its tags "Microsoft RD Web Access Anonymous Authentication Timing Attack Scanner" and "Microsoft RDP Web Client Login Enumeration Check", which are directly associated with this campaign, to identify and block the participating source IPs.
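The log review GreyNoise recommends can be automated. The following is an added example, not GreyNoise's or Microsoft's code: it runs over constructed Windows Security Event ID 4625 (failed logon) records in the shape a SIEM export would present them, using the real 4625 field names TargetUserName and IpAddress. It flags both classic single-source enumeration and the distributed pattern this botnet makes possible, where each of 100,000 nodes makes only one or two attempts and a per-IP threshold never fires. The window and thresholds are illustrative assumptions, and whether the 4625 events land on the RD Web server itself, a gateway, or a domain controller depends on the deployment.

```python
"""Detect RD Web username enumeration in failed-logon (Event ID 4625) records.

Added example, not GreyNoise's or Microsoft's code. Events are constructed;
WINDOW and thresholds are assumptions to tune per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
PER_SOURCE_USERS = 5    # distinct usernames from one IP in WINDOW
PER_USER_SOURCES = 5    # distinct IPs trying one username in WINDOW

# Constructed sample events (not real data).
EVENTS = [
    # One source walking a username list: classic single-source enumeration.
    *[{"TimeCreated": f"2025-10-09T02:1{i}:00", "EventID": 4625, "LogonType": 3,
       "TargetUserName": u, "IpAddress": "203.0.113.10"}
      for i, u in enumerate(["admin", "Administrator", "jsmith", "mjones", "backup", "svc_rdp"])],
    # Distributed: six different sources, one attempt each, same account.
    *[{"TimeCreated": f"2025-10-09T03:0{i}:30", "EventID": 4625, "LogonType": 3,
       "TargetUserName": "CORP\\Administrator", "IpAddress": f"198.51.100.{i}"}
      for i in range(1, 7)],
    # A real user mistyping a password twice; must not be flagged.
    {"TimeCreated": "2025-10-09T08:00:00", "EventID": 4625, "LogonType": 3,
     "TargetUserName": "CORP\\jsmith", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2025-10-09T08:00:20", "EventID": 4625, "LogonType": 3,
     "TargetUserName": "CORP\\jsmith", "IpAddress": "10.0.0.5"},
    # A successful logon (4624) that the detector must ignore.
    {"TimeCreated": "2025-10-09T08:01:00", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "CORP\\jsmith", "IpAddress": "10.0.0.5"},
]


def normalize_user(name):
    """'CORP\\Administrator' and 'administrator' name the same account."""
    return name.rsplit("\\", 1)[-1].lower()


def failed_logons(events):
    """Return (time, user, ip) tuples for 4625 events, sorted by time."""
    rows = []
    for e in events:
        if e.get("EventID") != 4625:
            continue
        rows.append((datetime.fromisoformat(e["TimeCreated"]),
                     normalize_user(e["TargetUserName"]),
                     e["IpAddress"]))
    return sorted(rows)


def _peak_distinct(rows, key_index, value_index, window):
    """For each key, the largest number of distinct values seen inside any
    sliding window of the given length (rows must be time-sorted)."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for row in rows:
        t, key, value = row[0], row[key_index], row[value_index]
        q = recent[key]
        q.append((t, value))
        while q and t - q[0][0] > window:
            q.popleft()
        peak[key] = max(peak[key], len({v for _, v in q}))
    return dict(peak)


def detect_source_enumeration(events, window=WINDOW, threshold=PER_SOURCE_USERS):
    """Source IPs that tried at least `threshold` distinct usernames in one window."""
    peak = _peak_distinct(failed_logons(events), key_index=2, value_index=1, window=window)
    return {ip: n for ip, n in peak.items() if n >= threshold}


def detect_distributed_enumeration(events, window=WINDOW, threshold=PER_USER_SOURCES):
    """Usernames tried from at least `threshold` distinct IPs in one window.
    This is the view that catches a botnet spreading attempts across nodes."""
    peak = _peak_distinct(failed_logons(events), key_index=1, value_index=2, window=window)
    return {user: n for user, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print("per-source:", detect_source_enumeration(EVENTS))
    print("distributed:", detect_distributed_enumeration(EVENTS))
```

On the sample, the per-source view flags only 203.0.113.10 (six usernames in five minutes), while the distributed view flags "administrator" (six sources in six minutes) even though no single 198.51.100.x address exceeds one attempt. The legitimate user on 10.0.0.5 and the 4624 event are ignored. The same two aggregations apply unchanged to IIS log lines for the RD Web Client login endpoint once the username is available from the request.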
The situation remains fluid. As new intelligence emerges, GreyNoise has pledged to release updated signatures and indicators of compromise, enabling more precise identification of the participating hosts and reducing the risk of corporate system compromise.