The 21 Phantom Servers: How a Handful of IP Addresses Briefly Dominated Global RDP Scanning
A small cluster of servers reshaped the map of internet reconnaissance in about a day. According to GreyNoise data, just twenty-one IP addresses generated nearly half of all RDP scanning observed over a three-day window, and at the peak they accounted for two-thirds of it. The surge was followed almost immediately by near-total silence, and it is that volatility that makes the episode worth attention.
GreyNoise recorded that on April 7, 2026, these twenty-one addresses generated 1.86 million RDP Crawler sessions, 67.4% of the global volume for that classification. Over the broader window of April 5 to April 7, the group's share was 49.7%. By comparison, the rest of the internet needed 3,644 distinct sources to produce a comparable volume over the same interval.
The activity targets RDP (Remote Desktop Protocol), the standard remote-access protocol for Windows environments. Attackers mass-scan to find hosts that expose it to the internet, then typically move to brute-force or password-spraying attacks against any open service. For corporate networks, internet-exposed RDP has long been one of the most dangerous exposures and a well-documented initial-access path for ransomware operators, which is why the concentration of so much scanning power in so few addresses stands out.
All twenty-one IP addresses sit in AS213438, which RIPE WHOIS associates with ColocaTel Inc. The address space is concentrated in the Netherlands, in Amsterdam and Lelystad. GreyNoise observed that the activity came largely from four /24 network blocks. Within twenty-four hours, traffic from AS213438 grew roughly eleven-fold, from 180,000 to more than 2 million sessions, then collapsed almost as quickly. By April 8 the volume had fallen by 99.9%, and by April 9 RDP scanning from this group had stopped entirely.
GreyNoise saw a strikingly similar pattern in March, when AS213438 abruptly became one of the most prominent scanning sources before going quiet. In April the pattern repeated almost exactly, but with a narrower focus: about 85% of the activity in the recent spike was classified as RDP Crawler, and roughly 88% once other RDP-related tags are included.
The geography of RDP scanning shifted with it. Romania has historically been the top source of RDP scanning, but in early April the Netherlands briefly took the lead. The Dutch share rose from 7.17% to 53.86%, while Romania's fell from 29.89% to 15.78%. Romanian volume did not drop in absolute terms; the Dutch segment simply grew so fast that it redrew the global shares.
GreyNoise is explicit that it does not attribute this activity to a specific threat actor, and it draws no conclusions about whether any real systems were compromised. Its sensors see only the inbound tide of scanning, brute-force attempts and similar activity across the public internet. Even so, the surge-collapse-pause-repeat pattern is a useful signal for defenders, particularly organizations that still expose RDP directly. The practical checks are the familiar ones: confirm that no host answers on TCP 3389 from the internet without a VPN or remote desktop gateway in front of it, require Network Level Authentication and MFA wherever RDP must stay reachable, enforce account lockout against brute force, and watch perimeter logs for a sudden concentration of connection attempts from a small set of prefixes or a single ASN, since a spike like this one is most visible at the moment the shares flip.
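The concentration-plus-surge pattern GreyNoise describes can be checked against your own perimeter logs. The following is an added example, not GreyNoise's tooling and not code from the article: it parses constructed firewall deny lines (the log format, the destination host and the 100.64.0.0/10 source addresses are all assumptions) into per-day hit counts by source /24, then flags any day on which a few prefixes carry most of the RDP attempts while total volume also jumps sharply over the previous day.

```python
"""Flag days when a handful of /24 prefixes dominate RDP connection attempts.

Added example, not GreyNoise tooling. Assumes firewall deny logs in the
constructed format "<YYYY-MM-DD> DENY tcp src=<ip> dst=<ip> dport=<port>".
"""
from collections import Counter, defaultdict
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) DENY tcp "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dst=\S+ dport=(?P<dport>\d+)$"
)


def build_sample_logs():
    """Constructed log lines (sources drawn from 100.64.0.0/10, not real scanners).

    2026-04-06: background noise, 12 hits from 12 different /24s.
    2026-04-07: same background plus 60 hits from just four /24s.
    2026-04-08: the four prefixes go silent, background only.
    Non-RDP denies are mixed in to exercise the port filter.
    """
    lines = []
    for day in ("2026-04-06", "2026-04-07", "2026-04-08"):
        for i in range(12):
            lines.append(f"{day} DENY tcp src=100.64.{i}.7 dst=198.51.100.10 dport=3389")
        lines.append(f"{day} DENY tcp src=100.64.200.5 dst=198.51.100.10 dport=22")
    for j in range(4):
        for n in range(1, 16):
            lines.append(f"2026-04-07 DENY tcp src=100.70.{j}.{n} dst=198.51.100.10 dport=3389")
    return lines


def parse_rdp_hits(lines, dport=3389):
    """Return {date: Counter{/24 prefix: hits}} for attempts against dport."""
    per_day = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != dport:
            continue
        prefix = ipaddress.ip_network(f"{m['src']}/24", strict=False)
        per_day[m["date"]][str(prefix)] += 1
    return dict(per_day)


def top_share(counter, k):
    """Fraction of a day's hits produced by its k busiest prefixes."""
    total = sum(counter.values())
    if total == 0:
        return 0.0
    return sum(c for _, c in counter.most_common(k)) / total


def detect_surge(per_day, k=4, share_threshold=0.5, growth_threshold=5.0):
    """Flag days where k prefixes carry >= share_threshold of all hits AND
    total volume grew >= growth_threshold over the previous observed day.

    Returns a list of (date, total_hits, top_k_share, growth, prefixes).
    """
    alerts = []
    prev_total = None
    for day in sorted(per_day):
        counter = per_day[day]
        total = sum(counter.values())
        share = top_share(counter, k)
        growth = total / prev_total if prev_total else None
        if growth is not None and share >= share_threshold and growth >= growth_threshold:
            prefixes = [p for p, _ in counter.most_common(k)]
            alerts.append((day, total, round(share, 3), round(growth, 1), prefixes))
        prev_total = total
    return alerts


if __name__ == "__main__":
    hits = parse_rdp_hits(build_sample_logs())
    for day in sorted(hits):
        print(day, sum(hits[day].values()), "hits, top-4 share", round(top_share(hits[day], 4), 3))
    for day, total, share, growth, prefixes in detect_surge(hits):
        print(f"ALERT {day}: {total} hits, {share:.0%} from {prefixes}, {growth}x day-over-day")
```

On the constructed data only 2026-04-07 trips the alert: 72 hits, 83% of them from four prefixes, six times the previous day's volume. The thresholds are starting points, not GreyNoise's; tune `k` to the number of prefixes you would treat as "a single operator" and `growth_threshold` to your own day-to-day variance, and consider grouping by ASN rather than /24 where your log source carries that field.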