Inside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations
Jan. 15, 2026, 11:31 a.m.
Description
RedVDS, a virtual dedicated server provider, has been utilized by multiple financially motivated threat actors for business email compromise, phishing, account takeover, and financial fraud. The service offers inexpensive Windows-based RDP servers with full administrator control, attracting cybercriminals worldwide. Microsoft's investigation revealed a global network targeting multiple sectors across various countries. RedVDS uses a single, cloned Windows host image, leaving unique technical fingerprints. The service operates through cryptocurrency payments and supports various digital currencies. Microsoft's analysis uncovered the infrastructure, provisioning methods, and tools deployed on RedVDS hosts, including mass mailers, email harvesters, privacy tools, and automation scripts.
Tags
Date
- Created: Jan. 14, 2026, 7:24 p.m.
- Published: Jan. 14, 2026, 7:24 p.m.
- Modified: Jan. 15, 2026, 11:31 a.m.
Indicators
- https://rd.redvds.com
Additional Information
- Education
- Legal
- Manufacturing
- Real Estate
- Healthcare
- rd.redvds.com
- redvdspanel.space
- redvds.com
- redvds.pro
- Australia
- United Kingdom of Great Britain and Northern Ireland
- Germany
- Canada
- France
- United States of America