Tag: rdp

18 Attack Reports | 0 Vulnerabilities

Attack reports

Unmasking an Attack Chain of MuddyWater

An intrusion attributed to MuddyWater, an Iranian-linked APT, was identified in a customer environment. The attack involved initial access through RDP, establishing an SSH tunnel, and deploying malware via DLL side-loading. The threat actor used FMAPP.exe, a legitimate Fortemedia Inc. application, …
apt
rdp
dll side-loading
ssh tunnel
2026-03-07
fmapp.dll
iranian
Published: March 7, 2026
Downloadable IOCs: 5

Nefilim Ransomware

Nefilim ransomware emerged in March 2020, evolving from Nemty's code. It targets vulnerabilities in Citrix gateway devices and uses exposed Remote Desktop Protocol for initial access. The malware exfiltrates sensitive data before encryption and threatens to publish it if ransom isn't paid. Nefilim …
ransomware
encryption
credential theft
lateral movement
rdp
data exfiltration
CVE-2019-19781
nefilim
2026-02-24
aes-128
citrix
CVE-2019-11634
nemty
netwalker
Published: February 24, 2026
Downloadable IOCs: 14

Apache ActiveMQ Exploit Leads to LockBit Ransomware

A threat actor exploited CVE-2023-46604 on an exposed Apache ActiveMQ server, gaining initial access and later returning after being evicted. The attacker used Metasploit for post-exploitation activities, including privilege escalation, credential access, and lateral movement. Upon regaining access…
ransomware
lockbit
credential theft
lateral movement
rdp
metasploit
CVE-2023-46604
apache activemq
2026-02-23
Published: February 23, 2026
Downloadable IOCs: 3

Cat's Got Your Files: Lynx Ransomware

A threat actor gained initial access to a network via RDP using compromised credentials, likely obtained through an infostealer, data breach, or initial access broker. They quickly moved laterally to a domain controller, created multiple impersonation accounts with high privileges, and installed An…
ransomware
lateral movement
rdp
backup deletion
data exfiltration
lynx ransomware
credential abuse
2025-11-17
network reconnaissance
Published: November 17, 2025
Downloadable IOCs: 7

Kawabunga, Dude, You've Been Ransomed!

A new ransomware variant called KawaLocker (KAWA4096) was recently observed in an attack. The threat actor gained initial access via RDP using a compromised account and employed various tools to disable security measures. HRSword, a monitoring tool, was deployed along with kernel drivers sysdiag.sy…
ransomware
encryption
rdp
psexec
kawa4096
2025-08-15
hrsword
kawalocker
Published: August 15, 2025
Downloadable IOCs: 5

Getting to the Crux (Ransomware) of the Matter

A new ransomware variant named Crux has been identified, claiming association with the BlackByte group. Observed in three separate incidents, Crux encrypts files with a .crux extension and leaves ransom notes. Initial access appears to involve Remote Desktop Protocol (RDP) using valid credentials. …
ransomware
rclone
rdp
svchost
data exfiltration
process injection
2025-07-21
bcdedit
crux
Published: July 21, 2025
Downloadable IOCs: 3

Hide Your RDP: Password Spray Leads to RansomHub Deployment

This report details a cyberattack where threat actors gained initial access through a password spray attack on an exposed RDP server. They used Mimikatz and Nirsoft for credential harvesting, and employed living-off-the-land techniques along with tools like Advanced IP Scanner for network discovery…
ransomware
credential theft
lateral movement
rdp
ransomhub
mimikatz
data exfiltration
password spray
living-off-the-land
2025-06-30
Published: June 30, 2025
Downloadable IOCs: 9

Ransomware Initial Access Brokers Exposed

An investigation into a brute force attack on an exposed Remote Desktop server led to the discovery of a larger ransomware ecosystem, particularly initial access brokers. The attack began with domain enumeration and successful compromise of an account from multiple IP addresses. The threat actor's …
ransomware
credential harvesting
rdp
vpn
blacksuit
infrastructure
brute force
initial access brokers
2025-04-11
hive
domain enumeration
Published: April 11, 2025
Downloadable IOCs: 0

Confluence Exploit Leads to LockBit Ransomware

An intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, leading to LockBit ransomware deployment across the environment. The threat actor utilized various tools including Mimikatz, Metasploit, and AnyDesk. They leveraged RDP for lateral movement and deplo…
ransomware
lockbit
exfiltration
credential theft
lateral movement
rdp
CVE-2023-22527
confluence
2025-02-24
Published: February 24, 2025
Linked vulnerabilities : CVE-2017-0199, CVE-2023-22515, CVE-2023-22527, CVE-2023-22518
Downloadable IOCs: 15

Play Ransomware impersonates SentinelOne for stealth recon

A Play ransomware attack involving a reconnaissance tool called Grixba was detected and prevented. The attack began with the deployment of Grixba via RDP to a Windows server. The Grixba file was disguised as legitimate SentinelOne software, a new tactic for the group. Grixba is an obfuscated .NET-b…
obfuscation
ransomware
.net
rdp
reconnaissance
grixba
play
2025-01-17
sentinelone impersonation
xor encryption
Published: January 17, 2025
Downloadable IOCs: 4

Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger)

The Andariel group has been targeting various South Korean software solutions, particularly asset management and document management systems. Recent attacks involve the installation of SmallTiger malware, often through exploiting vulnerabilities in outdated software versions. In asset management so…
south korea
rdp
smalltiger
keylogger
web shell
2024-12-31
modeloader
document management
asset management
Published: December 31, 2024
Downloadable IOCs: 5

Unwrapping the emerging Interlock ransomware attack

A new ransomware group called Interlock has emerged, targeting various sectors with big-game hunting and double extortion attacks. The group uses a sophisticated delivery chain including a RAT disguised as a browser updater, PowerShell scripts, credential stealers, and keyloggers. They primarily mo…
rat
ransomware
azure
rdp
keylogger
double-extortion
rhysida
2024-11-07
credential-stealer
interlock
Published: November 7, 2024
Downloadable IOCs: 2

Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files

On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Z…
backdoor
phishing
russia
campaign
rdp
2024-10-30
remote desktop
apt29
midnight blizzard
unc2452
cozy bear
hustlecon
Published: October 30, 2024
Downloadable IOCs: 281

Unauthorized RDP Connections For Cyberespionage Operations

Cyble Research and Intelligence Labs uncovered an ongoing cyberattack campaign utilizing malicious LNK files to gain unauthorized Remote Desktop access on compromised systems. The sophisticated multi-stage attack chain employs PowerShell and BAT scripts to evade detection, create administrative acc…
powershell
persistence
credential theft
cyberespionage
rdp
multi-stage attack
uac bypass
2024-10-26
bat scripts
chromepass
Published: October 26, 2024
Downloadable IOCs: 0

Malicious RDP Files Identified in Latest Attack on Ukrainian Entities

CERT-UA has uncovered a new malicious email campaign targeting Ukrainian government agencies, enterprises, and military entities. The campaign uses RDP configuration files to establish remote connections, enabling data theft and further malware deployment. Attributed to UAC-0215 and linked to APT29…
phishing
apt28
ukraine
rdp
aws
2024-10-26
uac-0218
uac-0215
domain seizure
homesteel
cert-ua
Published: October 26, 2024
Downloadable IOCs: 0

Aiming at domestic government and enterprises! Deeply revealed ransomware operator Rast gang

A new ransomware threat, dubbed Rast, has emerged targeting Chinese government and enterprises since December 2023. Written in Rust, Rast has infected over 6,800 terminals, successfully encrypting more than 5,700. The Rast gang, named after the ransomware, operates primarily between 20:00 and 05:00…
ransomware
china
government
rust
rdp
phobos
2024-09-30
globeimposter
mysql
gandcrab
buran
nday
rast
enterprises
Published: September 30, 2024
Downloadable IOCs: 21

Bondnet Using High-Performance Bots For C2 Server

Security researchers at ASEC have discovered that a threat actor is using high-performance bots to turn compromised systems into their central server (C2) servers, using tools such as the Cloudflare tunneling client.
rdp
2024-06-17
cloudflare
bot net
hfs
bondnet
Published: June 17, 2024
Downloadable IOCs: 27

Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors

This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
ransomware
coinminer
botnet
2024-06-06
rdp
phobos
havex
backdoor.oldrea
proxy
Published: June 6, 2024
Downloadable IOCs: 34
Click here to see more Attack Reports