Microsoft RDP US-only scan-wave campaign

Type: Campaign · Happening score: 33 · 1 unique source, 1 article

Summary

A coordinated RDP scanning campaign hit Microsoft Remote Desktop Protocol services in two waves on Aug. 21 and Aug. 24, 2025, raising the risk of credential-based intrusions against exposed endpoints. The probes targeted RD Web Access and RDP Web Client authentication portals and came from nearly 2,000 IPs in the first surge and more than 30,000 in the second. Both waves were US-only, with the pattern pointing to possible interest in the education sector and a likely single operator or centrally controlled botnet. Organizations with exposed RDP should treat the activity as a warning sign for follow-on password spraying or credential stuffing.

Timeline

  1. 26.08.2025 22:56 · 1 article

    Aug. 21 RDP scan wave against Microsoft services

    Campaign Scope Update

    GreyNoise flagged a malicious RDP scanning wave on Aug. 21 against Microsoft Remote Desktop Protocol services, with nearly 2,000 IP addresses probing Microsoft RD Web Access and Microsoft RDP Web Client authentication portals. The activity was overwhelmingly from known malicious IPs, far above GreyNoise's usual three-to-five-IP daily baseline, and it targeted US endpoints in a way that suggested preparation for credential-based intrusions.

  2. 26.08.2025 22:56 · 1 article

    Aug. 24 follow-on RDP scan wave

    Campaign Scope Update

    Researchers identified a second, much larger RDP scanning wave on Aug. 24 against Microsoft Remote Desktop Protocol services. The follow-on activity reinforced the assessment that the scans were part of a targeted campaign focused on US endpoints and exposed RDP infrastructure.

  3. 26.08.2025 22:56 · 1 article

    GreyNoise discloses malicious RDP scan campaign

    Initial Disclosure

    GreyNoise's public disclosure described Microsoft Remote Desktop Protocol services as having been hit with malicious scans from tens of thousands of IP addresses in recent days and warned that the pattern could be a precursor to a new zero-day vulnerability. Stone said the scans could enable password spraying or credential stuffing against exposed RDP endpoints, and that the US-only targeting could especially affect education organizations during the back-to-school window.