
Multi-country botnet RDP reconnaissance campaign targeting U.S. services

Campaign
First reported
Last updated
Happening score (H score): 33
1 unique source, 1 article

Summary


A multi-country botnet launched a large-scale RDP reconnaissance campaign against U.S. services, using timing attacks and login enumeration to infer valid accounts. The activity began on October 8 and involved traffic from more than 100,000 IP addresses, making it a broad and distributed operation. Researchers linked the source infrastructure to more than 100 countries, indicating a coordinated botnet rather than isolated probing. The behavior increases the risk of account discovery and follow-on access attempts against exposed RDP endpoints.

Related Happenings

Residential proxy traffic evades IP reputation feeds across malicious edge sessions

Target Trend
First: 02.04.2026 18:21 Last: 02.04.2026 18:21 Sources 1

About this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...

Cisco SSL VPN and GlobalProtect credential-probing campaign

Campaign
First: 18.12.2025 06:10 Last: 18.12.2025 06:10 Sources 1

About this happening: A **coordinated credential-based campaign** is now probing **Cisco SSL VPN** and **Palo Alto Networks GlobalProtect** portals at scale, raising the risk of unauthorized access att...

Palo Alto GlobalProtect login-attempt and SonicWall SonicOS scanning campaign

Campaign
First: 06.12.2025 17:18 Last: 06.12.2025 17:18 Sources 1

About this happening: A **credential-based campaign** is hitting **Palo Alto GlobalProtect portals** and **SonicWall SonicOS API endpoints**, creating broad reconnaissance risk across remote-access and...

Unattributed coordinated scanners linked across related activity clusters campaign shows victim surge

Campaign
First: 20.11.2025 19:08 Last: 20.11.2025 19:08 Sources 1

About this happening: A coordinated **malicious scanning campaign** against **Palo Alto Networks GlobalProtect** VPN login portals surged **40x** in 24 hours, pushing activity to a **90-day high**. Gre...

GreyNoise sees 500% surge in scanning against Palo Alto Networks login portals

Target Trend
First: 06.10.2025 13:00 Last: 06.10.2025 13:00 Sources 1

About this happening: **GreyNoise** says **Palo Alto Networks GlobalProtect** VPN login portals saw a **40x surge** in malicious scanning beginning **November 14, 2025**, reaching a **90-day high** wit...

Timeline

  1. 13.10.2025 21:05 2 articles · 7mo ago

    Multi-country botnet begins RDP reconnaissance against U.S. services

    Campaign Scope Update

    A multi-country botnet begins large-scale probing of Remote Desktop Protocol (RDP) services in the United States from more than 100,000 IP addresses, using RD Web Access timing attacks and RDP web client login enumeration to infer valid usernames and enumerate user accounts.

  2. 13.10.2025 21:05 1 article · 7mo ago

    GreyNoise identifies the RDP botnet and its distributed footprint

    Initial Disclosure

    GreyNoise identifies a large-scale botnet targeting Remote Desktop Protocol (RDP) services in the United States and links the activity to an unusual traffic spike from Brazil followed by activity from Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador. The botnet relies on RD Web Access timing attacks and RDP web client login enumeration to infer valid usernames and enumerate user accounts.
