RedVDS Cybercrime-as-a-Service Disrupted by Microsoft
Summary
Microsoft, in coordination with legal partners in the US and UK, has disrupted RedVDS, a cybercriminal subscription service that facilitated phishing and fraud campaigns. RedVDS sold cheap, effective and disposable virtual computers running unlicensed software, letting cybercriminals operate anonymously. Campaigns run from RedVDS infrastructure caused over $40 million in losses in the US alone since March 2025, and nearly 190,000 organizations worldwide were identified as victims. Criminals using the service employed AI to tailor phishing and business email compromise (BEC) scams, including deepfake videos and voice cloning to impersonate individuals. The disruption involved legal action in the US and UK, supported by international law enforcement, including Europol. Microsoft emphasized the importance of reporting cybercrime to help dismantle such networks and protect potential victims.

RedVDS was founded in 2017 and initially operated over Discord, ICQ and Telegram; its website launched in 2019. Rather than running its own infrastructure, it rented servers from third-party hosting providers across multiple countries. The service was used for credential theft, account takeovers, BEC and real estate payment diversion scams. In one month, cybercriminals using RedVDS sent an average of 1 million phishing messages per day to Microsoft customers alone, and nearly 200,000 Microsoft accounts were compromised over the last four months. RedVDS was advertised as a way to 'increase your productivity and work from home with comfort and ease.' A reseller panel let customers create sub-users and delegate server management without sharing access to the main site. The service kept no activity logs, which made it attractive for illicit use. Toolkits hosted on RedVDS mixed malicious and dual-use software: mass spam/phishing email tools, email address harvesters, privacy and OPSEC tools, and remote access tools.
RedVDS provisioned instances on demand by cloning a single Windows Server 2022 image under QEMU (Quick Emulator) with VirtIO drivers. Its Terms of Service nevertheless prohibited customers from sending phishing emails, distributing malware, transferring illegal content, scanning systems for security vulnerabilities, or engaging in denial-of-service (DoS) attacks.
Timeline
- 14.01.2026 18:32 · 3 articles
RedVDS Cybercrime-as-a-Service Disrupted by Microsoft
On January 14, 2026, Microsoft, in coordination with legal partners in the US and UK, disrupted RedVDS, a cybercriminal subscription service that facilitated phishing and fraud campaigns, in an action backed by international law enforcement including Europol. Campaigns run from RedVDS infrastructure caused over $40 million in losses in the US alone since March 2025 and hit nearly 190,000 organizations worldwide; in one month, RedVDS customers sent an average of 1 million phishing messages per day to Microsoft customers alone, compromising nearly 200,000 Microsoft accounts over the last four months. Reporting published on 14 and 15 January adds operational detail: RedVDS, founded in 2017 on Discord, ICQ and Telegram with a website launched in 2019, rented servers from third-party hosting providers in the US, UK, France, Canada, the Netherlands and Germany; kept no activity logs; offered a reseller panel for creating sub-users who could manage servers without access to the main site; provisioned instances on demand by cloning a single Windows Server 2022 image under QEMU with VirtIO drivers; and hosted toolkits of mass spam/phishing mailers, email address harvesters, privacy and OPSEC tools and remote access tools used in credential theft, account takeovers, business email compromise (BEC) and real estate payment diversion scams. Criminals using the service employed AI-generated deepfake video and voice cloning to tailor phishing and BEC lures, while RedVDS advertised itself as a way to 'increase your productivity and work from home with comfort and ease.'
Its Terms of Service nevertheless prohibited customers from sending phishing emails, distributing malware, transferring illegal content, scanning systems for security vulnerabilities, or engaging in denial-of-service (DoS) attacks.
Sources:
- Criminal Subscription Service Behind AI-Powered Cyber-Attacks Taken Out By Microsoft — www.infosecurity-magazine.com — 14.01.2026 18:32
- Microsoft disrupts massive RedVDS cybercrime virtual desktop service — www.bleepingcomputer.com — 15.01.2026 09:11
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
Information Snippets
- RedVDS offered cybercrime-as-a-service tools for phishing and fraud campaigns, costing victims over $40 million in the US since March 2025.
  First reported: 14.01.2026 18:32 · 3 sources, 3 articles. Sources:
- Criminal Subscription Service Behind AI-Powered Cyber-Attacks Taken Out By Microsoft — www.infosecurity-magazine.com — 14.01.2026 18:32
- Microsoft disrupts massive RedVDS cybercrime virtual desktop service — www.bleepingcomputer.com — 15.01.2026 09:11
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
- Nearly 190,000 organizations worldwide were identified as victims of RedVDS-supported campaigns.
  First reported: 14.01.2026 18:32 · 3 sources, 3 articles. Sources:
- Criminal Subscription Service Behind AI-Powered Cyber-Attacks Taken Out By Microsoft — www.infosecurity-magazine.com — 14.01.2026 18:32
- Microsoft disrupts massive RedVDS cybercrime virtual desktop service — www.bleepingcomputer.com — 15.01.2026 09:11
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
- RedVDS provided cheap, effective, and disposable virtual computers running unlicensed software, enabling anonymous cybercriminal operations.
  First reported: 14.01.2026 18:32 · 3 sources, 3 articles. Sources:
- Criminal Subscription Service Behind AI-Powered Cyber-Attacks Taken Out By Microsoft — www.infosecurity-magazine.com — 14.01.2026 18:32
- Microsoft disrupts massive RedVDS cybercrime virtual desktop service — www.bleepingcomputer.com — 15.01.2026 09:11
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
- Criminals running campaigns from RedVDS infrastructure used AI to tailor phishing and BEC scams, including deepfake videos and voice cloning to impersonate individuals.
  First reported: 14.01.2026 18:32 · 3 sources, 3 articles. Sources:
- Criminal Subscription Service Behind AI-Powered Cyber-Attacks Taken Out By Microsoft — www.infosecurity-magazine.com — 14.01.2026 18:32
- Microsoft disrupts massive RedVDS cybercrime virtual desktop service — www.bleepingcomputer.com — 15.01.2026 09:11
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
- The disruption of RedVDS involved legal action in the US and UK, supported by international law enforcement, including Europol.
  First reported: 14.01.2026 18:32 · 3 sources, 3 articles. Sources:
- Criminal Subscription Service Behind AI-Powered Cyber-Attacks Taken Out By Microsoft — www.infosecurity-magazine.com — 14.01.2026 18:32
- Microsoft disrupts massive RedVDS cybercrime virtual desktop service — www.bleepingcomputer.com — 15.01.2026 09:11
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
- Microsoft praised victims for their cooperation, which aided the disruptive action against RedVDS.
  First reported: 14.01.2026 18:32 · 1 source, 1 article. Sources:
- Criminal Subscription Service Behind AI-Powered Cyber-Attacks Taken Out By Microsoft — www.infosecurity-magazine.com — 14.01.2026 18:32
- Microsoft recommended reporting cybercrime to help dismantle networks like RedVDS and prevent future attacks.
  First reported: 14.01.2026 18:32 · 2 sources, 2 articles. Sources:
- Criminal Subscription Service Behind AI-Powered Cyber-Attacks Taken Out By Microsoft — www.infosecurity-magazine.com — 14.01.2026 18:32
- Microsoft disrupts massive RedVDS cybercrime virtual desktop service — www.bleepingcomputer.com — 15.01.2026 09:11
- RedVDS has run its website since 2019 (the service itself dates to 2017) on the domains redvds[.]com, redvds[.]pro, and vdspanel[.]space.
  First reported: 15.01.2026 09:11 · 2 sources, 2 articles. Sources:
- Microsoft disrupts massive RedVDS cybercrime virtual desktop service — www.bleepingcomputer.com — 15.01.2026 09:11
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
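The three domains above are the only concrete indicators the reporting gives. As an added example (not part of the original articles or of any Microsoft material), the following Python refangs that indicator list and matches it against DNS and proxy log lines. The log format and the sample lines are constructed for illustration; the domains are the ones reported. Matching is on exact domain or subdomain, not substring, so a look-alike such as notredvds.com is not a hit.

```python
"""Match defanged domain IOCs against log lines.

Added example; the log layout and sample lines below are constructed,
not real telemetry. The IOC domains are the three reported for RedVDS.
"""
from __future__ import annotations

import re
from typing import Iterable

# Indicators exactly as published (defanged with [.]).
REDVDS_IOCS_DEFANGED = ["redvds[.]com", "redvds[.]pro", "vdspanel[.]space"]


def refang(indicator: str) -> str:
    """Undo common defanging: 'example[.]com', 'example(.)com', 'hxxp://'."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp", "http", s)


def domain_matches(hostname: str, ioc_domain: str) -> bool:
    """True when hostname equals the IOC domain or is a subdomain of it.

    Plain substring matching would wrongly flag 'notredvds.com'.
    """
    h = hostname.lower().rstrip(".")
    return h == ioc_domain or h.endswith("." + ioc_domain)


# Assumed (constructed) log layout: a 'query=' field for DNS lines and a
# 'host=' field for proxy lines.
HOST_RE = re.compile(r"(?:query|host)=([A-Za-z0-9.-]+)")


def scan_logs(lines: Iterable[str],
              iocs_defanged: list[str] = REDVDS_IOCS_DEFANGED) -> list[tuple[str, str]]:
    """Return (matched_ioc, log_line) for every line whose host field hits an IOC."""
    iocs = [refang(i) for i in iocs_defanged]
    hits: list[tuple[str, str]] = []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        for ioc in iocs:
            if domain_matches(host, ioc):
                hits.append((ioc, line))
                break
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2026-01-13T09:14:02Z dns client=10.0.4.21 query=panel.redvds.com type=A",
    "2026-01-13T09:14:05Z proxy client=10.0.4.21 host=redvds.pro path=/login status=200",
    "2026-01-13T09:15:11Z dns client=10.0.4.22 query=notredvds.com type=A",
    "2026-01-13T09:16:40Z proxy client=10.0.4.30 host=vdspanel.space path=/ status=302",
    "2026-01-13T09:17:00Z dns client=10.0.4.23 query=login.microsoftonline.com type=A",
]

if __name__ == "__main__":
    for ioc, line in scan_logs(SAMPLE_LOGS):
        print(f"HIT {ioc}: {line}")
```

Run against the sample lines, the scan reports three hits (panel.redvds.com, redvds.pro and vdspanel.space) and ignores both the look-alike and the legitimate Microsoft login host. Adapt HOST_RE to whatever field your own DNS or proxy logs carry the queried name in.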
- RedVDS rented servers from third-party hosting providers across multiple countries, including the US, UK, France, Canada, the Netherlands, and Germany, so the phishing traffic originated from ordinary commercial hosting ranges in Western jurisdictions rather than from infrastructure the operators owned.
  First reported: 15.01.2026 09:11 · 1 source, 1 article. Sources:
- Microsoft disrupts massive RedVDS cybercrime virtual desktop service — www.bleepingcomputer.com — 15.01.2026 09:11
- RedVDS customers deployed a wide range of malware and malicious tools, including mass-mailing utilities, email address harvesters, privacy tools, and remote-access software.
  First reported: 15.01.2026 09:11 · 1 source, 1 article. Sources:
- Microsoft disrupts massive RedVDS cybercrime virtual desktop service — www.bleepingcomputer.com — 15.01.2026 09:11
- RedVDS servers were used in credential theft, account takeovers, business email compromise (BEC) attacks, and real estate payment diversion scams.
  First reported: 15.01.2026 09:11 · 2 sources, 2 articles. Sources:
- Microsoft disrupts massive RedVDS cybercrime virtual desktop service — www.bleepingcomputer.com — 15.01.2026 09:11
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
- In one month, cybercriminals using RedVDS sent an average of 1 million phishing messages per day to Microsoft customers alone, compromising nearly 200,000 Microsoft accounts over the last four months.
  First reported: 15.01.2026 09:11 · 2 sources, 2 articles. Sources:
- Microsoft disrupts massive RedVDS cybercrime virtual desktop service — www.bleepingcomputer.com — 15.01.2026 09:11
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
- RedVDS was advertised as a way to 'increase your productivity and work from home with comfort and ease.'
  First reported: 15.01.2026 11:37 · 1 source, 1 article. Sources:
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
- RedVDS was founded in 2017 and initially operated on Discord, ICQ, and Telegram; its website launched in 2019.
  First reported: 15.01.2026 11:37 · 1 source, 1 article. Sources:
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
- RedVDS provided a reseller panel for creating sub-users and granting them access to manage servers without sharing access to the main site.
  First reported: 15.01.2026 11:37 · 1 source, 1 article. Sources:
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
- RedVDS kept no activity logs, making it an attractive choice for illicit use.
  First reported: 15.01.2026 11:37 · 1 source, 1 article. Sources:
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
- RedVDS was used to host a toolkit of both malicious and dual-use software, including mass spam/phishing email tools, email address harvesters, privacy and OPSEC tools, and remote access tools.
  First reported: 15.01.2026 11:37 · 1 source, 1 article. Sources:
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
- RedVDS provisioned Windows instances on demand by cloning a single Windows Server 2022 image under QEMU (Quick Emulator) with VirtIO drivers.
  First reported: 15.01.2026 11:37 · 1 source, 1 article. Sources:
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
- RedVDS's Terms of Service prohibited customers from sending phishing emails, distributing malware, transferring illegal content, scanning systems for security vulnerabilities, or engaging in denial-of-service (DoS) attacks.
  First reported: 15.01.2026 11:37 · 1 source, 1 article. Sources:
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37
Similar Happenings
International Law Enforcement Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations
Law enforcement agencies from 11 countries, coordinated by Europol and Eurojust, disrupted the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet as part of Operation Endgame 3.0. The action, which took place between November 10 and 13, 2025, seized over 1,000 servers and 20 domains, led to the arrest of a key suspect in Greece, and uncovered millions of stolen credentials; multiple private cybersecurity partners took part. The dismantled infrastructure controlled hundreds of thousands of infected computers, and the main suspect behind Rhadamanthys had access to over 100,000 crypto wallets worth millions of euros. Victims were often unaware that their systems were infected. The latest Rhadamanthys version had added collection of device and web browser fingerprints along with several mechanisms to fly under the radar. Separately, Dutch police seized around 250 physical servers and thousands of virtual servers belonging to a bulletproof hosting service implicated in over 80 cybercrime investigations since 2022; the servers were located in data centers in The Hague and Zoetermeer.
Oyster Malware Distributed via Fake Microsoft Teams Installers
A malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. Users searching for 'Teams download' are led to a fake site mimicking Microsoft's official download page, where they are offered a malicious MSTeamsSetup.exe instead of the legitimate client; the campaign was first disclosed by Blackpoint Cyber in September 2025. The installer, signed with legitimate code-signing certificates, drops a DLL into the user's %APPDATA% (AppData\Roaming) folder and creates a scheduled task for persistence. Oyster, also known as Broomstick and CleanUpLoader, gives attackers remote access to corporate networks for command execution, payload deployment, and file transfers, and has been linked to multiple campaigns and ransomware operations, including Rhysida. In October 2025 Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks by Vanilla Tempest (also tracked as VICE SPIDER and Vice Society), a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The threat actor used the Trusted Signing, SSL.com, DigiCert, and GlobalSign code-signing services to sign the malicious installers and other post-compromise tools.
RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare
The RaccoonO365 phishing-as-a-service (PhaaS) network, run by a financially motivated group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare in September 2025. The operation, executed through a court order in the Southern District of New York, seized 338 domains the group had used since July 2024. The service automated the creation of fake Microsoft login pages for credential theft, targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and was responsible for at least 5,000 Microsoft 365 account compromises; the stolen credentials fed further business email compromise, financial fraud, data breaches, and ransomware attacks. Subsequently, the Nigeria Police Force National Cybercrime Centre (NPF-NCCC), acting on intelligence from Microsoft shared via the FBI, arrested three individuals and seized laptops, mobile devices, and other digital equipment linked to the operation. It is unclear whether the disruption operation itself helped identify the suspects.
One of the arrested suspects, Okitipi Samuel, also known online as 'RaccoonO365' and 'Moses Felix,' is believed by police to be the developer of the phishing platform. Samuel ran a Telegram channel selling phishing kits to other cybercriminals for cryptocurrency and hosted the phishing pages on Cloudflare using accounts registered with compromised credentials. The channel had over 800 members around the time of the disruption, with reported access fees ranging from $355 per month to $999 per three months; Cloudflare estimates the service was used primarily by Russia-based cybercriminals. Police said they have no evidence linking the other two arrested individuals to the development or operation of RaccoonO365. Joshua Ogundipe, whom Microsoft had previously identified as the leader of the service, is not mentioned in the police announcement.
TA415 (APT41) Abuses Velociraptor Forensic Tool for C2 Tunneling via Visual Studio Code
Threat actors tracked as TA415 (APT41) deployed the open-source Velociraptor forensic tool to download and execute Visual Studio Code, likely for command-and-control (C2) tunneling. The attack leveraged legitimate software and built-in Windows utilities to minimize malware deployment and maintain a foothold in the target environment. It began with the Windows msiexec utility downloading an MSI installer from a Cloudflare Workers domain; Velociraptor then contacted a second Cloudflare Workers domain to download and execute Visual Studio Code with tunneling enabled, giving the attackers remote access and code execution that could precede further activity such as ransomware deployment. The associated phishing campaign targeted US government, think tank, and academic organizations involved in US-China relations, economic policy, and international trade, impersonating the US-China Business Council and John Moolenaar, Chair of the Select Committee on Strategic Competition between the US and the Chinese Communist Party. The messages linked to password-protected archives hosted on cloud services that contained a shortcut (LNK) file and a hidden subfolder. Launching the LNK file ran a batch script that downloaded the VS Code Command Line Interface (CLI) from Microsoft's servers, created a scheduled task for persistence, and established a VS Code remote tunnel authenticated via GitHub. The script also collected system information and the contents of various user directories, sent them to the attackers, and transmitted the tunnel verification code, allowing the attackers to access the victim's computer remotely and execute arbitrary commands.
The incident underscores the importance of monitoring for unauthorized use of legitimate tools such as Velociraptor and VS Code remote tunnels, and of robust endpoint detection and response to mitigate such threats.
Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects
Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide. Following this, Operation Sentinel, conducted between October 27 and November 27, 2025, led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents. The operation took down more than 6,000 malicious links and decrypted six distinct ransomware variants. The cybercrime cases investigated are connected to more than $21 million in financial losses. The operations were supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Cybercrime now accounts for 30% of all reported crime in Western and Eastern Africa and is increasing rapidly elsewhere on the continent. Interpol's 2025 Africa Cyberthreat Assessment Report noted that two-thirds of African member countries claim cyber-related offenses now account for a 'medium-to-high' (i.e., 10-30% or 30%+) share of all crimes. Interpol director of cybercrime, Neal Jetton, warned that the scale and sophistication of cyber-attacks across Africa are accelerating, especially against critical sectors like finance and energy.