RedVDS and Storm-2470 cybercrime-as-a-service platform scaling disposable Windows cloud servers
Threat Actor Meta
Summary
The RedVDS cybercrime-as-a-service platform has been identified as a long-running underground service that let multiple criminal groups rent disposable Windows cloud servers with administrator control, increasing the scale and anonymity of phishing and fraud operations. The model matters because it turned hosting into a reusable criminal utility, lowering the barrier for Storm-0259, Storm-2227, Storm-1575, and Storm-1747 to run high-volume abuse.
Related Happenings
Black Basta rebranding of Conti in the ransomware ecosystem
Threat Actor Meta
First: 16.01.2026 21:00
Last: 16.01.2026 21:00
Sources 1
About this happening:
**Black Basta** is being described as a **rebranding of Conti**, underscoring how major ransomware crews can repackage personnel and infrastructure into new operations. That linea...
RedVDS takedown with US, UK and Europol support
Law Enforcement
First: 14.01.2026 18:32
Last: 14.01.2026 18:32
Sources 1
How related:
Microsoft filed civil lawsuits in the United States and the United Kingdom, seizing malicious infrastructure and taking RedVDS's marketplace and customer portal offline as part of a broader international operation with Europol and German authorities.
About this happening:
**Microsoft** said it took **coordinated legal action** in the **U.S. and U.K.** to disrupt **RedVDS**, seizing **redvds[.]com** and related infrastructure with support from **Eur...
DeadLock ransomware uses Polygon smart contracts for proxy rotation
Malware Activity
First: 14.01.2026 16:20
Last: 14.01.2026 16:20
Sources 1
About this happening:
**DeadLock ransomware** is now using **Polygon smart contracts** to rotate **proxy server addresses**, making its **C2** infrastructure harder to block. The activity has been seen...
Microsoft security patch release for CVE-2026-20805
Security Patch Release
First: 14.01.2026 02:47
Last: 14.01.2026 02:47
Sources 1
About this happening:
**Microsoft** released January 2026 security updates for **Windows** and supported software, fixing **at least 113 vulnerabilities** and **8 critical flaws**. The release includes...
GoBruteforcer botnet brute-forces exposed Linux servers with a more capable mid-2025 variant
Malware Activity
First: 08.01.2026 19:30
Last: 08.01.2026 19:30
Sources 1
About this happening:
**GoBruteforcer** is actively brute-forcing **Linux servers exposed to the internet**, creating a broad risk of compromise, **data theft** and **botnet expansion**. The operation...
Timeline
- 15.01.2026 09:11 (2 articles)
Microsoft disrupts RedVDS cybercrime platform
Initial Disclosure: Microsoft disrupted RedVDS, a cybercrime-as-a-service platform linked to at least $40 million in reported U.S. losses since March 2025, and filed civil lawsuits in the United States and the United Kingdom that seized malicious infrastructure and took RedVDS's marketplace and customer portal offline in coordination with Europol and German authorities. Microsoft described RedVDS as a long-running service, active since 2019, that sold disposable Windows cloud servers through redvds[.]com, redvds[.]pro, and vdspanel[.]space. The service used a single cloned Windows Server 2022 image with the shared computer name WIN-BUNS25TD77J and rented hosting across the United States, the United Kingdom, France, Canada, the Netherlands, and Germany, enabling phishing, credential theft, account takeovers, business email compromise, and real estate payment diversion. The action also involved H2-Pharma and the Gatehouse Dock Condominium Association, and Microsoft said RedVDS-enabled activity had led to compromise or fraudulent access of more than 191,000 organizations worldwide since September 2025.
Sources:
- Microsoft disrupts massive RedVDS cybercrime virtual desktop service — www.bleepingcomputer.com — 15.01.2026 09:11
- Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud — thehackernews.com — 15.01.2026 11:37