Major Botnet Attacks RDP Services in the US

A new large-scale botnet has been detected that is attacking Remote Desktop Protocol (RDP) services in the United States, using more than 100,000 IP addresses. Analysts at GreyNoise report that the attacks began on October 8, 2025.

Researchers discovered this campaign after an unusual spike in traffic from Brazil, followed by similar activity from other regions, including Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador.

The full list of countries with compromised devices that are part of the botnet exceeds 100.

According to experts, the botnet uses two types of RDP attacks:

  • timing attacks on RD Web Access — scanning RD Web Access endpoints and measuring differences in response time during anonymous authentication attempts to identify existing usernames;
  • account enumeration via the RDP web client — attackers interact with the RDP Web Client login process and enumerate accounts by observing differences in server behavior and responses.

Almost all of the botnet’s IP addresses share a common TCP signature; although they differ in MSS (Maximum Segment Size), the researchers attribute this to the botnet being made up of several distinct clusters. Overall, the timing and nature of the attacks indicate coordinated activity under centralized control.

To protect against such threats, administrators are advised to block the IP addresses from which the attacks originate and to review logs for signs of suspicious RDP scanning.
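The following is an added example, not code from GreyNoise or from the article, of the kind of log review the advice above calls for. It assumes failed-logon events (Windows Security event 4625, which records the target user name and source IP) have been exported as JSON lines with the field names shown; the log sample itself is constructed, and the 10.x.x.x addresses and the thresholds are placeholders, not indicators from the report. It flags two patterns: a single source cycling through many usernames, and the distributed pattern typical of a large botnet, where each source IP makes only one or two attempts against the same account so that per-IP thresholds never trigger.

```python
"""Flag RDP / RD Web Access account-enumeration activity in failed-logon records.

Added example (not from the GreyNoise report or the article). Input is assumed
to be JSON lines with "time", "event_id", "user", "ip" and "logon_type" fields,
as one might export from Windows Security event 4625. The sample below is
synthetic and the addresses are placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed sample log: a few minutes of logon events on an RDP gateway.
SAMPLE_LOG = "\n".join([
    # one source cycling through many usernames (enumeration from a single IP)
    '{"time": "2025-10-08T09:00:01Z", "event_id": 4625, "user": "administrator", "ip": "10.1.1.1", "logon_type": 3}',
    '{"time": "2025-10-08T09:00:02Z", "event_id": 4625, "user": "admin", "ip": "10.1.1.1", "logon_type": 3}',
    '{"time": "2025-10-08T09:00:03Z", "event_id": 4625, "user": "guest", "ip": "10.1.1.1", "logon_type": 3}',
    '{"time": "2025-10-08T09:00:04Z", "event_id": 4625, "user": "backup", "ip": "10.1.1.1", "logon_type": 3}',
    '{"time": "2025-10-08T09:00:05Z", "event_id": 4625, "user": "scanner", "ip": "10.1.1.1", "logon_type": 3}',
    '{"time": "2025-10-08T09:00:06Z", "event_id": 4625, "user": "svc_rdp", "ip": "10.1.1.1", "logon_type": 3}',
    # many sources each trying the same account once (distributed botnet pattern)
    '{"time": "2025-10-08T09:05:10Z", "event_id": 4625, "user": "rdpuser", "ip": "10.2.0.1", "logon_type": 3}',
    '{"time": "2025-10-08T09:05:11Z", "event_id": 4625, "user": "rdpuser", "ip": "10.2.0.2", "logon_type": 3}',
    '{"time": "2025-10-08T09:05:12Z", "event_id": 4625, "user": "rdpuser", "ip": "10.2.0.3", "logon_type": 3}',
    '{"time": "2025-10-08T09:05:13Z", "event_id": 4625, "user": "rdpuser", "ip": "10.2.0.4", "logon_type": 3}',
    '{"time": "2025-10-08T09:05:14Z", "event_id": 4625, "user": "rdpuser", "ip": "10.2.0.5", "logon_type": 3}',
    # a legitimate user mistyping a password twice (must not be flagged)
    '{"time": "2025-10-08T09:07:00Z", "event_id": 4625, "user": "jsmith", "ip": "10.3.3.3", "logon_type": 10}',
    '{"time": "2025-10-08T09:07:30Z", "event_id": 4625, "user": "jsmith", "ip": "10.3.3.3", "logon_type": 10}',
    # a successful logon (event 4624), ignored by the filter
    '{"time": "2025-10-08T09:08:00Z", "event_id": 4624, "user": "jsmith", "ip": "10.3.3.3", "logon_type": 10}',
])


def parse_events(text):
    """Parse JSON lines and keep only failed logons (event 4625) with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_id") != 4625:
            continue
        rec["ts"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def analyze(events, window=timedelta(minutes=10), max_users_per_ip=5, max_ips_per_user=3):
    """Group failures into fixed time windows and flag enumeration patterns.

    enumerating_ips:   a single source tried >= max_users_per_ip distinct usernames
    distributed_users: one username was tried from >= max_ips_per_user distinct sources
    block_candidates:  union of the sources behind both patterns (input for a block list)
    """
    users_by_ip = defaultdict(set)   # (window, ip)   -> usernames tried
    ips_by_user = defaultdict(set)   # (window, user) -> source IPs
    for ev in events:
        bucket = (ev["ts"] - EPOCH) // window   # integer window index, timezone-free
        users_by_ip[(bucket, ev["ip"])].add(ev["user"])
        ips_by_user[(bucket, ev["user"])].add(ev["ip"])

    enumerating_ips = {ip for (_, ip), users in users_by_ip.items()
                       if len(users) >= max_users_per_ip}
    flagged_keys = {key for key, ips in ips_by_user.items()
                    if len(ips) >= max_ips_per_user}
    distributed_users = {user for (_, user) in flagged_keys}
    distributed_ips = set().union(*(ips_by_user[k] for k in flagged_keys))

    return {
        "enumerating_ips": enumerating_ips,
        "distributed_users": distributed_users,
        "block_candidates": enumerating_ips | distributed_ips,
    }


if __name__ == "__main__":
    result = analyze(parse_events(SAMPLE_LOG))
    print("sources enumerating many accounts:", sorted(result["enumerating_ips"]))
    print("accounts targeted from many sources:", sorted(result["distributed_users"]))
    print("block-list candidates:", sorted(result["block_candidates"]))
```

The per-user view is the one that matters for a botnet of this size: with 100,000 sources, each IP may touch a server only once, so counting failures per IP alone misses it, while counting distinct sources per target account within a window still surfaces the campaign. Thresholds here are illustrative and should be tuned to the environment's normal failure rate; the RD Web Access web tier additionally logs to IIS, where repeated anonymous requests to the login page from many sources can be reviewed the same way.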
