Overview of coordinated RDP scanning campaign

A large-scale scanning campaign is actively targeting Microsoft Remote Desktop Protocol (RDP) services, utilizing over 30,000 unique IP addresses to probe for vulnerabilities in Microsoft RD Web Access and RDP Web Client authentication portals. This operation marks one of the most extensive RDP reconnaissance efforts in recent years, indicating potential preparations for large-scale credential-based attacks.

Attack Overview

The campaign began on August 21, 2025, with nearly 2,000 IP addresses targeting Microsoft RDP services. It escalated dramatically on August 24, with over 30,000 IPs conducting coordinated scans using identical client signatures, suggesting a sophisticated botnet or coordinated toolset.

According to GreyNoise, the attackers employ timing-based authentication enumeration, exploiting subtle server response time differences to identify valid usernames without triggering brute-force detection. This stealthy approach allows them to compile target lists for future credential stuffing and password spraying attacks.
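As an added example (not from GreyNoise or the original article), the sketch below shows why a per-account brute-force threshold misses this kind of enumeration, and how grouping login attempts by shared client signature surfaces it. The record layout, the signature labels, and all thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

def build_sample():
    """Constructed login-attempt records: (source_ip, client_signature, username)."""
    events = []
    # Distributed probing: 40 IPs share one signature; each username is tried once.
    for i in range(40):
        for j in range(5):
            events.append((f"198.51.100.{i}", "sig-A", f"user{i * 5 + j}"))
    # A legitimate user mistyping a password a few times.
    events += [("192.0.2.10", "sig-B", "alice")] * 4
    # Classic single-source brute force against one account.
    events += [("203.0.113.7", "sig-C", "admin")] * 30
    return events

def per_account_bruteforce(events, threshold=10):
    """Classic rule: usernames with at least `threshold` attempts."""
    counts = defaultdict(int)
    for _ip, _sig, user in events:
        counts[user] += 1
    return {user for user, n in counts.items() if n >= threshold}

def enumeration_by_signature(events, min_ips=20, min_users=50, max_avg=2.0):
    """Signatures shared by many IPs that touch many usernames only a few times each."""
    ips, users, total = defaultdict(set), defaultdict(set), defaultdict(int)
    for ip, sig, user in events:
        ips[sig].add(ip)
        users[sig].add(user)
        total[sig] += 1
    flagged = {}
    for sig, n in total.items():
        avg = n / len(users[sig])
        if len(ips[sig]) >= min_ips and len(users[sig]) >= min_users and avg <= max_avg:
            flagged[sig] = {"ips": len(ips[sig]), "users": len(users[sig]), "avg_attempts": avg}
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    print("per-account rule:", per_account_bruteforce(sample))
    print("signature rule:  ", enumeration_by_signature(sample))
```

On the constructed data the per-account rule flags only the single-source brute force, while the signature rule flags only the distributed, one-attempt-per-username probing.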
