GreyNoise Intelligence has issued an alert about a massive coordinated botnet operation targeting Remote Desktop Protocol (RDP) services across the United States. Since October 8, 2025, researchers have tracked more than 100,000 unique IP addresses originating from over 100 countries, all focusing on U.S.-based RDP endpoints in what appears to be a centrally controlled attack campaign.
GreyNoise analysts describe the ongoing operation as multi-country but highly synchronized, with a consistent technical fingerprint across nearly all participating systems. The campaign leverages two specific RDP attack vectors:
- Microsoft RD Web Access Anonymous Authentication Timing Attack Scanner
- Microsoft RDP Web Client Login Enumeration Check
Researchers note that “most participating IPs share one similar TCP fingerprint, indicating centralized control.”
The report’s key findings highlight the scope and precision of the campaign:
- Scale: Over 100,000 IPs involved
- Countries: 100+ including Brazil, Argentina, Iran, China, Mexico, Russia, and South Africa
- Primary target: U.S. RDP infrastructure
- Attack signatures: Uniform TCP fingerprints with minor MSS variations
- Confidence level: High — GreyNoise assesses the activity as part of a multi-country botnet
The campaign was first detected when GreyNoise noticed an unusual spike in RDP-related traffic originating from Brazilian IP space, prompting a deeper analysis. “The botnet was discovered after GreyNoise detected an unusual spike in Brazilian IP space this week, which prompted investigation into broader traffic patterns,” the report states.
Subsequent investigation revealed matching traffic surges across multiple countries, indicating that the Brazilian spike was only one part of a much larger, orchestrated operation.
GreyNoise researchers emphasize that the consistency of TCP fingerprints and attack patterns across geographically diverse systems suggests the use of a single, centrally controlled botnet infrastructure. The report notes that “almost all traffic shared one similar TCP fingerprint, with only the MSS changing,” and that “the timing and pattern of targeting implies coordinated activity with centralized control.”
This pattern of globally distributed yet technically identical attack behavior reinforces suspicions of a botnet leveraging compromised servers or IoT devices to automate RDP probing and enumeration. While no specific malware family has yet been attributed, the precision and synchronization indicate active management by one or more operators.
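The fingerprint-consistency finding above (one TCP fingerprint, only the MSS varying, across sources in many countries) can be turned into a defender-side check. The following added example, which is not GreyNoise's code or data, clusters constructed connection records by a normalized fingerprint with the MSS field stripped and flags any cluster that covers most source IPs while spanning several countries; the fingerprint format, thresholds and sample records are all assumptions for illustration.

```python
"""Cluster RDP probe sources by TCP fingerprint, ignoring MSS (added example)."""
from collections import defaultdict

# Constructed sample records, not real GreyNoise data. Fields:
# timestamp src_ip country tcp_fingerprint (hypothetical key=value format)
SAMPLE_LOG = """\
2025-10-09T01:00:01Z 203.0.113.10 BR ttl=52;win=64240;mss=1460;ws=8;sack=1
2025-10-09T01:00:02Z 198.51.100.7 AR ttl=52;win=64240;mss=1452;ws=8;sack=1
2025-10-09T01:00:03Z 203.0.113.11 BR ttl=52;win=64240;mss=1440;ws=8;sack=1
2025-10-09T01:00:04Z 192.0.2.55 IR ttl=52;win=64240;mss=1400;ws=8;sack=1
2025-10-09T01:00:05Z 192.0.2.56 CN ttl=52;win=64240;mss=1460;ws=8;sack=1
2025-10-09T01:00:06Z 198.51.100.9 MX ttl=52;win=64240;mss=1380;ws=8;sack=1
2025-10-09T01:00:07Z 203.0.113.99 US ttl=128;win=8192;mss=1460;ws=2;sack=1
2025-10-09T01:00:08Z 198.51.100.200 RU ttl=52;win=64240;mss=1460;ws=8;sack=1
"""

def normalize_fingerprint(fp: str) -> str:
    """Drop the MSS field so sources that differ only in MSS collapse together."""
    return ";".join(kv for kv in fp.split(";") if not kv.startswith("mss="))

def parse_log(text: str):
    """Yield (src_ip, country, fingerprint) for each non-empty record."""
    for line in text.splitlines():
        if line.strip():
            _ts, ip, country, fp = line.split()
            yield ip, country, fp

def cluster_by_fingerprint(text: str):
    """Return {normalized_fp: {"ips": set, "countries": set, "mss": set}}."""
    clusters = defaultdict(lambda: {"ips": set(), "countries": set(), "mss": set()})
    for ip, country, fp in parse_log(text):
        key = normalize_fingerprint(fp)
        mss = dict(kv.split("=") for kv in fp.split(";")).get("mss")
        clusters[key]["ips"].add(ip)
        clusters[key]["countries"].add(country)
        clusters[key]["mss"].add(mss)
    return clusters

def flag_coordinated(text: str, min_share: float = 0.5, min_countries: int = 3):
    """Flag fingerprints covering at least min_share of all source IPs and
    seen from at least min_countries countries. Thresholds are assumptions."""
    clusters = cluster_by_fingerprint(text)
    total_ips = sum(len(c["ips"]) for c in clusters.values()) or 1
    return [(fp, len(c["ips"]), sorted(c["countries"]), sorted(c["mss"]))
            for fp, c in clusters.items()
            if len(c["ips"]) / total_ips >= min_share
            and len(c["countries"]) >= min_countries]

if __name__ == "__main__":
    for fp, n, countries, mss in flag_coordinated(SAMPLE_LOG):
        print(f"{fp}: {n} IPs from {countries}, MSS values {mss}")
```

In the constructed data, seven of eight sources share one normalized fingerprint across six countries and are flagged; the lone US record with a different fingerprint is not.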
GreyNoise concludes that “the elevated RDP targeting beginning this week is attributable to a multi-country botnet,” emphasizing that the simultaneous rise in attack traffic from disparate regions is not coincidental but part of a coordinated global campaign.