Earth Koshchei, an APT group suspected of being sponsored by the Russian SVR, executed a large-scale rogue RDP campaign targeting high-profile sectors. The attack methodology combined spear-phishing emails, red team tools, and layered anonymization techniques. The campaign used RDP relays, rogue RDP servers, and malicious RDP configuration files to potentially leak data and install malware. The group registered over 200 domain names between August and October, setting up 193 RDP relays and 34 rogue RDP backend servers. It employed anonymization layers such as VPN services, Tor, and residential proxies to mask its operations. The campaign peaked on October 22, targeting governments, armed forces, think tanks, academic researchers, and Ukrainian entities.

Author: AlienVault
Related Tags:
RogueRDP
Python Remote Desktop Protocol MITM tool (PyRDP)
Midnight Blizzard
T1584.001
apt29
Netherlands
T1583.001
spear-phishing
data exfiltration
Associated Indicators: