Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

Earth Koshchei, an APT group suspected of being sponsored by the Russian SVR, ran a large-scale rogue RDP campaign against high-profile targets. The methodology combined spear-phishing emails, repurposed red team tools, and layered anonymization. The campaign chained an RDP relay, a rogue RDP server, and malicious RDP configuration files, a setup that could leak data from connecting victims and deliver malware to them. The group registered over 200 domain names between August and October, setting up 193 RDP relays and 34 rogue RDP backend servers. It used anonymization layers such as VPN services, Tor, and residential proxies to mask its infrastructure. The campaign peaked on October 22, targeting governments, armed forces, think tanks, academic researchers, and Ukrainian entities.

OPENCTI LABELS:

data exfiltration, apt29, spear-phishing, midnight blizzard, python remote desktop protocol mitm tool (pyrdp), roguerdp, tor exit nodes
