Hackers Exploiting Windows .RDP Files For Rogue Remote Desktop Connections


Apr 8, 2025 - 12:06

In a sophisticated espionage campaign targeting European government and military institutions, hackers believed to be connected with Russian state actors have been utilizing a lesser-known feature of Windows Remote Desktop Protocol (RDP) to infiltrate systems.

The Google Threat Intelligence Group (GTIG) has identified this new wave of cyber attacks and attributed them to a group they refer to as UNC5837.

The campaign, which was observed starting in October 2024, employs a unique approach by sending phishing emails with .rdp file attachments. These files, once executed, initiate an RDP connection from the victim’s machine to an attacker-controlled server without the typical interactive session warning banners.

This method, described as “Rogue RDP” by GTIG, allows attackers to access the victim’s file systems, clipboard data, and potentially even system variables, all under the guise of a legitimate application check.


The attackers, in collaboration with the Ukrainian State Secure Communications and Information Security Agency, sent emails purporting to be from prestigious organizations like Amazon and Microsoft.

Campaign sample

Resource Redirection and RemoteApps

The emails contained .rdp files signed with valid SSL certificates, which bypasses the security warnings that would otherwise alert users to the risk.

These files are configured to map resources from the victim’s machine to the attacker’s server. Once executed, the .rdp files enabled two critical attack vectors:

  1. Drive and Clipboard Redirection: The configuration granted attackers read/write access to all victim drives, exposing file systems, environment variables, and clipboard data, including user-copied passwords. Virtual machine setups compounded the risk, as clipboard synchronization between host and guest systems expanded the theft surface.
  2. Deceptive RemoteApps: Instead of full desktop access, victims saw a windowed application named “AWS Secure Storage Connection Stability Test.” Hosted entirely on attacker servers, this RemoteApp masqueraded as a local tool while operating within the RDP session’s encrypted channel.

Notably, the attackers leveraged Windows environment variables (%USERPROFILE%, %COMPUTERNAME%) as command-line arguments to the RemoteApp, enabling reconnaissance without deploying malware.
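As an added example (not code from the article or from GTIG), the following script triages an .rdp attachment for exactly the settings described above: drive and clipboard redirection, RemoteApp mode, host environment variables passed on the RemoteApp command line, and the presence of a signature. The sample file, its host name and its signature blob are constructed placeholders; the setting names are the standard mstsc .rdp keys.

```python
import re

# Constructed sample (not a real campaign file) mirroring the settings the article
# describes: drive and clipboard redirection plus a RemoteApp whose command line
# carries the victim's environment variables. Host and signature are placeholders.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
remoteapplicationname:s:AWS Secure Storage Connection Stability Test
remoteapplicationprogram:s:||StabilityTest
remoteapplicationcmdline:s:%USERPROFILE% %COMPUTERNAME%
signscope:s:Full Address,Drive Store Redirect,Redirect Clipboard
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict. Names are case-insensitive and
    the value keeps any further ':' (for example host:port)."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3:
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings


def triage_rdp(text):
    """Return (severity, finding) tuples for the settings that enable Rogue RDP."""
    s = parse_rdp(text)
    findings = []
    if s.get("drivestoredirect"):  # '*' = every drive, otherwise a list like 'C:;D:'
        findings.append(("high", "drive redirection enabled: " + s["drivestoredirect"]))
    if s.get("redirectclipboard") == "1":
        findings.append(("high", "clipboard redirection enabled"))
    if s.get("remoteapplicationmode") == "1":
        findings.append(("medium", "RemoteApp mode, window title: "
                         + s.get("remoteapplicationname", "<unnamed>")))
        env_refs = re.findall(r"%[A-Za-z_]+%", s.get("remoteapplicationcmdline", ""))
        if env_refs:
            findings.append(("high", "host environment variables passed to RemoteApp: "
                             + ", ".join(env_refs)))
    if "signature" in s:
        # A valid signature suppresses the client's warning; it says nothing about intent.
        findings.append(("info", "file is signed, scope: " + s.get("signscope", "<none>")))
    return findings
```

Running `triage_rdp` on a mail-gateway extraction of attachments gives a quick severity list before anyone double-clicks the file.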

Malicious RDP

The use of these features reduces the attack’s footprint, making it harder for incident responders to detect and analyze the breach.

GTIG also highlighted the potential use of an RDP proxy tool like PyRDP, which could automate tasks such as file exfiltration, clipboard capture, or session hijacking.

PyRDP Tool

While direct evidence linking PyRDP to this particular campaign is lacking, its capabilities match the observed attack vectors:

  • Stealing credentials used to authenticate to RDP servers.
  • Capturing user’s clipboard content, which might include sensitive information like passwords.
  • Command execution on the RDP server, although not directly on the victim’s machine.

Defensive Measures

Detection remains difficult due to limited native logging. Key indicators include:

  • Registry Artifacts: Attacker IPs and usernames in HKEY_USERS\...\Terminal Server Client\Servers
  • Temporary Files: MSTSC-generated .tmp files in %APPDATA%\Local\Temp
  • Suspicious Processes: File writes originating from mstsc.exe
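To show how two of the indicators above can be turned into detection logic, here is an added example (not from the article) that runs over constructed Sysmon-style FileCreate and registry events. The user, SID, host and file names are placeholders, and treating any mstsc.exe write outside its bitmap cache as notable is this example's own assumption, not a statement from the article.

```python
from pathlib import PureWindowsPath

# Constructed sample events in simplified Sysmon shape (EventID 11 = FileCreate,
# EventID 13 = registry value set). User, SID, host and file names are placeholders.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\mstsc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache24.bmc"},
    {"EventID": 11, "Image": r"C:\Windows\System32\mstsc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\tmpA1B2.tmp"},
    {"EventID": 11, "Image": r"C:\Windows\System32\mstsc.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 13, "Image": r"C:\Windows\System32\mstsc.exe",
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Terminal Server Client\Servers\rdp.example.invalid\UsernameHint",
     "Details": "placeholder-user"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

# Assumption for this example: mstsc.exe's routine writes go to its bitmap cache,
# so anything else it writes is worth an alert.
BENIGN_CACHE = "\\microsoft\\terminal server client\\cache\\"
SERVERS_KEY = "\\terminal server client\\servers\\"


def is_mstsc(event):
    return PureWindowsPath(event.get("Image", "")).name.lower() == "mstsc.exe"


def detect(events):
    """Return (rule, detail) alerts for the host artifacts described above."""
    alerts = []
    for e in events:
        if e["EventID"] == 11 and is_mstsc(e):
            path = e["TargetFilename"]
            # With drive redirection, writes to the victim's disk are performed by
            # mstsc.exe itself, so a write outside the cache directory is notable.
            if BENIGN_CACHE not in path.lower():
                alerts.append(("mstsc_file_write", path))
        elif e["EventID"] == 13 and SERVERS_KEY in e.get("TargetObject", "").lower():
            # The key name under ...\Servers\ is the remote host the client connected to.
            server = e["TargetObject"].lower().split(SERVERS_KEY, 1)[1].split("\\")[0]
            alerts.append(("new_rdp_server_artifact", server))
    return alerts
```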

To mitigate risks, Microsoft recommends:

  • Enforcing Network Level Authentication (NLA) for RDP connections
  • Blocking .RDP files from untrusted publishers via Group Policy
  • Disabling drive redirection and restricting clipboard access

The discovery of this campaign underscores the need for organizations to strengthen their defenses:

  • Organizations should disable execution of unsigned .rdp files and only allow connections from trusted publishers.
  • Enhanced logging and monitoring for unusual file creation events originating from RDP sessions can help detect this type of intrusion.
  • Users should be trained to recognize and safely handle suspicious email attachments, particularly .rdp files from unknown sources.

As technologies like RDP evolve, so do the tactics of cybercriminals. The deployment of tools like PyRDP in potential attacks highlights a growing trend where attackers leverage existing system capabilities for stealthy, persistent access, making the continuous update of security practices imperative for all organizations.
