Overview
- The operation has been active since October 8 and remains ongoing as of October 14, according to the latest reporting.
- Researchers first observed a surge from Brazil before similar probing appeared from Argentina, Iran, China, Mexico, Russia, South Africa, Ecuador, and devices across more than 100 countries.
- The campaign uses RD Web Access timing attacks and RDP web client login enumeration to identify valid usernames without full authentication.
- Nearly all attacking IPs present the same TCP fingerprint, with Maximum Segment Size differences indicating clusters within a single botnet infrastructure.
- Defenders are urged to block the observed source addresses, review logs for RDP and RD Web Access probes, remove public RDP exposure, and require VPN access plus multi-factor authentication. No public attribution to a specific operator has been made.
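The username-enumeration behaviour and the MSS-based clustering described above translate into a simple log-review check. The following script is an added example and is not code from the report or from the researchers it summarizes; it uses a constructed, simplified log format (one line per request with the attempted username and the source's TCP Maximum Segment Size), documentation-range addresses, and constructed timestamps. In a real deployment the same logic would be fed from IIS request logs joined with Windows logon events and a TCP fingerprinting feed. It flags sources that try many distinct usernames against the RD Web Access login page within a short window, which is the enumeration signature rather than a user retrying one password, and then groups the flagged sources by MSS to surface sub-clusters of a single botnet.

```python
"""Added example: detect RD Web Access username-enumeration probes and group
flagged sources by TCP MSS. The log format and all sample values below are
constructed; they are not indicators from the report."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records: time, source IP, method, path, attempted
# username, result, and the MSS observed on the source's TCP SYN.
# Addresses are RFC 5737 documentation ranges, not real attackers.
SAMPLE_LOG = """\
2025-10-09T02:14:01Z 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx user=alice result=fail mss=1460
2025-10-09T02:14:03Z 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx user=bob result=fail mss=1460
2025-10-09T02:14:05Z 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx user=carol result=fail mss=1460
2025-10-09T02:14:08Z 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx user=dave result=fail mss=1460
2025-10-09T02:14:10Z 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx user=erin result=fail mss=1460
2025-10-09T02:14:12Z 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx user=frank result=fail mss=1460
2025-10-09T02:20:00Z 203.0.113.11 POST /RDWeb/Pages/en-US/login.aspx user=grace result=fail mss=1400
2025-10-09T02:20:02Z 203.0.113.11 POST /RDWeb/Pages/en-US/login.aspx user=heidi result=fail mss=1400
2025-10-09T02:20:04Z 203.0.113.11 POST /RDWeb/Pages/en-US/login.aspx user=ivan result=fail mss=1400
2025-10-09T02:20:06Z 203.0.113.11 POST /RDWeb/Pages/en-US/login.aspx user=judy result=fail mss=1400
2025-10-09T02:20:08Z 203.0.113.11 POST /RDWeb/Pages/en-US/login.aspx user=mallory result=fail mss=1400
2025-10-09T03:01:00Z 198.51.100.7 POST /RDWeb/Pages/en-US/login.aspx user=jsmith result=fail mss=1460
2025-10-09T03:01:20Z 198.51.100.7 POST /RDWeb/Pages/en-US/login.aspx user=jsmith result=fail mss=1460
2025-10-09T03:01:45Z 198.51.100.7 POST /RDWeb/Pages/en-US/login.aspx user=jsmith result=success mss=1460
2025-10-09T03:30:00Z 203.0.113.12 POST /RDWeb/Pages/en-US/login.aspx user=nancy result=fail mss=1460
2025-10-09T03:30:01Z 203.0.113.12 POST /RDWeb/Pages/en-US/login.aspx user=oscar result=fail mss=1460
2025-10-09T03:30:02Z 203.0.113.12 POST /RDWeb/Pages/en-US/login.aspx user=peggy result=fail mss=1460
2025-10-09T03:30:03Z 203.0.113.12 POST /RDWeb/Pages/en-US/login.aspx user=quinn result=fail mss=1460
2025-10-09T03:30:04Z 203.0.113.12 POST /RDWeb/Pages/en-US/login.aspx user=rupert result=fail mss=1460
2025-10-09T03:30:05Z 203.0.113.12 GET /RDWeb/Pages/en-US/login.aspx mss=1460
"""

# Default RD Web Access login page path; only POSTs to it carry a username.
RDWEB_LOGIN_PATH = "/RDWeb/Pages/en-US/login.aspx"


@dataclass
class LoginAttempt:
    when: datetime
    src_ip: str
    username: str
    result: str
    mss: int


def parse_attempt(line: str):
    """Return a LoginAttempt for a POST to the RDWeb login page, else None."""
    parts = line.split()
    if len(parts) < 4 or parts[2] != "POST" or parts[3] != RDWEB_LOGIN_PATH:
        return None
    kv = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
    if "user" not in kv:
        return None
    when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return LoginAttempt(when, parts[1], kv["user"], kv.get("result", "unknown"), int(kv.get("mss", 0)))


def parse_log(text: str):
    return [a for a in (parse_attempt(line) for line in text.splitlines()) if a is not None]


def enumeration_sources(attempts, window_seconds=300, min_distinct_users=5):
    """Return {src_ip: set of usernames} for sources that tried at least
    min_distinct_users different usernames within any window_seconds span.
    Many distinct names from one source is the enumeration signature; a
    legitimate user retrying one name is left alone."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.src_ip].append(a)
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.when)
        best = set()
        for i, start in enumerate(rows):  # sliding window anchored at each attempt
            names = set()
            for a in rows[i:]:
                if (a.when - start.when).total_seconds() > window_seconds:
                    break
                names.add(a.username)
            if len(names) > len(best):
                best = names
        if len(best) >= min_distinct_users:
            flagged[ip] = best
    return flagged


def cluster_by_mss(attempts, flagged_ips):
    """Group flagged sources by advertised MSS: sources sharing one TCP
    fingerprint but differing in MSS point to sub-clusters of one botnet."""
    clusters = defaultdict(set)
    for a in attempts:
        if a.src_ip in flagged_ips:
            clusters[a.mss].add(a.src_ip)
    return {mss: sorted(ips) for mss, ips in clusters.items()}


if __name__ == "__main__":
    attempts = parse_log(SAMPLE_LOG)
    flagged = enumeration_sources(attempts)
    for ip, names in flagged.items():
        print(f"{ip}: {len(names)} distinct usernames within the window")
    for mss, ips in sorted(cluster_by_mss(attempts, flagged).items()):
        print(f"MSS {mss}: {', '.join(ips)}")
```

On the sample data the legitimate user at 198.51.100.7 (three tries of one name, then success) is not flagged, while the three probing sources are, and they split into an MSS 1460 group and an MSS 1400 group. The thresholds are assumptions for illustration; tune `window_seconds` and `min_distinct_users` to the normal login volume of the portal before using the output to drive blocking.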