Oct 10, 2025 • GreyNoise Blog
100,000+ IP Botnet Launches Coordinated RDP Attack Wave Against US Infrastructure
Executive Summary
GreyNoise has identified a large-scale coordinated botnet campaign targeting Remote Desktop Protocol (RDP) services across United States infrastructure. Beginning October 8, 2025, the operation has used over 100,000 unique IP addresses from more than 100 countries to launch brute-force attacks against exposed RDP endpoints. The sheer volume of source IPs suggests distributed denial-of-service or credential-stuffing intent aimed at gaining unauthorized initial access. No specific threat actor or malware family has been publicly attributed to the campaign yet, but its scale poses a significant risk to organizations that rely on remote access services. Organizations are advised to immediately audit exposed RDP ports, enforce multi-factor authentication, and enable Network Level Authentication (NLA) to mitigate brute-force attempts. Continuous monitoring of authentication logs is essential to detect successful compromises amid this high-volume noise.
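As an added example (not from the GreyNoise post) of the log monitoring advised above: when attempts are spread over many source addresses, each address may contribute only a few failures, so this code counts distinct failing sources per account and flags any successful logon on an account under that pressure. The event rows, their field layout, the account names and the thresholds are constructed assumptions; the IP addresses are documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumed look-back window
MIN_SOURCES = 3              # assumed threshold; tune to your environment

# Constructed sample: simplified rows exported from the Windows Security log as
# (time, event id, logon type, account, source IP).
# 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive, 3 = Network (seen for NLA-protected RDP).
EVENTS = [
    ("2025-10-08T10:00:05", 4625, 3, "svc_backup", "198.51.100.10"),
    ("2025-10-08T10:01:40", 4625, 3, "svc_backup", "203.0.113.7"),
    ("2025-10-08T10:03:12", 4625, 3, "svc_backup", "192.0.2.55"),
    ("2025-10-08T10:04:00", 4625, 3, "jsmith", "10.1.1.20"),
    ("2025-10-08T10:04:30", 4624, 10, "jsmith", "10.1.1.20"),
    ("2025-10-08T10:20:47", 4624, 10, "svc_backup", "203.0.113.99"),
]

def analyze(events, window=WINDOW, min_sources=MIN_SOURCES):
    """Return (sprayed_accounts, suspicious_successes).

    sprayed_accounts: account -> peak count of distinct failing source IPs
    suspicious_successes: successful logons on an account that had failures
    from >= min_sources distinct IPs inside the window.
    """
    failures = defaultdict(list)  # account -> [(time, src_ip)] inside window
    sprayed, suspicious = {}, []
    for ts, event_id, logon_type, user, src in sorted(events):
        if logon_type not in (3, 10):
            continue  # ignore logon types unrelated to RDP in this example
        when = datetime.fromisoformat(ts)
        # Drop failures that have aged out of the window for this account.
        recent = [(t, ip) for t, ip in failures[user] if when - t <= window]
        failures[user] = recent
        if event_id == 4625:
            recent.append((when, src))
            sources = {ip for _, ip in recent}
            if len(sources) >= min_sources:
                sprayed[user] = max(sprayed.get(user, 0), len(sources))
        elif event_id == 4624 and len({ip for _, ip in recent}) >= min_sources:
            suspicious.append((ts, user, src))
    return sprayed, suspicious

if __name__ == "__main__":
    print(analyze(EVENTS))
```

The single mistyped password followed by a logon for `jsmith` is not flagged, while the logon on `svc_backup` after failures from three distinct sources is.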
Summary
Since October 8, 2025, GreyNoise has tracked a coordinated botnet operation involving over 100,000 unique IP addresses from more than 100 countries targeting Remote Desktop Protocol (RDP) services in the United States.