CyberSecurityBoard
Sponsor Register Login

Hackers Exploiting Windows .RDP Files For Rogue Remote Desktop Connections

This method, described as “Rogue RDP” by GTIG, allows attackers to access the victim’s file systems, clipboard data, and potentially even system variables, all under the guise of a legitimate application check. The deployment of tools like PyRDP in potential attacks highlights a growing trend where attackers leverage existing system capabilities for stealthy, persistent access, making the continuous update of security practices imperative for all organizations. Drive and Clipboard Redirection: The configuration granted attackers read/write access to all victim drives, exposing file systems, environment variables, and clipboard data, including user-copied passwords. Deceptive RemoteApps: Instead of full desktop access, victims saw a windowed application named “AWS Secure Storage Connection Stability Test.” Hosted entirely on attacker servers, this RemoteApp masqueraded as a local tool while operating within the RDP session’s encrypted channel. In a sophisticated espionage campaign targeting European government and military institutions, hackers believed to be connected with Russian state actors have been utilizing a lesser-known feature of Windows Remote Desktop Protocol (RDP) to infiltrate systems. The attackers, in collaboration with the Ukrainian State Secure Communications and Information Security Agency, sent emails purporting to be from prestigious organizations like Amazon and Microsoft. GTIG also highlighted the potential use of an RDP proxy tool like PyRDP, which could automate tasks such as file exfiltration, clipboard capture, or session hijacking. The emails contained signed .rdp files, signed with valid SSL certificates, to bypass security measures that would alert users to potential risks. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Notably, the attackers leveraged Windows environment variables (%USERPROFILE%, %COMPUTERNAME%) as command-line arguments to the RemoteApp, enabling reconnaissance without deploying malware.

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 08 Apr 2025 02:25:08 +0000


Cyber News related to Hackers Exploiting Windows .RDP Files For Rogue Remote Desktop Connections

How To Protect RDP From Ransomware Attacks - RDP is common across businesses now that roughly half of all Americans can work at least part time from home. Employees can keep their work computers in the office but use them from their home devices through RDP. How Cybercriminals Target RDP As ...
1 year ago Feeds.dzone.com
Rogue AI: What the Security Community is Missing | Trend Micro (US) - Are threat actors, or Malicious Rogue AI, targeting your AI systems to create subverted Rogue AI? Are they targeting your enterprise in general? And are they using your resources, their own, or a proxy whose AI has been subverted. The truth is that ...
9 months ago Trendmicro.com
The Virtual Desktop Revolution: Redefining Work an - A virtual desktop, also referred to as a virtual desktop infrastructure, is a virtualized computing environment that enables users to remotely access and control their desktops from any device with an internet connection. A user who logs in is given ...
1 year ago Feeds.dzone.com
Hackers Exploiting Windows .RDP Files For Rogue Remote Desktop Connections - This method, described as “Rogue RDP” by GTIG, allows attackers to access the victim’s file systems, clipboard data, and potentially even system variables, all under the guise of a legitimate application check. The deployment of ...
3 months ago Cybersecuritynews.com
New Forensic Technique Uncovers Hidden Trails Left by Hackers Exploiting RDP - Forensic tools reconstruct attacker screen activity from thousands of 64x64 pixel bitmap fragments stored in RDP cache files, revealing viewed files and commands. Investigators identify RDP attackers through Windows Event IDs 4624/4625 and unique ...
20 hours ago Cybersecuritynews.com
Microsoft fixes Remote Desktop issues caused by Windows updates - "After installing the January 2025 Windows preview update (KB5050094) and later updates, users might experience unexpected disconnections with Remote Desktop Protocol (RDP) sessions, including Remote Desktop Services (RDS)," the company said in a ...
3 months ago Bleepingcomputer.com
CVE-2024-56547 - In the Linux kernel, the following vulnerability has been resolved: rcu/nocb: Fix missed RCU barrier on deoffloading Currently, running rcutorture test with torture_type=rcu fwd_progress=8 n_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 ...
6 months ago Tenable.com
Windows Remote Desktop Vulnerability Let Attackers Execute Malicious Code Over Network - These Remote Desktop vulnerabilities were among 72 flaws addressed in Microsoft’s May Patch Tuesday, which also fixed five actively exploited zero-day vulnerabilities, including issues in Windows DWM Core Library, Windows Common Log File System ...
2 months ago Cybersecuritynews.com CVE-2025-29966
Windows 10 Extended Security Updates Promised for Small Businesses and Home Users - Already common for enterprises, for the first time, individuals will also get the option to pay for extended security updates for a Windows operating system that's out of support. Windows 10 will stop getting free updates, including security fixes, ...
1 year ago Techrepublic.com
New Remote Desktop Puzzle Let Hackers Exfiltrate Sensitive Data From Organization - “The RDP bitmap cache is a witness to remote desktop interactions, providing insights into past activities,” Pen Test Partners said to Cyber Security News. In a recent case study, Pen Test Partners investigated a data breach where an ...
2 months ago Cybersecuritynews.com
Kimusky Hackers Exploiting RDP & MS Office Vulnerabilities in Targeted Attacks - A sophisticated Advanced Persistent Threat (APT) operation named Larva-24005, linked to the notorious Kimsuky threat group, has been discovered actively exploiting critical vulnerabilities in Remote Desktop Protocol (RDP) and Microsoft Office ...
2 months ago Cybersecuritynews.com Equation Kimsuky CVE-2019-0708
Microsoft: Recent Windows updates cause Remote Desktop issues - "After installing the January 2025 Windows preview update (KB5050094) and later updates, users might experience unexpected disconnections with Remote Desktop Protocol (RDP) sessions, including Remote Desktop Services (RDS)," the company said in a new ...
3 months ago Bleepingcomputer.com
Windows 11 January 2025 Preview Update Disconnects Remote Desktop Sessions - Microsoft’s January 2025 Windows preview update (KB5050094) for Windows 11 version 24H2 has caused significant issues with Remote Desktop Protocol (RDP) sessions, including Remote Desktop Services (RDS). The policy, named “Windows 11 24H2 ...
3 months ago Cybersecuritynews.com
Microsoft Warns of New StilachiRAT Stealing Remote Desktop Protocol Sessions Data - Microsoft has issued an urgent security advisory regarding a newly discovered malware strain called StilachiRAT, which specifically targets and exfiltrates data from Remote Desktop Protocol (RDP) sessions. Microsoft recommends organizations implement ...
3 months ago Cybersecuritynews.com
5 Lessons Learned from Windows Remote Desktop Honeypot Report - Recently, the SANS Institute released their annual Windows Remote Desktop Honeypot Report, providing comprehensive insights into the nature of malicious activity in a Windows environment. In order to understand how your own Windows network can be ...
2 years ago Bleepingcomputer.com
Overcoming Technical Barriers in Desktop and Application Virtualization - As organizations increasingly embrace remote and hybrid work, desktop and application virtualization have become essential strategies for ensuring flexibility, scalability, and security. TruGrid SecureRDP provides a secure, scalable, and ...
6 days ago Bleepingcomputer.com
Google Threat Intelligence Launches Actionable Technique To Hunt for Malicious .Desktop Files - xfce_desktop_window” (behavior_processes:” ; or (behavior_processes:”http” behavior_processes:”.pdf”))Expands detection by combining XFCE environment detection with behaviors involving Google Drive or other ...
2 months ago Cybersecuritynews.com
Getting a Remote Desktop Freeze? Microsoft Fixes Windows 11 Issue - Microsoft has released a patch to fix the Remote Desktop freeze bug in Windows 11. This bug caused computers to freeze after some users tried to connect using the Remote Desktop protocol. Microsoft's technical support team has been working on the ...
2 years ago Bleepingcomputer.com
Windows 11 to let admins mandate SMB encryption for outbound connections - Windows 11 will let admins mandate SMB client encryption for all outbound connections, starting with today's Windows 11 Insider Preview Build 25982 rolling out to Insiders in the Canary Channel. SMB encryption provides data end-to-end encryption and ...
1 year ago Bleepingcomputer.com
Recent Windows Server 2025 updates cause Remote Desktop freezes - ​Microsoft says a known issue is causing Remote Desktop freezes on Windows Server 2025 systems after installing security updates released since the February 2025 Patch Tuesday. "After installing the February 2025 Security update ...
3 months ago Bleepingcomputer.com
CVE-2012-0002 - The Remote Desktop Protocol (RDP) implementation in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly process packets in memory, which ...
4 years ago
Hackers Exploiting Domain Controller to Deploy Ransomware Using RDP - Attackers likely breached the network via a vulnerable VPN, using Mimikatz to steal credentials (caught by Microsoft Defender for Endpoint, which blocked the initial account, User 1). Microsoft has recently uncovered a sharp rise in ransomware ...
3 months ago Cybersecuritynews.com CVE-2019-0708
Microsoft drops SMB1 firewall rules in new Windows 11 build - Windows 11 will no longer add SMB1 Windows Defender Firewall rules when creating new SMB shares starting with today's Canary Channel Insider Preview Build 25992 build. Before this change and since Windows XP SP2, creating SMB shares set up firewall ...
1 year ago Bleepingcomputer.com
How Hackers Interrupted GTA 5 Online Gameplay on PC - Recently, a cyber-attack on Grand Theft Auto 5 Online on PC caused an interruption to thousands of players’ gameplays. The game was completely taken offline and players couldn’t even access the main gameplay menu. The attack caused an uproar ...
2 years ago Hackread.com
Microsoft fixes Remote Desktop freezes caused by Windows updates - Today, Microsoft announced that a long-standing bug causing blue screen errors and installation issues on Windows Server 2025 systems with over 256 logical processors was resolved in updates released since the KB5046617 cumulative update issued ...
2 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)