Russian hackers use RDP proxies to steal data in MiTM attacks


The Russian hacking group tracked as APT29 (aka “Midnight Blizzard”) is using a network of 193 remote desktop protocol proxy servers to perform man-in-the-middle (MiTM) attacks to steal data and credentials and to install malicious payloads.

The MiTM attacks utilized the PyRDP red team proxy tool to scan the victims’ filesystems, steal data in the background, and remotely execute rogue applications on the breached environment.

Trend Micro, which tracks the threat actors as ‘Earth Koshchei,’ reports that this campaign targets government and military organizations, diplomatic entities, IT and cloud service providers, and telecommunication and cybersecurity companies.

The domain names registered for the campaign suggest that APT29 targeted entities primarily in the U.S., France, Australia, Ukraine, Portugal, Germany, Israel, Greece, Turkey, and the Netherlands.

Using PyRDP for MitM attacks

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows users to remotely access and control another computer over a network. It is commonly used for remote administration, technical support, and connecting to systems in enterprise environments.

In October 2024, Amazon and CERT-UA published reports confirming that APT29 is tricking victims into connecting to rogue RDP servers after running a file attached to phishing emails.

Once the connection is set up, local resources, including disks, networks, printers, the clipboard, audio devices, and COM ports, are shared with the attacker-controlled RDP server, giving the attacker unrestricted access to sensitive information.

Trend Micro’s latest report reveals more details about this activity after identifying 193 RDP proxy servers that redirected connections to 34 attacker-controlled backend servers, allowing the attackers to monitor and intercept RDP sessions.

The hackers use a Python man-in-the-middle (MitM) red team tool called PyRDP to intercept all communication between the victim and the remote session while the connection continues to appear legitimate to the user.

The tool allows the attackers to log plaintext credentials or NTLM hashes, steal clipboard data, steal transferred files, steal data from shared drives in the background, and run console or PowerShell commands on new connections.

The researchers explain that this technique was first described by Mike Felch in 2022, and that his work may have inspired APT29’s tactics.

“Upon establishing the connection, the rogue server mimics the behavior of a legitimate RDP server and exploits the session to carry out various malicious activities,” explains Trend Micro.

“A primary attack vector involves the attacker deploying malicious scripts or altering system settings on the victim’s machine.”

“Additionally, the PyRDP proxy facilitates access to the victim’s file system, enabling the attacker to browse directories, read or modify files, and inject malicious payloads.”

Figure: Overview of the RDP session interception (Source: Trend Micro)

Among the malicious configurations Trend Micro analyzed, there’s also one that serves the user with a misleading AWS Secure Storage Connection Stability Test connection request.

Figure: Deceptive connection request (Source: Trend Micro)

Regarding APT29’s evasion, the researchers report that the Russian hackers use a combination of commercial VPN products accepting cryptocurrency payments, TOR exit nodes, and residential proxy services to obscure the IP addresses of the rogue RDP servers.

Figure: Overview of infrastructure obfuscation (Source: Trend Micro)

Defending against rogue RDP configurations requires a strong response to malicious emails, which, in this case, were sent from legitimate addresses that had been compromised before the campaign’s launch.

More importantly, Windows users should only make RDP connections to known, trusted servers and never open RDP connection files sent as email attachments.
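The resources listed earlier (drives, clipboard, printers, COM ports, audio) map directly onto settings inside a Windows .rdp connection file, and the advice to connect only to known servers maps onto an allowlist check on the file’s target host. The script below is an added illustration for triaging such attachments; it is not code from the article, Trend Micro, or PyRDP. It parses the plain-text name:type:value format that mstsc.exe reads, flags the redirection and authentication settings that hand local resources to the remote side, and scores the file higher when the target host is not on an allowlist. The sample .rdp content, the host name, the lure text, and the allowlist are constructed for the example.

```python
"""Triage helper for .rdp connection files received as email attachments.

Added illustration, not code from the article or from PyRDP. It reads the
``name:type:value`` lines of a Windows RDP connection file and reports the
settings that expose local resources to the remote host.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the redirection settings described above.
# Host name, lure text and allowlist are invented for this example.
SAMPLE_RDP = """\
full address:s:stability-test.rdp.example.invalid:3389
remoteapplicationmode:i:1
remoteapplicationname:s:AWS Secure Storage Connection Stability Test
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
audiocapturemode:i:1
authentication level:i:0
"""

# Hypothetical allowlist of jump hosts an organisation actually operates.
TRUSTED_HOSTS = {"jump01.corp.example", "jump02.corp.example"}

# setting -> (predicate on the raw value that means "risky", description)
RISKY_SETTINGS = {
    "drivestoredirect": (lambda v: v.strip() != "", "local drives mapped into the session"),
    "redirectclipboard": (lambda v: v == "1", "clipboard shared with remote host"),
    "redirectprinters": (lambda v: v == "1", "printers shared with remote host"),
    "redirectcomports": (lambda v: v == "1", "COM ports shared with remote host"),
    "redirectsmartcards": (lambda v: v == "1", "smart cards shared with remote host"),
    "audiocapturemode": (lambda v: v == "1", "microphone capture redirected"),
    "authentication level": (lambda v: v == "0", "server certificate errors suppressed"),
    "remoteapplicationmode": (lambda v: v == "1", "RemoteApp mode (remote program runs on connect)"),
}

# name:type:value where type is s (string), i (integer) or b (binary)
LINE_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


@dataclass
class RdpAssessment:
    host: str
    known_host: bool
    findings: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per risky setting, plus two for a target host not on the allowlist.
        return len(self.findings) + (0 if self.known_host else 2)


def parse_rdp(text: str) -> dict:
    """Return {setting_name: value} for every well-formed line; other lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            settings[m.group("name").strip().lower()] = m.group("value").strip()
    return settings


def target_host(settings: dict) -> str:
    """Host part of 'full address' with an optional :port removed (lower-cased).

    Bare IPv6 literals without a port are not handled; this is a triage helper.
    """
    addr = settings.get("full address", "")
    return addr.rsplit(":", 1)[0].lower() if ":" in addr else addr.lower()


def assess_rdp(text: str, trusted_hosts=frozenset(TRUSTED_HOSTS)) -> RdpAssessment:
    """Parse the file, check the host against the allowlist and collect risky settings."""
    settings = parse_rdp(text)
    host = target_host(settings)
    report = RdpAssessment(host=host, known_host=host in trusted_hosts)
    for name, (is_risky, description) in RISKY_SETTINGS.items():
        if name in settings and is_risky(settings[name]):
            report.findings.append(f"{name}={settings[name]}: {description}")
    return report


if __name__ == "__main__":
    result = assess_rdp(SAMPLE_RDP)
    state = "allowlisted" if result.known_host else "UNKNOWN"
    print(f"target host: {result.host} ({state})")
    for finding in result.findings:
        print(" -", finding)
    print("risk score:", result.score)
```

On the constructed sample the script reports an unknown target host and eight risky settings, which is the profile of a file that should be quarantined rather than opened; a connection file pointing at an allowlisted jump host with redirection disabled scores zero. The same check can run in a mail gateway or EDR rule on any attachment with a .rdp extension.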
