Massive 100K-Node Botnet Unleashes Coordinated RDP Blitz Across US Networks

By Ash K

A massive botnet comprising more than 100,000 unique IP addresses has been observed launching a coordinated wave of attacks against Remote Desktop Protocol (RDP) services in the United States. Security telemetry shows the activity started in early October and has rapidly intensified, creating an elevated risk of unauthorized access and ransomware intrusions for poorly hardened RDP endpoints. (GreyNoise, BleepingComputer)

What happened — the short version

GreyNoise and multiple threat intelligence providers detected a distributed scanning and brute-force campaign that first became visible on October 8, 2025, and grew to include more than 100,000 distinct IP addresses spanning 100+ countries. The observed behavior resembles large-scale RDP scanning and authentication attempts aimed at discovering exposed RDP services in the U.S. and testing common credentials against them.

Scale and scope

The operation is notable for its volume and geographic diversity: source IPs appear across more than 100 countries (including Brazil, Argentina, Iran, China, Mexico, Russia and others). Analysts say the sheer number of distinct IPs indicates the campaign is leveraging a widely distributed botnet (and possibly multiple, coordinated scanning fleets) rather than a single, centralized scanner.

Why RDP is at risk

RDP is an attractive target for threat actors because compromised credentials or exposed RDP ports (typically TCP/3389) can give attackers full remote control of servers and endpoints — a fast path to lateral movement, data theft, or ransomware deployment. Historically, RDP exploitation is a leading initial access vector for high-impact intrusions. This campaign’s scale raises concern that opportunistic actors will quickly convert discovered access into active compromise.

Indicators & technical details

Public reporting and GreyNoise telemetry note the following technical patterns:

  • Large-scale TCP scans targeting RDP ports followed by credential-guessing attempts.
  • Source IP diversity consistent with a botnet built from compromised hosts, cloud instances, and misconfigured devices across many countries.
  • A rapid spike in activity from some regions (e.g., Brazil), followed by scanning distributed across many geographies.

Who’s affected

Any organization or administrator exposing RDP to the public internet without strong mitigations is at elevated risk. That includes legacy remote-management systems, remote support tools, Windows servers used for administration, and any endpoints that accept RDP connections. Small businesses and under-resourced IT teams are especially vulnerable because they often lack multi-factor authentication (MFA) or network-level access controls.

Immediate mitigation steps (practical, no-nonsense)

If you run RDP endpoints, apply these actions immediately:

  1. Disable direct RDP on the public internet. Use VPNs or Zero Trust access proxies instead.
  2. Enforce Multi-Factor Authentication (MFA) for all remote admin accounts; MFA blocks most credential-stuffing attempts.
  3. Restrict RDP access with network rules — allow only specific trusted IPs or use identity-aware proxies. Limit connection attempts with firewall rate-limiting and connection throttles.
  4. Deploy strong password policies and rotate privileged credentials; block common passwords and test for weak credentials via internal scans.
  5. Enable and monitor Windows Event logs for failed logons and unusual account activity; integrate alerts into your SIEM. Consider geo-blocking or sinkholing high-volume abusive sources if feasible.
  6. Patch and harden RDP host OS and remote access services; remove unused accounts and RDP roles.

Quick firewall rule example (PowerShell). Note that on its own this only adds a scoped Allow rule; Windows Firewall allow rules are additive, and the built-in "Remote Desktop" rule group still permits TCP/3389 from any address once RDP is enabled, so scope or disable that group as well. Replace x.x.x.x with your trusted management IP or range:
New-NetFirewallRule -DisplayName "Limit-RDP" -Direction Inbound -LocalPort 3389 -Protocol TCP -RemoteAddress x.x.x.x -Action Allow
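The following script is an added example, not code from the original article or from GreyNoise; it carries steps 3, 4 and 6 of the list above through on a single Windows host that must keep accepting RDP from a management network. It assumes an elevated PowerShell session on a supported Windows version; the addresses in $TrustedSources are constructed placeholders from the RFC 5737 documentation ranges, and the lockout thresholds are assumptions to be aligned with your own policy.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session on a
# Windows host that must keep accepting RDP. Addresses in $TrustedSources are constructed
# placeholders (RFC 5737 documentation ranges); replace them with your management network.
$TrustedSources = @('203.0.113.10', '198.51.100.0/24')

# 1. Make sure every profile is enforcing and the default inbound action is Block, so a
#    connection to 3389 is only accepted when an Allow rule explicitly matches it.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Scope EVERY enabled inbound Allow rule for TCP/3389 to the trusted sources. This covers
#    the built-in "Remote Desktop" group, which otherwise allows any remote address once RDP
#    is turned on, as well as custom rules added later by other tools or administrators.
$rdpAllowRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
$rdpAllowRules | Set-NetFirewallRule -RemoteAddress $TrustedSources

# 3. Require Network Level Authentication and TLS on the RDP listener, so an unauthenticated
#    scanner never reaches the Windows logon screen. These are the documented Terminal Server
#    registry values (UserAuthentication=1 -> NLA required, SecurityLayer=2 -> TLS).
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer'      -Value 2 -Type DWord

# 4. Local account lockout slows credential guessing against local accounts (domain accounts
#    are governed by domain policy). Thresholds here are assumptions; align them with policy.
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15

# 5. Verify: every inbound 3389 Allow rule should now list only the trusted sources.
$rdpAllowRules | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

Step 2 deliberately enumerates rules by port filter rather than by display name, because the "Remote Desktop" group name is localized and third-party remote-support tools sometimes add their own 3389 rules; scoping by port catches all of them. MFA and the VPN/ZTNA front door from steps 1 and 2 of the list cannot be configured from a host-local script and still have to be put in place separately.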

What analysts are saying

GreyNoise, which first flagged the unusual spike in scanning activity, warns that the campaign’s size and distribution make opportunistic compromise likely if defenders do not act quickly. Multiple security outlets have corroborated GreyNoise’s telemetry and emphasized that the campaign has been active since early October.

Longer-term risk and strategy

This event underscores a persistent truth: any remote-access service exposed without layered controls remains a high-probability breach vector. Organizations should accelerate migration away from exposed RDP toward modern access architectures (MFA + VPN/ZTNA + least privilege), enforce continuous monitoring, and include RDP attack scenarios in tabletop exercises and incident response plans.

Stay informed

We will continue to monitor GreyNoise and other threat-intel providers for updated IoCs and attack patterns. Administrators who observe suspicious RDP activity should collect logs (Windows event logs, firewall logs, EDR telemetry) and share relevant non-sensitive indicators with trusted intelligence communities and vendors.
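As an added example (not part of the original article), the script below implements the monitoring suggested in step 5 of the mitigation list and the log triage described above: it reads Security log events 4625 (failed logon) and 4624 (successful logon) for the last N hours, summarizes failures per source IP, flags any source that exceeded a threshold and then logged on successfully over RDP, and exports only source IPs and counts (no account names or hostnames) for sharing. It assumes logon auditing is enabled, an elevated session, and that the script name Find-RdpBruteForce.ps1 and the threshold values are the author's own choices, not vendor guidance.

```powershell
# Added example, not from the original article. Summarise RDP credential guessing from the
# local Security log. Assumptions: logon auditing is enabled (the server default), the script
# runs elevated, and the thresholds below are starting points to tune, not vendor guidance.
param(
    [int]$LookbackHours    = 24,
    [int]$FailureThreshold = 20   # assumption: failed logons per source IP that warrant review
)
$since = (Get-Date).AddHours(-$LookbackHours)

# Pull a named field out of an event's EventData by name, so we never depend on the
# positional Properties[] ordering, which differs between Windows versions.
function Get-EventField {
    param($Event, [string]$Name)
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -First 1 -ExpandProperty '#text'
}

# 4625 = failed logon. Logon type 10 (RemoteInteractive) is a classic RDP attempt; type 3
# (Network) is what NLA produces when it rejects the credential before any session exists.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            SourceIP  = Get-EventField $_ 'IpAddress'
            Account   = Get-EventField $_ 'TargetUserName'
            LogonType = Get-EventField $_ 'LogonType'
        }
    } |
    Where-Object { ($_.LogonType -in @('3', '10')) -and $_.SourceIP -and ($_.SourceIP -ne '-') }

# Sources over the threshold. Distinct-account count separates password spraying (many
# accounts, few tries each) from brute force against one account.
$offenders = $failures | Group-Object SourceIP |
    Where-Object { $_.Count -ge $FailureThreshold } |
    ForEach-Object {
        [pscustomobject]@{
            SourceIP  = $_.Name
            Failures  = $_.Count
            Accounts  = @($_.Group.Account | Sort-Object -Unique).Count
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Failures -Descending

# A successful RDP logon (4624, type 10) from a high-failure source is the signal that
# guessing turned into access and needs incident response, not just a firewall rule.
$offenderIPs = @($offenders | ForEach-Object { $_.SourceIP })
$hits = @()
if ($offenderIPs.Count -gt 0) {
    $hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { ((Get-EventField $_ 'LogonType') -eq '10') -and ((Get-EventField $_ 'IpAddress') -in $offenderIPs) } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; SourceIP = Get-EventField $_ 'IpAddress'; Account = Get-EventField $_ 'TargetUserName' }
        }
}

$offenders | Format-Table -AutoSize
if ($hits.Count -gt 0) {
    Write-Warning 'Successful RDP logon(s) from high-failure sources; treat as a possible compromise:'
    $hits | Format-Table -AutoSize
}

# Shareable indicator list: source IPs and counts only, no account names or hostnames.
$offenders | Select-Object SourceIP, Failures, FirstSeen, LastSeen |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'rdp-offenders.csv')
```

Run it as .\Find-RdpBruteForce.ps1 -LookbackHours 48 -FailureThreshold 50 on a host that accepts RDP; the same 4625/4624 logic is what a SIEM correlation rule should implement centrally, with the per-IP failure count and the "failures then success" pairing as the two alert conditions.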

Sources & further reading:
  • GreyNoise official blog — analysis and telemetry
  • BleepingComputer — coverage of the mass RDP botnet
  • SecurityAffairs — technical summary and context
  • The Hacker News — industry commentary
  • AmpcusCyber / ShadowOpsIntel — follow-up reporting and timelines
Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.