Agrius tunnels RDP traffic through deployed web shells to access victim environments via compromised accounts.[3] Agrius used the Plink tool to tunnel RDP connections for remote access and lateral movement in victim environments.[4]
The APT1 group is known to have used RDP during operations.[5]
APT3 enables the Remote Desktop Protocol for persistence.[6] APT3 has also interacted with compromised systems to browse and copy files through RDP sessions.[7]
APT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for management of multiple sessions.[8][9]
APT41 used RDP for lateral movement.[10][11] APT41 used NATBypass to expose local RDP ports on compromised systems to the Internet.[12]
APT5 has moved laterally throughout victim environments using RDP.[13]
Aquatic Panda leveraged stolen credentials to move laterally via RDP in victim environments.[14]
Blue Mockingbird has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts.[16]
During C0015, the threat actors used RDP to access specific network hosts of interest.[17]
During C0018, the threat actors opened a variety of ports to establish RDP connections, including ports 28035, 32467, 41578, and 46892.[18]
During the C0032 campaign, TEMP.Veles utilized RDP throughout an operation.[19]
Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions.[20]
Cobalt Group has used Remote Desktop Protocol to conduct lateral movement.[22]
Cobalt Strike can start a VNC-based remote desktop server and tunnel the connection through the already established C2 channel.[23][24]
During Cutting Edge, threat actors used RDP with compromised credentials for lateral movement.[25]
DarkComet can open an active screen of the victim’s machine and take control of the mouse and keyboard.[26]
FIN10 has used RDP to move laterally to systems in the victim environment.[28]
FIN13 has remotely accessed compromised environments via Remote Desktop Services (RDS) for lateral movement.[29]
FIN7 has used RDP to move laterally in victim environments.[32]
Fox Kitten has used RDP to log in and move laterally in the target environment.[34][35]
HEXANE has used remote desktop sessions for lateral movement.[36]
During HomeLand Justice, threat actors primarily used RDP for lateral movement in the victim environment.[37][38]
Imminent Monitor has a module for performing remote desktop access.[39]
INC Ransom has used RDP to move laterally.[40][41][42][43]
Indrik Spider has used RDP for lateral movement.[44]
Kimsuky has used RDP for direct remote point-and-click access.[46]
Koadic can enable remote desktop on the victim's machine.[47]
Lazarus Group malware SierraCharlie uses RDP for propagation.[48][49]
Leviathan has targeted RDP credentials and used them to move through the victim environment.[50]
Magic Hound has used Remote Desktop Services to copy tools on targeted systems.[51][52]
menuPass has used RDP connections to move across the victim network.[53][54]
njRAT has a module for performing remote desktop access.[55]
OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.[56][57][11]
Pupy can enable or disable RDP connections and can start a remote desktop session using a browser web socket client.[59]
QuasarRAT has a module for performing remote desktop access.[61][62]
Revenge RAT has a plugin to perform RDP access.[63]
SDBbot has the ability to use RDP to connect to victims' machines.[64]
ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel.[65]
During the SolarWinds Compromise, APT29 used RDP sessions from public-facing systems to internal servers.[67]
Volt Typhoon has moved laterally to the Domain Controller via RDP using a compromised account with domain administrator privileges.[68]
WarzoneRAT has the ability to control an infected PC using RDP.[69]
Wizard Spider has used RDP for lateral movement and to deploy ransomware interactively.[70][71][72][73]