Russian hackers have built a massive RDP proxy network that steals sensitive data from prominent targets worldwide. The notorious APT29 group, known as “Midnight Blizzard,” manages 193 RDP proxy servers to execute sophisticated man-in-the-middle attacks. These hackers registered over 200 malicious domain names between August and October 2024, targeting Australian and Ukrainian government entities.
The campaign reached its height on October 22, 2024. Think tanks, government organizations, and academic researchers became primary targets through spear-phishing emails. The attackers’ PyRDP tool intercepts RDP connections, steals credentials, and accesses shared drives without installing malware on target systems. This threat affects sectors of all types, from armed forces to research institutions, making it one of the most dangerous campaigns currently being tracked.
APT29’s RDP Proxy Infrastructure
In terms of RDP proxy deployment sophistication, APT29’s infrastructure ranks among the highest of the recent cyberattacks. The threat actor built a complex network that shows their advanced skills in remote system exploitation.
Network of 193 proxy servers
APT29 runs a network of 193 RDP proxy servers that redirect connections to 34 attacker-controlled backend servers. These servers were set up to relay traffic through multiple layers, which makes detection especially hard. The infrastructure has:
- Residential proxy services
- Commercial VPN products accepting cryptocurrency
- TOR exit nodes for traffic obfuscation
PyRDP tool deployment
APT29 uses PyRDP, a sophisticated Python-based man-in-the-middle tool, as their main attack instrument. The tool is especially worrying because it lets attackers:
- Log plaintext credentials and NTLM hashes
- Extract clipboard data
- Access shared drive contents
- Execute PowerShell commands during new connections
Attack infrastructure setup
The backend infrastructure deployment happened between September 26th and October 20th. The active data exfiltration operations ran from October 18th to October 21st. The group used multiple anonymization techniques that made attribution and tracking much harder.
The infrastructure shows strong resilience through its layered approach. APT29 uses compromised identities to access networks through various entry points, including VPNs and Citrix systems. On top of that, the group knows how to use Azure Run Command and Azure Admin-on-Behalf-of capabilities to run code on virtual machines.
The setup stands out because it uses non-standard RDP relay ports to bypass traditional firewall restrictions. The infrastructure also uses automated tools like RogueRDP to create convincing RDP configuration files. These files start compromised sessions without raising any red flags.
Technical Analysis of RDP Attack Method
The attack uses PyRDP, a powerful red team proxy tool that intercepts and changes communication between victims and remote servers. Users try to connect to what looks like a legitimate RDP server, but the attacker’s infrastructure intercepts their traffic. PyRDP allows attackers to:
- Monitor and log plaintext credentials and NTLM hashes
- Capture clipboard contents instantly
- Execute PowerShell commands on new connections
- Access shared drive contents without detection
Malicious configuration files
The attack starts with specially crafted RDP configuration files sent through spear-phishing emails. These files connect to attacker-controlled servers while looking legitimate to users. The malicious configurations redirect all local resources to the attacker’s infrastructure after execution:
- Local drives and network resources
- Printers and COM ports
- Audio devices and clipboard data
- System credentials
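An added check, not code from the article or from the PyRDP project, that parses a .rdp file and flags the resource-redirect settings and non-standard port described above; the file content and hostname are constructed.

```python
"""Inspect a .rdp file for settings that hand local resources to the remote host.
Added example, not from the article. A .rdp file holds one `name:type:value` per
line (type s = string, i = integer); the sample below is constructed."""
RDP_DEFAULT_PORT = 3389

# Settings that redirect a local resource to the RDP server, with the
# value test that enables each one.
RISKY_REDIRECTS = {
    "drivestoredirect": lambda v: v != "",   # local drives shared, e.g. "*"
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
    "audiocapturemode": lambda v: v == "1",  # local microphone forwarded
}

def parse_rdp(text):
    """Return {setting name: value}; lines without name:type:value are skipped."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings

def assess_rdp(text):
    """Return a list of findings describing what the file would expose."""
    settings = parse_rdp(text)
    findings = []
    addr = settings.get("full address", "")
    host, _, port = addr.rpartition(":")
    if not host:                      # no port given: the whole value is the host
        host, port = addr, ""
    if port.isdigit() and int(port) != RDP_DEFAULT_PORT:
        findings.append(f"non-standard RDP port {port} on {host}")
    for name, is_enabled in RISKY_REDIRECTS.items():
        if name in settings and is_enabled(settings[name]):
            findings.append(f"{name} hands a local resource to {host or 'the remote host'}")
    if settings.get("remoteapplicationmode") == "1":
        findings.append("RemoteApp mode hides the remote desktop behind a single window")
    return findings

# Constructed sample resembling a phishing-delivered configuration file.
SAMPLE_RDP = """\
full address:s:rdp-gateway.example.invalid:8443
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
remoteapplicationmode:i:1
"""
```

A mail gateway or endpoint agent can run the same check on attachments before a user double-clicks them.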
Data exfiltration process
The data theft happens through several carefully arranged steps. The PyRDP proxy channels all stolen data and executed commands back to the attacker without alerting victims. The exfiltration process targets specific high-value data:
- Credentials and certificates
- Network configuration details
- Sensitive documents and files
The attackers use sophisticated evasion techniques that combine commercial VPN products, TOR exit nodes, and residential proxy services to hide their activities. This method helps them maintain persistent access while their traffic appears legitimate to security monitoring systems.
Target Selection and Campaign Scope
APT29’s RDP proxy campaign stands out as one of the most impactful cyber espionage operations we’ve seen. This attack shows how the group has improved its ability to target critical infrastructure worldwide.
Affected industries and regions
APT29’s key targets include several critical sectors:
- Government services and defense contractors
- Financial institutions and banking systems
- Transportation and energy infrastructure
- Healthcare organizations and research facilities
- Intelligence agencies and diplomatic entities
The campaign has hit organizations of all sizes across multiple continents and focuses on NATO members and their allies. The FBI tracked more than 14,000 instances of domain scanning that targeted at least 26 NATO member countries.
Victim profiling methodology
These threat actors use a sophisticated approach to pick their victims. They target organizations with geopolitical and economic importance. Although this campaign reaches a broader audience than APT29’s typical operations, their selection criteria remain strategic.
The group picks their targets based on:
- Organizations providing aid to Ukraine
- Critical infrastructure providers
- Research institutions with valuable intellectual property
- Government agencies with access to classified information
Scale of the attack campaign
Few recent cyber operations approach the size of this campaign. Approximately 200 high-profile victims became targets on a single day in October 2024. The operation spans:
| Region | Target Types |
|---|---|
| United States | Defense contractors, Government agencies |
| Europe | NATO facilities, Research institutions |
| Australia | Government entities |
| Ukraine | Military organizations, Infrastructure |
| Japan | Defense sectors |
The campaign’s success rate raises serious concerns. These intrusions have given threat actors access to unclassified yet sensitive information about weapons platforms, communications infrastructure, and specific technologies that various governments use. Many of the contract awards are already public record, but the stolen program updates and internal communications reveal proprietary details about technological research and funding status.
The attackers managed to keep persistent access to multiple networks, some for at least six months. They kept stealing emails and sensitive data during this time, including hundreds of documents about products, international relationships, and internal legal matters.
RDP Proxy Server Architecture
APT29 uses virtual private servers (VPS) to host their operational tools and exploit victim infrastructure. These servers run OpenVPN to tunnel traffic over port 1194. The group’s reliable infrastructure consists of:
- Virtual private servers for operational tools
- OpenVPN configurations for traffic tunneling
- Multiple anonymization layers to improve their operational security
Proxy relay mechanisms
The attackers built an advanced proxy relay system with ProxyChains to route internal traffic through multiple proxies. This setup pushes network traffic through chains of SOCKS5 proxies and their ports. The infrastructure stays resilient through:
| Component | Purpose |
|---|---|
| SOCKS5 Proxies | Traffic routing and anonymization |
| VPN Services | Connection encryption |
| ProxyChains | Internal traffic management |
Communication protocols
The infrastructure also depends on the protocol it relays. RDP’s multichannel capability provides up to 64,000 separate channels for data transmission. The protocol stack mirrors the seven-layer OSI model, with key changes between the fourth and seventh layers.
The communication architecture has:
- Data sectioning and channel direction
- Encryption and wrapping processes
- Network protocol packaging
- Addressing and transmission
The Terminal Server device driver manages these protocol activities. This makes RDP completely independent of its transport stack. APT29 maintains persistent access and avoids detection through multiple anonymization techniques.
The infrastructure supports network topologies and LAN protocols of all types, running mostly over TCP/IP. Their systems handle multiple data delivery methods and steal information from targeted organizations immediately.
Attack Detection and Indicators
Detecting malicious RDP activity needs monitoring of several network indicators. Security teams should look out for:
- Unusual RDP port activity beyond TCP/3389
- High volumes of RDP sessions in short timeframes
- Connections from suspicious geographic locations
- Unexpected outbound RDP traffic patterns
APT29 uses commercial VPN products and TOR exit nodes to mask their activities. This makes IP-based detection far less effective, so teams need a broader monitoring approach.
Suspicious RDP connections
RDP played a role in 95% of attacks in 2023, up from 88% in 2022. This highlights the significance of keeping an eye on RDP connections. The following are some red flags that security teams should be aware of:
| Event ID | Description | Significance |
|---|---|---|
| 4624 | Successful login | Tracks authentication success |
| 4625 | Failed login attempts | Indicates potential brute force |
| 4778 | Session connected | Shows active connections |
| 4779 | Session disconnected | Reveals session termination |
Organizations should watch for connections with these traits:
- Multiple failed login attempts from the same source
- Successful logins outside normal business hours
- Connections from previously unseen IP addresses
- Unusual session duration patterns
System compromise signs
Our analysis revealed several system-level indicators that point to potential compromise. Event logs show that attackers create new user accounts to maintain access. They share local resources like disks, networks, printers, and clipboard data with their controlled servers.
Security teams should watch for:
- New user accounts with elevated privileges
- Changes in system settings or security configurations
- Installation of new services or scheduled tasks
- PyRDP or similar remote management tools
Exposed RDP risks can be severe. A 127% increase in exposed RDP endpoints followed the COVID-19 outbreak. Organizations need reliable monitoring solutions that can spot these indicators early in the attack chain.
Windows Event Logs give us analytical insights into potential compromises. Event ID 7045 shows the installation of new services, which attackers use to persist. Event IDs 4732 and 4733 help track changes to privileged groups and identify unauthorized privilege escalation attempts.
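An added detection sketch, not code from the article, that applies the red flags listed above (the 4624/4625/4778/4779 logon and session events, off-hours and previously unseen sources, and the 7045 and 4732 persistence indicators) to constructed event records; the field names, thresholds and business hours are assumptions.

```python
"""Flag the RDP red flags the article lists in exported Windows event records.
Added example, not from the article; events are constructed dicts with the
fields a SIEM export would carry, and all thresholds are assumptions."""
from collections import Counter
from datetime import datetime

FAILED_LOGON_THRESHOLD = 5          # assumption: 4625s per source before alerting
BUSINESS_HOURS = range(8, 18)       # assumption: 08:00 to 17:59 local time
MAX_SESSION_HOURS = 12              # assumption: longer RDP sessions are unusual
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}

def detect(events, known_sources):
    # known_sources is the baseline of client IPs that have connected before
    alerts, failed_by_source, connected_at = [], Counter(), {}
    for ev in sorted(events, key=lambda e: e["time"]):
        eid, src = ev["id"], ev.get("source_ip", "-")
        ts = datetime.fromisoformat(ev["time"])
        if eid == 4625:
            failed_by_source[src] += 1
            if failed_by_source[src] == FAILED_LOGON_THRESHOLD:
                alerts.append(f"{src}: {FAILED_LOGON_THRESHOLD} failed logons (possible brute force)")
        elif eid == 4624 and ev.get("logon_type") == 10:   # 10 = RemoteInteractive (RDP)
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(f"{src}: RDP logon as {ev['user']} at {ts:%H:%M}, outside business hours")
            if src not in known_sources:
                alerts.append(f"{src}: RDP logon from a previously unseen source")
        elif eid == 4778:                                   # session (re)connected
            connected_at[ev["session"]] = ts
        elif eid == 4779 and ev["session"] in connected_at: # session disconnected
            hours = (ts - connected_at.pop(ev["session"])).total_seconds() / 3600
            if hours > MAX_SESSION_HOURS:
                alerts.append(f"session {ev['session']}: lasted {hours:.1f} h")
        elif eid == 7045:                                   # new service installed
            alerts.append(f"new service installed: {ev['service']} ({ev['image']})")
        elif eid == 4732 and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(f"{ev['user']} added to {ev['group']}")
    return alerts

# Constructed sample: a brute-force burst, an off-hours logon from a new source,
# persistence via a new service and a group change, and a 14-hour session.
SAMPLE_EVENTS = [
    {"id": 4625, "time": f"2024-10-22T02:1{i}:00", "source_ip": "203.0.113.7", "user": "svc-backup"}
    for i in range(5)
] + [
    {"id": 4624, "time": "2024-10-22T02:20:00", "source_ip": "203.0.113.7", "user": "svc-backup", "logon_type": 10},
    {"id": 4778, "time": "2024-10-22T02:20:05", "session": "RDP-Tcp#3"},
    {"id": 7045, "time": "2024-10-22T02:25:00", "service": "UpdaterSvc", "image": "C:\\ProgramData\\u.exe"},
    {"id": 4732, "time": "2024-10-22T02:26:00", "user": "svc-backup", "group": "Administrators"},
    {"id": 4624, "time": "2024-10-22T10:05:00", "source_ip": "10.0.0.5", "user": "alice", "logon_type": 10},
    {"id": 4779, "time": "2024-10-22T16:20:05", "session": "RDP-Tcp#3"},
]
KNOWN_SOURCES = {"10.0.0.5"}
```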
Frequently Asked Questions
Q1. What is the main method used by Russian hackers in this attack campaign?
The hackers are using RDP (Remote Desktop Protocol) proxy attacks, employing a network of 193 proxy servers to intercept connections and steal sensitive data from high-profile targets worldwide.
Q2. Which hacking group is responsible for these attacks?
The assaults are said to have been carried out by APT29, better known as “Midnight Blizzard,” an infamous Russian hacking group renowned for complex cyber espionage projects.
Q3. What types of organizations are being targeted in this campaign?
The campaign primarily targets government services, defense contractors, financial institutions, transportation and energy infrastructure, healthcare organizations, and intelligence agencies across multiple countries, with a focus on NATO members and their allies.
Q4. How can organizations detect these RDP proxy attacks?
Organizations should monitor for unusual RDP port activity, high volumes of RDP sessions in short timeframes, connections from suspicious locations, and unexpected outbound RDP traffic patterns. They should also watch for suspicious login attempts and the creation of unexpected user accounts with elevated privileges.
Q5. What tool are the hackers using to execute these attacks?
The attackers are utilizing PyRDP, a sophisticated Python-based man-in-the-middle tool that allows them to log credentials, extract clipboard data, access shared drive contents, and execute PowerShell commands during new connections.
Conclusion
Russian hackers have shown remarkable skill in their RDP proxy attack campaign. Their network of 193 proxy servers and advanced PyRDP tools lets them steal sensitive data without being detected. Organizations need stronger cybersecurity defenses to combat these evolving threats.
The message is clear: cybersecurity threats are becoming more complex and dangerous every day. Your organization needs to stay alert, keep security protocols current, and track new attack patterns. Protecting sensitive data means adapting constantly to counter these evolving cyber threats.