{"id":7321,"date":"2025-01-18T11:22:12","date_gmt":"2025-01-18T11:22:12","guid":{"rendered":"https:\/\/kocerroxy.com\/?p=7321"},"modified":"2025-01-27T09:18:06","modified_gmt":"2025-01-27T09:18:06","slug":"hackers-launch-rdp-proxy-attacks-to-steal-corporate-data","status":"publish","type":"post","link":"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/","title":{"rendered":"Hackers Launch RDP Proxy Attacks to Steal Corporate Data"},"content":{"rendered":"\n<p>Russian hackers have built a massive RDP proxy network that steals sensitive data from prominent targets worldwide. The notorious APT29 group, known as &#8220;Midnight Blizzard,&#8221; manages <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/l\/earth-koshchei.html\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>193 RDP proxy servers<\/strong><\/a> to execute sophisticated man-in-the-middle attacks. These hackers registered over 200 malicious domain names between August and October 2024, targeting Australian and Ukrainian government entities.<\/p>\n\n\n\n<p>The campaign reached its height on October 22, 2024. Think tanks, government organizations, and academic researchers became primary targets through spear-phishing emails. The attackers&#8217; advanced <a href=\"https:\/\/github.com\/GoSecure\/pyrdp\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>PyRDP tool<\/strong><\/a> now intercepts RDP connections, steals credentials, and accesses shared drives without installing malware on target systems. 
This cyber threat affects sectors of all types, from armed forces to research institutions, making it one of the most dangerous threats under current surveillance.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"APT29s_RDP_Proxy_Infrastructure\"><\/span><strong>APT29&#8217;s RDP Proxy Infrastructure<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>In terms of RDP proxy deployment sophistication, APT29&#8217;s infrastructure ranks among the highest of the recent cyberattacks. The threat actor built a complex network that shows their advanced skills in remote system exploitation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Network_of_193_proxy_servers\"><\/span><strong>Network of 193 proxy servers<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>APT29 runs a network of 193 RDP proxy servers that redirect connections to 34 attacker-controlled backend servers. These servers were set up to relay traffic through multiple layers, which makes detection especially hard. 
The infrastructure has:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Residential proxy services<\/li>\n\n\n\n<li>Commercial VPN products accepting cryptocurrency<\/li>\n\n\n\n<li>TOR exit nodes for traffic obfuscation<\/li>\n<\/ul>\n\n\n\n<p class=\"has-text-align-center\">Also read: <a href=\"https:\/\/kocerroxy.com\/blog\/global-crackdown-targets-botnet-in-major-dns-attacks-disruption\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Global Crackdown Targets Botnet in Major DNS Attacks Disruption<\/strong><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"PyRDP_tool_deployment\"><\/span>PyRDP tool deployment<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>APT29 uses PyRDP, a sophisticated Python-based man-in-the-middle tool, as their main attack instrument. The tool is especially worrying because it lets attackers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log plaintext credentials and NTLM hashes<\/li>\n\n\n\n<li>Extract clipboard data<\/li>\n\n\n\n<li>Access shared drive contents<\/li>\n\n\n\n<li>Execute PowerShell commands during new connections<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Attack_infrastructure_setup\"><\/span><strong>Attack infrastructure setup<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The backend infrastructure deployment happened between September 26th and October 20th. The active data exfiltration operations ran from October 18th to October 21st. The group used multiple anonymization techniques that made attribution and tracking much harder.<\/p>\n\n\n\n<p>The infrastructure shows strong resilience through its layered approach. APT29 uses compromised identities to access networks through various entry points, including VPNs and Citrix systems. 
On top of that, the group knows how to use Azure Run Command and Azure Admin-on-Behalf-of capabilities to run code on virtual machines.<\/p>\n\n\n\n<p>The setup stands out because it uses non-standard RDP relay ports to bypass traditional firewall restrictions. The infrastructure also uses automated tools like <a href=\"https:\/\/www.blackhillsinfosec.com\/rogue-rdp-revisiting-initial-access-methods\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>RogueRDP<\/strong><\/a> to create convincing RDP configuration files. These files start compromised sessions without raising any red flags.<\/p>\n\n\n\n<p class=\"has-text-align-center\">Also read: <a href=\"https:\/\/kocerroxy.com\/blog\/cracking-the-code-to-create-a-proxy-network\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Cracking the Code to Create a Proxy Network<\/strong><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Technical_Analysis_of_RDP_Attack_Method\"><\/span><strong>Technical Analysis of RDP Attack Method<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The attack uses PyRDP, a powerful red team proxy tool that intercepts and changes communication between victims and remote servers. Users try to connect to what looks like a legitimate RDP server, but the attacker&#8217;s infrastructure intercepts their traffic. 
PyRDP allows attackers to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor and log plaintext credentials and NTLM hashes<\/li>\n\n\n\n<li>Capture clipboard contents instantly<\/li>\n\n\n\n<li>Execute PowerShell commands on new connections<\/li>\n\n\n\n<li>Access shared drive contents without detection<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Malicious_configuration_files\"><\/span><strong>Malicious configuration files<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The attack starts with <strong>specially crafted RDP configuration files<\/strong> sent through spear-phishing emails. These files connect to attacker-controlled servers while looking legitimate to users. The malicious configurations redirect all local resources to the attacker&#8217;s infrastructure after execution:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Local drives and network resources<\/li>\n\n\n\n<li>Printers and COM ports<\/li>\n\n\n\n<li>Audio devices and clipboard data<\/li>\n\n\n\n<li>System credentials<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Data_exfiltration_process\"><\/span><strong>Data exfiltration process<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The data theft happens through several carefully arranged steps. The PyRDP proxy channels all stolen data and executed commands back to the attacker without alerting victims. The exfiltration process targets specific high-value data:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Credentials and certificates<\/li>\n\n\n\n<li>Network configuration details<\/li>\n\n\n\n<li>Sensitive documents and files<\/li>\n<\/ol>\n\n\n\n<p>The attackers use sophisticated evasion techniques that combine commercial VPN products, TOR exit nodes, and residential proxy services to hide their activities. 
This method helps them maintain persistent access while their traffic appears legitimate to security monitoring systems.<\/p>\n\n\n\n<p class=\"has-text-align-center\">Also read: <a href=\"https:\/\/kocerroxy.com\/blog\/how-to-prepare-effective-llm-training-data\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>How to Prepare Effective LLM Training Data<\/strong><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Target_Selection_and_Campaign_Scope\"><\/span><strong>Target Selection and Campaign Scope<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>APT29&#8217;s RDP proxy campaign stands out as one of the most impactful cyber espionage operations we&#8217;ve seen. This attack shows how the group has improved its ability to target critical infrastructure worldwide.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Affected_industries_and_regions\"><\/span><strong>Affected industries and regions<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><a href=\"https:\/\/aws.amazon.com\/blogs\/security\/amazon-identified-internet-domains-abused-by-apt29\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>APT29&#8217;s key targets<\/strong><\/a> include several critical sectors:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Government services and defense contractors<\/li>\n\n\n\n<li>Financial institutions and banking systems<\/li>\n\n\n\n<li>Transportation and energy infrastructure<\/li>\n\n\n\n<li>Healthcare organizations and research facilities<\/li>\n\n\n\n<li>Intelligence agencies and diplomatic entities<\/li>\n<\/ul>\n\n\n\n<p>The campaign has hit organizations of all sizes across multiple continents and focuses on NATO members and their allies. 
The FBI tracked <strong>more than 14,000 instances of domain scanning<\/strong> that targeted at least 26 NATO member countries.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Victim_profiling_methodology\"><\/span><strong>Victim profiling methodology<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>These threat actors use a sophisticated approach to pick their victims. They target organizations with geopolitical and economic importance. Although this campaign reaches a broader audience than APT29&#8217;s typical operations, their selection criteria remain strategic.<\/p>\n\n\n\n<p>The group picks their targets based on:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Organizations providing aid to Ukraine<\/li>\n\n\n\n<li>Critical infrastructure providers<\/li>\n\n\n\n<li>Research institutions with valuable intellectual property<\/li>\n\n\n\n<li>Government agencies with access to classified information<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Scale_of_the_attack_campaign\"><\/span><strong>Scale of the attack campaign<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Recent cyber operations are nowhere near the size of this campaign. Approximately 200 high-profile victims became targets on a single day in October 2024. 
The operation spans:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Region<\/strong><\/td><td><strong>Target Types<\/strong><\/td><\/tr><tr><td>United States<\/td><td>Defense contractors, Government agencies<\/td><\/tr><tr><td>Europe<\/td><td>NATO facilities, Research institutions<\/td><\/tr><tr><td>Australia<\/td><td>Government entities<\/td><\/tr><tr><td>Ukraine<\/td><td>Military organizations, Infrastructure<\/td><\/tr><tr><td>Japan<\/td><td>Defense sectors<\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\">Attacked regions and target types<\/figcaption><\/figure>\n\n\n\n<p>The campaign&#8217;s success rate raises serious concerns. These intrusions have given threat actors access to unclassified yet sensitive information about weapons platforms, communications infrastructure, and specific technologies that various governments use. Public records show many contract awards, but the stolen program developments and internal communications reveal proprietary details about technological research and funding statuses.<\/p>\n\n\n\n<p>The attackers managed to keep persistent access to multiple networks, some for at least six months. 
They kept stealing emails and sensitive data during this time, including hundreds of documents about products, international relationships, and internal legal matters.<\/p>\n\n\n\n<p class=\"has-text-align-center\">Also read: <a href=\"https:\/\/kocerroxy.com\/blog\/microsofts-deception-bytes-outsmarting-scammers-with-virtual-honeypots\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Microsoft\u2019s Deception Bytes: Outsmarting Scammers with Virtual Honeypots<\/strong><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"RDP_Proxy_Server_Architecture\"><\/span><strong>RDP Proxy Server Architecture<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>APT29 uses virtual private servers (VPS) to host their operational tools and exploit victim infrastructure. These servers run OpenVPN to tunnel traffic over port 1194. The group&#8217;s reliable infrastructure consists of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Virtual private servers for operational tools<\/li>\n\n\n\n<li>OpenVPN configurations for traffic tunneling<\/li>\n\n\n\n<li>Multiple anonymization layers to improve security<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Proxy_relay_mechanisms\"><\/span><strong>Proxy relay mechanisms<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The attackers built an advanced proxy relay system with ProxyChains to route internal traffic through multiple proxies. This setup pushes network traffic through chains of SOCKS5 proxies and their ports. 
The infrastructure stays resilient through:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Component<\/strong><\/td><td><strong>Purpose<\/strong><\/td><\/tr><tr><td>SOCKS5 Proxies<\/td><td>Traffic routing and anonymization<\/td><\/tr><tr><td>VPN Services<\/td><td>Connection encryption<\/td><\/tr><tr><td>ProxyChains<\/td><td>Internal traffic management<\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\">Proxy relay components and purposes<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Communication_protocols\"><\/span><strong>Communication protocols<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The infrastructure also depends on the underlying communication protocol. RDP&#8217;s multichannel capability provides <a href=\"https:\/\/learn.microsoft.com\/en-us\/troubleshoot\/windows-server\/remote\/understanding-remote-desktop-protocol\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>64,000 separate channels<\/strong><\/a> for data transmission. The protocol stack is structured like the seven-layer OSI model, with the RDP-specific processing taking place between the fourth and seventh layers.<\/p>\n\n\n\n<p>The communication path involves:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Data sectioning and channel direction<\/li>\n\n\n\n<li>Encryption and wrapping processes<\/li>\n\n\n\n<li>Network protocol packaging<\/li>\n\n\n\n<li>Addressing and transmission<\/li>\n<\/ol>\n\n\n\n<p>The Terminal Server device driver manages these protocol activities, which keeps RDP independent of its underlying transport stack. APT29 maintains persistent access and avoids detection through multiple anonymization techniques.<\/p>\n\n\n\n<p>The infrastructure supports network topologies and LAN protocols of all types, running mostly over TCP\/IP. 
Their systems handle multiple data delivery methods and begin stealing information from targeted organizations immediately.<\/p>\n\n\n\n<p class=\"has-text-align-center\">Also read: <a href=\"https:\/\/kocerroxy.com\/blog\/the-hidden-honeypot-trap-how-to-spot-and-avoid-it-while-scraping\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>The Hidden Honeypot Trap: How to Spot and Avoid It While Scraping<\/strong><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Attack_Detection_and_Indicators\"><\/span><strong>Attack Detection and Indicators<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Detecting malicious RDP activity requires monitoring several network indicators. Security teams should look out for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unusual RDP port activity beyond TCP\/3389<\/li>\n\n\n\n<li>High volumes of RDP sessions in short timeframes<\/li>\n\n\n\n<li>Connections from suspicious geographic locations<\/li>\n\n\n\n<li>Unexpected outbound RDP traffic patterns<\/li>\n<\/ul>\n\n\n\n<p>APT29 uses commercial VPN products and TOR exit nodes to mask their activities. This makes IP-based detection far less effective, so teams need a more complete monitoring approach.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Suspicious_RDP_connections\"><\/span><strong>Suspicious RDP connections<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/08\/23\/active-adversary-for-tech-leaders\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>RDP played a role in 95% of attacks in 2023<\/strong><\/a>, up from 88% in 2022. This underscores the importance of closely monitoring RDP connections. 
The following are some red flags that security teams should be aware of:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Event ID<\/strong><\/td><td><strong>Description<\/strong><\/td><td><strong>Significance<\/strong><\/td><\/tr><tr><td>4624<\/td><td>Successful login<\/td><td>Tracks authentication success<\/td><\/tr><tr><td>4625<\/td><td>Failed login attempts<\/td><td>Indicates potential brute force<\/td><\/tr><tr><td>4778<\/td><td>Session connected<\/td><td>Shows active connections<\/td><\/tr><tr><td>4779<\/td><td>Session disconnected<\/td><td>Reveals session termination<\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\">Event IDs and significance<\/figcaption><\/figure>\n\n\n\n<p>Organizations should watch for connections with these traits:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Multiple failed login attempts from the same source<\/li>\n\n\n\n<li>Successful logins outside normal business hours<\/li>\n\n\n\n<li>Connections from previously unseen IP addresses<\/li>\n\n\n\n<li>Unusual session duration patterns<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"System_compromise_signs\"><\/span><strong>System compromise signs<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Our analysis revealed several system-level indicators that point to potential compromise. Event logs show that attackers create new user accounts to maintain access. They share local resources like disks, networks, printers, and clipboard data with their controlled servers.<\/p>\n\n\n\n<p>Security teams should watch for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>New user accounts with elevated privileges<\/li>\n\n\n\n<li>Changes in system settings or security configurations<\/li>\n\n\n\n<li>Installation of new services or scheduled tasks<\/li>\n\n\n\n<li>PyRDP or similar remote management tools<\/li>\n<\/ul>\n\n\n\n<p>Exposed RDP risks can be severe. 
A <strong>127% increase in exposed RDP endpoints<\/strong> followed the COVID-19 outbreak. Organizations need reliable monitoring solutions that can spot these indicators early in the attack chain.<\/p>\n\n\n\n<p>Windows Event Logs give us analytical insights into potential compromises. Event ID 7045 shows the installation of new services, which attackers use to persist. Event IDs 4732 and 4733 help track changes to privileged groups and identify unauthorized privilege escalation attempts.<\/p>\n\n\n\n<p class=\"has-text-align-center\">Also read: <a href=\"https:\/\/kocerroxy.com\/blog\/exploring-the-advanced-capabilities-of-socks5-proxies\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Exploring the Advanced Capabilities of SOCKS5 Proxies<\/strong><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Frequently_Asked_Questions\"><\/span><strong>Frequently Asked Questions<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Q1_What_is_the_main_method_used_by_Russian_hackers_in_this_attack_campaign\"><\/span>Q1. What is the main method used by Russian hackers in this attack campaign?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The hackers are using RDP (Remote Desktop Protocol) proxy attacks, employing a network of 193 proxy servers to intercept connections and steal sensitive data from high-profile targets worldwide.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Q2_Which_hacking_group_is_responsible_for_these_attacks\"><\/span>Q2. 
Which hacking group is responsible for these attacks?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The assaults are said to have been carried out by APT29, better known as &#8220;Midnight Blizzard,&#8221; an infamous Russian hacking group renowned for complex cyber espionage projects.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Q3_What_types_of_organizations_are_being_targeted_in_this_campaign\"><\/span>Q3. What types of organizations are being targeted in this campaign?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The campaign primarily targets government services, defense contractors, financial institutions, transportation and energy infrastructure, healthcare organizations, and intelligence agencies across multiple countries, with a focus on NATO members and their allies.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Q4_How_can_organizations_detect_these_RDP_proxy_attacks\"><\/span>Q4. How can organizations detect these RDP proxy attacks?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Organizations should monitor for unusual RDP port activity, high volumes of RDP sessions in short timeframes, connections from suspicious locations, and unexpected outbound RDP traffic patterns. They should also watch for suspicious login attempts and the creation of unexpected user accounts with elevated privileges.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Q5_What_tool_are_the_hackers_using_to_execute_these_attacks\"><\/span>Q5. 
What tool are the hackers using to execute these attacks?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The attackers are utilizing PyRDP, a sophisticated Python-based man-in-the-middle tool that allows them to log credentials, extract clipboard data, access shared drive contents, and execute PowerShell commands during new connections.<\/p>\n\n\n\n<p class=\"has-text-align-center\">Also read: <a href=\"https:\/\/kocerroxy.com\/blog\/how-to-test-bandwidth-usage-with-nginx\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>How to Test Bandwidth Usage with Nginx<\/strong><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span><strong>Conclusion<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Russian hackers have shown remarkable skill in their RDP proxy attack campaign. Their network of 193 proxy servers and advanced PyRDP tools lets them steal sensitive data without being detected. Organizations need stronger cybersecurity defenses to combat these evolving threats.<\/p>\n\n\n\n<p>The message is clear: cybersecurity threats are becoming more complex and dangerous every day. Your organization needs to stay alert, keep security protocols current, and track new attack patterns. Protecting sensitive data means adapting constantly to counter these evolving cyber threats.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Massive RDP proxy attack by APT29 targets government entities globally. 
Find out how PyRDP tools are compromising sensitive data.<\/p>\n","protected":false},"author":3,"featured_media":7322,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[166],"tags":[181,167],"class_list":["post-7321","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-cybersecurity","tag-news"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Hackers Launch RDP Proxy Attacks to Steal Corporate Data - KocerRoxy<\/title>\n<meta name=\"description\" content=\"Massive RDP proxy attack by APT29 targets government entities globally. Find out how PyRDP tools are compromising sensitive data.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Hackers Launch RDP Proxy Attacks to Steal Corporate Data - KocerRoxy\" \/>\n<meta property=\"og:description\" content=\"Massive RDP proxy attack by APT29 targets government entities globally. 
Find out how PyRDP tools are compromising sensitive data.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/\" \/>\n<meta property=\"og:site_name\" content=\"KocerRoxy\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/TheHelenBold\" \/>\n<meta property=\"article:published_time\" content=\"2025-01-18T11:22:12+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-01-27T09:18:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/kocerroxy.com\/blog\/wp-content\/uploads\/2025\/01\/Untitled-19.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"610\" \/>\n\t<meta property=\"og:image:height\" content=\"286\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"Helen Bold\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@TheHelenBold\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Helen Bold\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/\"},\"author\":{\"name\":\"Helen Bold\",\"@id\":\"https:\/\/kocerroxy.com\/blog\/#\/schema\/person\/c9c9120b90dac4268b7012486a55074c\"},\"headline\":\"Hackers Launch RDP Proxy Attacks to Steal Corporate Data\",\"datePublished\":\"2025-01-18T11:22:12+00:00\",\"dateModified\":\"2025-01-27T09:18:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/\"},\"wordCount\":1845,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/kocerroxy.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/kocerroxy.com\/blog\/wp-content\/uploads\/2025\/01\/Untitled-19.webp\",\"keywords\":[\"cybersecurity\",\"news\"],\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/\",\"url\":\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/\",\"name\":\"Hackers Launch RDP Proxy Attacks to Steal Corporate Data - 
KocerRoxy\",\"isPartOf\":{\"@id\":\"https:\/\/kocerroxy.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/kocerroxy.com\/blog\/wp-content\/uploads\/2025\/01\/Untitled-19.webp\",\"datePublished\":\"2025-01-18T11:22:12+00:00\",\"dateModified\":\"2025-01-27T09:18:06+00:00\",\"description\":\"Massive RDP proxy attack by APT29 targets government entities globally. Find out how PyRDP tools are compromising sensitive data.\",\"breadcrumb\":{\"@id\":\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#primaryimage\",\"url\":\"https:\/\/kocerroxy.com\/blog\/wp-content\/uploads\/2025\/01\/Untitled-19.webp\",\"contentUrl\":\"https:\/\/kocerroxy.com\/blog\/wp-content\/uploads\/2025\/01\/Untitled-19.webp\",\"width\":610,\"height\":286,\"caption\":\"RDP Proxy\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/kocerroxy.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Hackers Launch RDP Proxy Attacks to Steal Corporate 
Data\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/kocerroxy.com\/blog\/#website\",\"url\":\"https:\/\/kocerroxy.com\/blog\/\",\"name\":\"Kocerroxy\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/kocerroxy.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/kocerroxy.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/kocerroxy.com\/blog\/#organization\",\"name\":\"Kocerroxy\",\"url\":\"https:\/\/kocerroxy.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kocerroxy.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/kocerroxy.com\/wp-content\/uploads\/2023\/07\/Favicon.png\",\"contentUrl\":\"https:\/\/kocerroxy.com\/wp-content\/uploads\/2023\/07\/Favicon.png\",\"width\":512,\"height\":512,\"caption\":\"Kocerroxy\"},\"image\":{\"@id\":\"https:\/\/kocerroxy.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/kocerroxy.com\/blog\/#\/schema\/person\/c9c9120b90dac4268b7012486a55074c\",\"name\":\"Helen Bold\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kocerroxy.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/7624887d3556e306a0883ab27fba8ad89c7f315532399aacf4e5cd49014bc658?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/7624887d3556e306a0883ab27fba8ad89c7f315532399aacf4e5cd49014bc658?s=96&d=mm&r=g\",\"caption\":\"Helen Bold\"},\"description\":\"Helen Bold has been writing about proxies since 2020. Helen specializes in gathering details, checking facts, and bringing value to our readers. In addition to writing articles, Helen does in-depth research and analyzes proxy industry trends. 
In her free time, she also writes amazing novels. You can read more about her personal work here: helenbold.com\",\"sameAs\":[\"http:\/\/helenbold.com\",\"https:\/\/www.facebook.com\/TheHelenBold\",\"https:\/\/www.instagram.com\/helenboldwriter\/\",\"https:\/\/x.com\/TheHelenBold\"],\"url\":\"https:\/\/kocerroxy.com\/blog\/author\/helen-b\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Hackers Launch RDP Proxy Attacks to Steal Corporate Data - KocerRoxy","description":"Massive RDP proxy attack by APT29 targets government entities globally. Find out how PyRDP tools are compromising sensitive data.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/","og_locale":"en_US","og_type":"article","og_title":"Hackers Launch RDP Proxy Attacks to Steal Corporate Data - KocerRoxy","og_description":"Massive RDP proxy attack by APT29 targets government entities globally. Find out how PyRDP tools are compromising sensitive data.","og_url":"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/","og_site_name":"KocerRoxy","article_author":"https:\/\/www.facebook.com\/TheHelenBold","article_published_time":"2025-01-18T11:22:12+00:00","article_modified_time":"2025-01-27T09:18:06+00:00","og_image":[{"width":610,"height":286,"url":"https:\/\/kocerroxy.com\/blog\/wp-content\/uploads\/2025\/01\/Untitled-19.webp","type":"image\/webp"}],"author":"Helen Bold","twitter_card":"summary_large_image","twitter_creator":"@TheHelenBold","twitter_misc":{"Written by":"Helen Bold","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#article","isPartOf":{"@id":"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/"},"author":{"name":"Helen Bold","@id":"https:\/\/kocerroxy.com\/blog\/#\/schema\/person\/c9c9120b90dac4268b7012486a55074c"},"headline":"Hackers Launch RDP Proxy Attacks to Steal Corporate Data","datePublished":"2025-01-18T11:22:12+00:00","dateModified":"2025-01-27T09:18:06+00:00","mainEntityOfPage":{"@id":"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/"},"wordCount":1845,"commentCount":0,"publisher":{"@id":"https:\/\/kocerroxy.com\/blog\/#organization"},"image":{"@id":"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#primaryimage"},"thumbnailUrl":"https:\/\/kocerroxy.com\/blog\/wp-content\/uploads\/2025\/01\/Untitled-19.webp","keywords":["cybersecurity","news"],"articleSection":["News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/","url":"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/","name":"Hackers Launch RDP Proxy Attacks to Steal Corporate Data - 
KocerRoxy","isPartOf":{"@id":"https:\/\/kocerroxy.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#primaryimage"},"image":{"@id":"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#primaryimage"},"thumbnailUrl":"https:\/\/kocerroxy.com\/blog\/wp-content\/uploads\/2025\/01\/Untitled-19.webp","datePublished":"2025-01-18T11:22:12+00:00","dateModified":"2025-01-27T09:18:06+00:00","description":"Massive RDP proxy attack by APT29 targets government entities globally. Find out how PyRDP tools are compromising sensitive data.","breadcrumb":{"@id":"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#primaryimage","url":"https:\/\/kocerroxy.com\/blog\/wp-content\/uploads\/2025\/01\/Untitled-19.webp","contentUrl":"https:\/\/kocerroxy.com\/blog\/wp-content\/uploads\/2025\/01\/Untitled-19.webp","width":610,"height":286,"caption":"RDP Proxy"},{"@type":"BreadcrumbList","@id":"https:\/\/kocerroxy.com\/blog\/hackers-launch-rdp-proxy-attacks-to-steal-corporate-data\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/kocerroxy.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Hackers Launch RDP Proxy Attacks to Steal Corporate 
Data"}]},{"@type":"WebSite","@id":"https:\/\/kocerroxy.com\/blog\/#website","url":"https:\/\/kocerroxy.com\/blog\/","name":"Kocerroxy","description":"","publisher":{"@id":"https:\/\/kocerroxy.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kocerroxy.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/kocerroxy.com\/blog\/#organization","name":"Kocerroxy","url":"https:\/\/kocerroxy.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kocerroxy.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/kocerroxy.com\/wp-content\/uploads\/2023\/07\/Favicon.png","contentUrl":"https:\/\/kocerroxy.com\/wp-content\/uploads\/2023\/07\/Favicon.png","width":512,"height":512,"caption":"Kocerroxy"},"image":{"@id":"https:\/\/kocerroxy.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/kocerroxy.com\/blog\/#\/schema\/person\/c9c9120b90dac4268b7012486a55074c","name":"Helen Bold","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kocerroxy.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/7624887d3556e306a0883ab27fba8ad89c7f315532399aacf4e5cd49014bc658?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7624887d3556e306a0883ab27fba8ad89c7f315532399aacf4e5cd49014bc658?s=96&d=mm&r=g","caption":"Helen Bold"},"description":"Helen Bold has been writing about proxies since 2020. Helen specializes in gathering details, checking facts, and bringing value to our readers. In addition to writing articles, Helen does in-depth research and analyzes proxy industry trends. In her free time, she also writes amazing novels. 
You can read more about her personal work here: helenbold.com","sameAs":["http:\/\/helenbold.com","https:\/\/www.facebook.com\/TheHelenBold","https:\/\/www.instagram.com\/helenboldwriter\/","https:\/\/x.com\/TheHelenBold"],"url":"https:\/\/kocerroxy.com\/blog\/author\/helen-b\/"}]}},"_links":{"self":[{"href":"https:\/\/kocerroxy.com\/blog\/wp-json\/wp\/v2\/posts\/7321","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kocerroxy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kocerroxy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kocerroxy.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kocerroxy.com\/blog\/wp-json\/wp\/v2\/comments?post=7321"}],"version-history":[{"count":2,"href":"https:\/\/kocerroxy.com\/blog\/wp-json\/wp\/v2\/posts\/7321\/revisions"}],"predecessor-version":[{"id":7406,"href":"https:\/\/kocerroxy.com\/blog\/wp-json\/wp\/v2\/posts\/7321\/revisions\/7406"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kocerroxy.com\/blog\/wp-json\/wp\/v2\/media\/7322"}],"wp:attachment":[{"href":"https:\/\/kocerroxy.com\/blog\/wp-json\/wp\/v2\/media?parent=7321"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kocerroxy.com\/blog\/wp-json\/wp\/v2\/categories?post=7321"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kocerroxy.com\/blog\/wp-json\/wp\/v2\/tags?post=7321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}