Earth Koshchei, also known as APT29 and Midnight Blizzard, is leveraging red team tools and techniques to compromise RDP servers. The attack methodology combines an RDP relay, rogue RDP servers and malicious RDP configuration files, and redirects traffic through VPNs, Tor and residential proxies, which makes detection and mitigation difficult. This sophisticated campaign targets governments, armed forces, think tanks, academic researchers, and Ukrainian entities, and can lead to data leakage and malware installation. The APT group uses spear-phishing emails containing malicious RDP configuration files that redirect traffic to 193 RDP relays.
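Because the initial access in this campaign is a `.rdp` attachment, a defender's first triage step is to parse the attachment and flag the properties that make such a file dangerous: a `full address` pointing outside approved infrastructure and local-resource redirection (drives, clipboard, printers) turned on. The script below is an added example and is not code from the report or from Trend Micro; the setting names it checks (`full address`, `drivestoredirect`, `redirectclipboard`, `redirectprinters`, `redirectsmartcards`, `remoteapplicationmode`) are standard Remote Desktop client file keys, and the two sample files and host names are constructed for illustration.

```python
"""Triage helper for .rdp attachments (added example, not from the report)."""
import re
from typing import Callable, Dict, List, Tuple

# Settings whose values expose the victim's local resources to the remote host.
# Key names follow the Windows Remote Desktop client .rdp format (assumed here).
RISKY_SETTINGS: Dict[str, Callable[[str], bool]] = {
    "drivestoredirect": lambda v: v not in ("", "0"),  # local drives mapped into session
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "remoteapplicationmode": lambda v: v == "1",      # RemoteApp hides the full desktop
}


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'key:type:value' lines into {key: (type, value)}; ignores blanks and comments."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)  # value may itself contain ':' (host:port)
        if len(parts) != 3:
            continue
        key, typ, value = parts
        settings[key.strip().lower()] = (typ.strip(), value.strip())
    return settings


def assess_rdp(text: str, allowed_hosts: List[str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    settings = parse_rdp(text)
    findings: List[str] = []

    addr = settings.get("full address", ("", ""))[1]
    host = addr.rsplit(":", 1)[0] if re.search(r":\d+$", addr) else addr
    allowed = {h.lower() for h in allowed_hosts}
    if not host:
        findings.append("no 'full address' set")
    elif host.lower() not in allowed:
        findings.append(f"connects to unapproved host {host!r}")

    for key, is_risky in RISKY_SETTINGS.items():
        if key in settings and is_risky(settings[key][1]):
            findings.append(f"{key} enabled ({settings[key][1]!r})")
    return findings


# Constructed samples: a benign corporate file and one shaped like a rogue-relay lure.
BENIGN_RDP = """\
full address:s:rdp.corp.example:3389
redirectclipboard:i:0
drivestoredirect:s:
"""

SUSPICIOUS_RDP = """\
; constructed sample, not a real indicator
full address:s:relay.attacker-placeholder.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
remoteapplicationmode:i:1
"""

if __name__ == "__main__":
    approved = ["rdp.corp.example"]
    for name, sample in (("benign", BENIGN_RDP), ("suspicious", SUSPICIOUS_RDP)):
        hits = assess_rdp(sample, approved)
        print(f"{name}: {'CLEAN' if not hits else 'FLAGGED'}")
        for h in hits:
            print("  -", h)
```

In a mail-gateway or EDR pipeline the same check would run on every `.rdp` attachment, and the allowlist would be the organization's own RDP gateways; a file that both targets an unknown host and maps local drives is the shape worth quarantining outright rather than just alerting on.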