One of the most dangerous state-sponsored hacking groups in the world is actively targeting Remote Desktop Protocol (RDP) servers in critical infrastructure, defense organizations, and government agencies. APT-C-13, also known as Sandworm, APT44, Seashell Blizzard, and Voodoo Bear, has been conducting cyber operations since at least 2009.
However, its most recent campaign shows a significant shift in strategy: instead of destructive, one-off attacks, it now relies on quiet, long-term infiltration to gather intelligence over time. The first stage of the campaign is a malicious ISO image, Microsoft.Office.2025x64.v2025.iso, which is shared in Telegram channels and software-cracking groups in Ukraine.
When a victim mounts the image and tries to install or activate what looks like Microsoft Office, hidden executables named to resemble auto.exe or setup.exe start running in the background without the victim's knowledge.

Figure: Injection of the DemiMur Certificate (Source: Weixin)

Organizations should immediately block third-party activation tools and unauthorized ISO images from entering their networks; these are the main vectors by which this attack gains its initial foothold.
Monitor activity on the internal network closely, including scheduled task creation, registry changes, and PowerShell execution, for signs of tampering. Keep endpoint security up to date with regular full scans. Key institutions and businesses should also strengthen their internal auditing practices and define specific rules for spotting unusual RDP and SSH activity, so that long-term intelligence theft is caught early.
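The monitoring recommendations above can be turned into concrete detection logic. The following Python script is an added example, not code from the original article or from any organization named in it. It runs a set of checks over constructed Windows Security event records (standard event IDs 4624 logon, 4688 process creation, 4698 scheduled task created, 4657 registry value modified) that are assumed to have already been exported from the event log into dict form with the field names shown; the RDP allowlist subnet, the business-hours window, and the sample events are hypothetical values chosen for illustration.

```python
"""Detection pass over Windows Security events (constructed sample data).

Added example, not part of the original article. Assumes events were
exported as dicts with the field names used below (e.g. from a SIEM or
from Get-WinEvent converted to JSON). Event IDs are the standard Windows
Security ones: 4624 logon, 4688 process creation, 4698 scheduled task
created, 4657 registry value modified. Allowlist and business hours are
hypothetical tuning values.
"""
import ipaddress
import re
from datetime import datetime

# Hypothetical tuning: management subnet allowed to use RDP, and office hours.
RDP_ALLOWED_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time

# PowerShell switches that hide or obfuscate execution, Run-key persistence
# locations, and user-writable paths a scheduled task should not run from.
SUSPICIOUS_PS_ARGS = re.compile(
    r"-(enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.I)


def check_rdp_logon(ev):
    """Flag RemoteInteractive (RDP, logon type 10) logons from unexpected sources/times."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
        return None
    src = ipaddress.ip_address(ev["IpAddress"])
    hour = datetime.fromisoformat(ev["Time"]).hour
    reasons = []
    if not any(src in net for net in RDP_ALLOWED_SUBNETS):
        reasons.append("source outside RDP allowlist")
    if hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons or None


def check_powershell(ev):
    """Flag PowerShell launched with hidden-window / encoded-command switches."""
    if ev.get("EventID") != 4688:
        return None
    exe = ev.get("NewProcessName", "").lower()
    if not exe.endswith(("powershell.exe", "pwsh.exe")):
        return None
    if SUSPICIOUS_PS_ARGS.search(ev.get("CommandLine", "")):
        return ["PowerShell launched with evasion switches"]
    return None


def check_scheduled_task(ev):
    """Flag new scheduled tasks whose action lives in a user-writable directory."""
    if ev.get("EventID") != 4698:
        return None
    if USER_WRITABLE.search(ev.get("TaskCommand", "")):
        return ["task action runs from user-writable path"]
    return None


def check_registry(ev):
    """Flag writes to the Run / RunOnce autostart keys."""
    if ev.get("EventID") != 4657:
        return None
    if RUN_KEY.search(ev.get("ObjectName", "")):
        return ["Run-key persistence modified: " + ev["ObjectName"]]
    return None


CHECKS = (check_rdp_logon, check_powershell, check_scheduled_task, check_registry)


def scan(events):
    """Return (event_id, reasons) for every event that trips at least one check."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            reasons = check(ev)
            if reasons:
                alerts.append((ev["EventID"], reasons))
    return alerts


# Constructed sample events: one benign and one suspicious case per check.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.20.5.7", "Time": "2025-03-04T10:15:00"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.45", "Time": "2025-03-04T03:12:00"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand QQBCAEMA"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"EventID": 4698, "TaskName": r"\OfficeActivation",
     "TaskCommand": r"C:\Users\alice\AppData\Roaming\auto.exe"},
    {"EventID": 4657,
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeUpdate"},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Each check returns a list of reasons rather than a boolean, so the same record can be reported for more than one anomaly (the off-hours RDP logon from outside the allowlist above produces two). In a real deployment the allowlist and hours would be pulled from asset inventory rather than hard-coded, and the field mapping would follow whatever the collector emits.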