Russian Phishing Campaign Steals Sensitive Data in European Government Networks


A phishing campaign targeting European government and military networks is drawing attention for its unusual use of built-in Remote Desktop Protocol (RDP) features to compromise systems without any malware on the endpoint. Attributed to a suspected Russia-nexus espionage group, the campaign is a clear example of the growing threat posed by advanced persistent threats (APTs).

The actor, tracked by Google's Threat Intelligence Group (GTIG) as UNC5837, abuses two lesser-known RDP features: resource redirection and RemoteApp. RDP is routinely used for legitimate remote administration, but this campaign inverts the usual RDP intrusion model. Instead of connecting inbound to a victim's exposed RDP service and visibly taking over the screen, the attackers get the victim's own machine to open an outbound RDP session to a server they control, and then read the victim's data through these features while the session looks like an ordinary remote connection.

Resource redirection makes the victim's local drives, clipboard and other devices available inside the remote session, so the attacker's RDP server can read from and write to them as if they were mounted on the server. RemoteApp lets the server present an attacker-controlled program as a normal-looking local window, so the user sees only the expected application and nothing that hints at a remote session. Together these give the attackers read and write access to files on every redirected drive, to clipboard contents (which may include passwords or other credentials), and to whatever the victim types into the RemoteApp window, since that input is sent to the attacker's server rather than processed locally.

The phishing element of the attack is equally insidious. Victims receive emails that pose as a joint initiative of Amazon, Microsoft and the Ukrainian government. These emails carry a seemingly benign attachment labelled "AWS Secure Storage Connection Stability Test." The attachment is in fact an .rdp connection file, signed with a Let's Encrypt-issued certificate so that the Remote Desktop client does not show its usual warning about an unknown publisher; opening it makes the victim's system launch an outbound RDP session to a server controlled by the attackers. Note that the signature only attests that the listed connection settings have not been altered since signing. It says nothing about whether the destination is safe, and a certificate from a public CA is trivial for an attacker to obtain.

Once the .rdp file is opened and the user accepts the connection, the attackers' server receives direct access to the redirected resources of the victim's system. Because the connection is outbound and initiated by the victim's own Remote Desktop client, it typically passes perimeter firewalls that permit outbound RDP and does not resemble the inbound RDP brute-forcing that defenders usually monitor. The client normally still asks the user to confirm the connection and lists the resources that will be shared, but the lure's framing as a harmless storage test encourages clicking through. From there the attackers can silently monitor activity, steal sensitive files and clipboard data, and capture or redirect peripherals such as printers, microphones and audio output.
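The .rdp settings that enable the redirection and RemoteApp behaviour described above are plain text, so a mail gateway or endpoint control can triage an .rdp attachment before a user opens it. The following is an added example, not code from GTIG or from the campaign: it parses an .rdp file, flags the settings that hand local resources to the destination server (drives, clipboard, printers, audio, devices, RemoteApp mode), notes whether the file carries a signature without treating that as a sign of safety, and checks the destination host against an allow-list. The sample files, the allow-list (`TRUSTED_RDP_HOSTS`) and the verdict thresholds are assumptions for illustration.

```python
"""Triage an .rdp attachment for the settings an outbound-RDP lure relies on.

Added example, not GTIG's or the campaign's code. Sample files, the trusted
host list and the verdicts are constructed assumptions.
"""

TRUSTED_RDP_HOSTS = {"rdp.corp.example"}  # assumption: the organisation's own RDP hosts

# (setting, predicate on the raw value, what it gives the destination server)
RISKY_SETTINGS = [
    ("drivestoredirect", lambda v: v.strip() != "", "local drives mapped into the remote session"),
    ("redirectclipboard", lambda v: v.strip() == "1", "clipboard shared with the remote host"),
    ("redirectprinters", lambda v: v.strip() == "1", "printers redirected to the remote host"),
    ("audiomode", lambda v: v.strip() == "0", "remote audio played through local speakers"),
    ("audiocapturemode", lambda v: v.strip() == "1", "local microphone streamed to the remote host"),
    ("devicestoredirect", lambda v: v.strip() != "", "plug-and-play devices redirected"),
    ("usbdevicestoredirect", lambda v: v.strip() != "", "USB devices redirected"),
    ("remoteapplicationmode", lambda v: v.strip() == "1", "RemoteApp mode: a server-side program is shown as a local window"),
]


def decode_rdp(data: bytes) -> str:
    """mstsc saves .rdp files as UTF-16 with a BOM; hand-built lures are often UTF-8.
    Honour a BOM if present, otherwise assume UTF-8."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    if data.startswith(b"\xef\xbb\xbf"):
        return data.decode("utf-8-sig")
    return data.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> dict:
    """Each line is key:type:value (type s, i or b). Values may contain colons
    (host:port, IPv6), so split at most twice. Keys are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].strip().lower()] = parts[2]
    return settings


def host_of(full_address: str) -> str:
    """Strip the optional port from a 'full address' value."""
    addr = full_address.strip()
    if addr.startswith("["):            # [ipv6]:port
        return addr[1:addr.find("]")]
    if addr.count(":") == 1:            # host:port
        return addr.split(":", 1)[0]
    return addr                         # bare host or unbracketed IPv6


def assess_rdp(data: bytes, trusted_hosts=TRUSTED_RDP_HOSTS) -> dict:
    s = parse_rdp(decode_rdp(data))
    findings = [f"{key}={s[key]!r}: {why}" for key, bad, why in RISKY_SETTINGS
                if key in s and bad(s[key])]
    prog = s.get("remoteapplicationprogram", "").strip()
    if s.get("remoteapplicationmode", "").strip() == "1" and prog:
        findings.append(f"remoteapplicationprogram={prog!r}: the window the user sees runs on the server")
    host = host_of(s.get("full address", ""))
    trusted = any(host == t or host.endswith("." + t) for t in trusted_hosts)
    # A signature only proves the signscope fields were not altered; it is not a trust signal.
    signed = "signature" in s and "signscope" in s
    if findings and not trusted:
        verdict = "block"
    elif findings or not trusted:
        verdict = "review"
    else:
        verdict = "allow"
    return {"host": host, "trusted_host": trusted, "signed": signed,
            "findings": findings, "verdict": verdict}


# Constructed sample resembling a lure: UTF-16LE with BOM, RemoteApp plus full redirection.
LURE = b"\xff\xfe" + "\n".join([
    "full address:s:storage-test.example.net:3389",
    "remoteapplicationmode:i:1",
    "remoteapplicationprogram:s:||StorageTest",
    "remoteapplicationname:s:AWS Secure Storage Connection Stability Test",
    "drivestoredirect:s:*",
    "redirectclipboard:i:1",
    "redirectprinters:i:1",
    "audiomode:i:0",
    "audiocapturemode:i:1",
    "devicestoredirect:s:*",
    "signscope:s:Full Address,Remote Application Mode,Remote Application Program,Drives To Redirect,Redirect Clipboard",
    "signature:s:Y29uc3RydWN0ZWQ=",   # placeholder, not a real signature blob
]).encode("utf-16-le")

# Constructed benign file: corporate host, no redirection.
BENIGN = b"full address:s:rdp.corp.example\nredirectclipboard:i:0\ndrivestoredirect:s:\n"

if __name__ == "__main__":
    for name, blob in (("lure", LURE), ("benign", BENIGN)):
        r = assess_rdp(blob)
        print(f"{name}: verdict={r['verdict']} host={r['host']} signed={r['signed']}")
        for f in r["findings"]:
            print("  -", f)
```

The verdict deliberately ignores the signature: a signed file pointing at an unknown host with drive and clipboard redirection is still blocked. In practice the allow-list would come from the organisation's RDP gateway inventory, and a "review" result for an internal host with redirection enabled is worth a look because legitimate internal profiles rarely need every redirection switched on.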

According to Google, this campaign is part of a broader pattern of Russian cyber groups targeting organizations across critical sectors. RDP-based intrusions are also increasingly linked to ransomware and other criminal activity. Defenders should block outbound RDP to the internet where it is not required, block or quarantine .rdp email attachments at the gateway, disable drive, clipboard and device redirection by policy, and treat a signed .rdp file as no more trustworthy than an unsigned one.