Inside RedVDS: How a Single Virtual Desktop Provider Fueled Worldwide Cybercriminal Operations

Microsoft Threat Intelligence exposed RedVDS, a criminal VDS marketplace operated by the actor tracked as Storm-2470 that sold cloned Windows Server 2022 RDP hosts and enabled mass phishing, BEC, account takeover, and large-scale financial fraud across multiple countries and sectors. Microsoft, in coordination with law enforcement, disrupted RedVDS infrastructure and published detections, IOCs, and mitigation guidance to reduce impact and harden defenses. #RedVDS #Storm-2470

Keypoints

  • RedVDS operated a criminal marketplace offering inexpensive, unlicensed Windows RDP servers cloned from a single Windows Server 2022 image, enabling rapid provisioning and uniform fingerprints.
  • All RedVDS instances shared the same computer name, WIN-BUNS25TD77J, and reused the same Windows Server 2022 evaluation (Eval 2022) license and computer ID, leaving host-level artifacts that defenders can match on exactly.
  • Multiple financially motivated actors (e.g., Storm-0259, Storm-2227, Storm-1575, Storm-1747) and phishing services (including RaccoonO365 prior to its takedown) used RedVDS for mass phishing, BEC, account takeover, and fraud.
  • RedVDS rented infrastructure from multiple hosting providers across the US, Canada, UK, France, Netherlands, and Germany and sold access for cryptocurrency, increasing anonymity and geolocation evasion.
  • Investigators observed recurring toolkits on RedVDS hosts—mass mailers, email harvesters, VPNs/proxy tools, AnyDesk, Python scripts, and AI writing tools—supporting large-scale phishing and fraud campaigns.
  • Microsoft coordinated a disruption with law enforcement, published detections for Microsoft Defender XDR and guidance for Exchange/M365 protections, MFA, user training, and phishing hardening to mitigate RedVDS-related threats.
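The shared computer name is the most directly actionable artifact in the keypoints above: a client box that authenticates to a victim tenant or relays mail through a mass mailer tends to announce its own hostname. The script below is an added example written for this summary, not code from the Microsoft post. Only the hostname WIN-BUNS25TD77J comes from the post; the Windows Security 4624/4625 records, the Received: headers, the field layout and the IP addresses are constructed samples.

```python
"""Hunt for the shared RedVDS computer name in logon and mail telemetry.

Added example for this summary, not code from the Microsoft post. Only the
hostname comes from the post; the log records, field names and IP
addresses below are constructed samples.
"""
import re

# Computer name reported for every RedVDS clone (from the post).
REDVDS_HOSTNAME = "WIN-BUNS25TD77J"

# Constructed sample: Windows Security 4624 (success) and 4625 (failure)
# events flattened to key=value pairs. WorkstationName is the name the
# connecting client reports about itself; LogonType 10 is RDP, 3 is network.
SAMPLE_LOGON_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=jdoe WorkstationName=WIN-BUNS25TD77J IpAddress=203.0.113.10",
    "EventID=4624 LogonType=10 TargetUserName=asmith WorkstationName=LAPTOP-ASMITH IpAddress=192.0.2.22",
    "EventID=4624 LogonType=3 TargetUserName=svc_backup WorkstationName=BACKUP01 IpAddress=192.0.2.5",
    "EventID=4624 LogonType=3 TargetUserName=cfo WorkstationName=win-buns25td77j IpAddress=198.51.100.7",
    "EventID=4625 LogonType=10 TargetUserName=cfo WorkstationName=WIN-BUNS25TD77J IpAddress=198.51.100.7",
]

# Constructed sample: Received: headers on inbound mail. A mass mailer on
# the box usually announces the box's own hostname in HELO/EHLO, which the
# receiving MTA records as the first token after "from".
SAMPLE_RECEIVED_HEADERS = [
    "Received: from WIN-BUNS25TD77J (unknown [203.0.113.10]) by mx.example.com with ESMTP id 4Y1x2",
    "Received: from mail.supplier.example (mail.supplier.example [198.51.100.20]) by mx.example.com with ESMTPS",
]

_KV = re.compile(r"(\w+)=(\S+)")
_RECEIVED = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[]+)\s+)?\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)


def is_redvds_host(name):
    """Exact, case-insensitive match on the shared name. Do not widen this to a
    WIN-* prefix: every fresh Windows install gets a random WIN-XXXXXXXXXXX
    name, and only the one value shared by all clones is the artifact."""
    return name is not None and name.upper() == REDVDS_HOSTNAME


def flag_logon_events(lines):
    """Return 4624/4625 records whose client workstation name is the RedVDS one."""
    hits = []
    for line in lines:
        ev = dict(_KV.findall(line))
        if ev.get("EventID") in ("4624", "4625") and is_redvds_host(ev.get("WorkstationName")):
            hits.append({"event": ev["EventID"], "user": ev.get("TargetUserName"),
                         "ip": ev.get("IpAddress"), "logon_type": ev.get("LogonType")})
    return hits


def flag_received_headers(headers):
    """Return Received: headers whose HELO name is the RedVDS hostname."""
    hits = []
    for header in headers:
        m = _RECEIVED.match(header)
        if m and is_redvds_host(m.group("helo")):
            hits.append({"helo": m.group("helo"), "ip": m.group("ip")})
    return hits


if __name__ == "__main__":
    for hit in flag_logon_events(SAMPLE_LOGON_EVENTS) + flag_received_headers(SAMPLE_RECEIVED_HEADERS):
        print(hit)
```

Two caveats apply when running this against real telemetry. Both the 4624 WorkstationName field and the HELO name in a Received: header are supplied by the remote client, so an operator who renames the box disappears from this check; a miss is not clearance, and the IP footprint published with the post should be correlated alongside it. Conversely, keep the match exact: the WIN-XXXXXXXXXXX pattern is the default name of any unconfigured Windows install, and matching on the prefix would flood the queue with benign hosts.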

MITRE Techniques

  • [T1566] Phishing – Mass mailers and phishing kits hosted on RedVDS were used for credential theft and large-scale phishing campaigns (‘facilitating thousands of attacks including credential theft, account takeovers, and mass phishing’)
  • [T1110.003] Brute Force: Password Spraying – Actors used RedVDS infrastructure to run password spray attacks for initial access (‘Password spray: Microsoft observed actors conducting password spray attacks using RedVDS infrastructure’)
  • [T1021.001] Remote Services: Remote Desktop Protocol – Adversaries used the unlicensed Windows RDP servers provisioned by RedVDS for remote access and campaign staging (‘purchasing unlicensed and inexpensive Windows-based Remote Desktop Protocol (RDP) servers’)
  • [T1078] Valid Accounts – Threat actors took over accounts and used the compromised mailboxes to conduct BEC (‘Business email compromise/Account takeover: Microsoft observed RedVDS customers using the infrastructure to conduct BEC attacks that included account takeovers’)
  • [T1583.001] Acquire Infrastructure: Domains – Operators registered and used homoglyph/lookalike domains to impersonate suppliers and host phishing pages (‘over 7,300 IP addresses linked to RedVDS infrastructure that collectively hosted more than 3,700 homoglyph domains within a 30-day period’)
  • [T1219] Remote Access Tools – Legitimate remote access tools such as AnyDesk were installed on RedVDS hosts to manage access and share control among operators (‘AnyDesk is a legitimate remote desktop tool, suggesting that criminals might have used it to sign in to and control their RedVDS boxes’)
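The password-spray entry above is the technique with the clearest detection signature: one source tries many accounts a few times each, as opposed to a brute force that hammers one account. The detector below is an added example for this summary, not code from the Microsoft post. The sign-in records are constructed samples with an Entra ID-like shape (timestamp, user, source IP, result); the thresholds, the window length and the IP addresses are assumptions that need tuning per tenant.

```python
"""Detect password-spray patterns in sign-in telemetry.

Added example for this summary, not code from the Microsoft post. The
sign-in records are constructed samples; thresholds are illustrative.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASE = datetime(2026, 1, 14, 8, 0, 0)


def _signin(offset_s, user, ip, result):
    return {"ts": BASE + timedelta(seconds=offset_s), "user": user, "ip": ip, "result": result}


# Constructed sample: one source IP tries 12 accounts once each (spray) and
# then succeeds against one of them; a second IP hammers a single account
# five times (brute force, which this detector deliberately ignores).
SAMPLE_SIGNINS = (
    [_signin(30 * i, f"user{i:02d}@example.com", "203.0.113.10", "failure") for i in range(12)]
    + [_signin(7 * 60, "user11@example.com", "203.0.113.10", "success")]
    + [_signin(20 * i, "asmith@example.com", "192.0.2.22", "failure") for i in range(5)]
)


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=8, max_per_account=3):
    """Flag source IPs that fail against many distinct accounts, a few tries
    each, inside one sliding window. Any success from the same IP inside that
    window is attached so responders know which accounts to reset first."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (failures if e["result"] == "failure" else successes)[e["ip"]].append(e)

    alerts = []
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        best = None
        for i, first in enumerate(fails):          # slide the window start over each failure
            per_user = Counter()
            for e in fails[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                if best is None or len(per_user) > best["accounts"]:
                    end = first["ts"] + window
                    best = {
                        "ip": ip,
                        "accounts": len(per_user),
                        "start": first["ts"],
                        "successes": sorted({s["user"] for s in successes.get(ip, [])
                                             if first["ts"] <= s["ts"] <= end}),
                    }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_SIGNINS):
        print(alert)
```

The max_per_account bound is what separates spraying from brute force and keeps a locked-out user who retries their own password out of the alert. Because RedVDS customers rented boxes across six countries and could change exit IP cheaply, a per-IP grouping will under-count a spray that rotates sources; grouping by a coarser key (ASN, or the hosting providers the post names) with a higher threshold is the usual second pass.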

Indicators of Compromise

  • [Domain] RedVDS service endpoints and panel – redvds[.]com, redvds[.]pro
  • [URL] RedVDS dashboard and admin panel – hxxps://rd[.]redvds[.]com
  • [Host name] Computer name shared by every cloned RedVDS host – WIN-BUNS25TD77J
  • [IP addresses] Infrastructure footprint – more than 7,300 IP addresses linked to RedVDS across multiple hosting providers, with thousands more observed over the course of the investigation (individual addresses not listed here)
  • [Homoglyph domains] Lookalike domains used for phishing and BEC – more than 3,700 observed within a 30-day period (individual domains not listed here)
  • [File/Attachment types] BEC and phishing lures – fake invoice PDFs and other malicious documents requesting fraudulent payments (‘The email included PDF attachments of the fake invoice, banking details to make the payment’)
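The homoglyph-domain figures above (and the T1583.001 entry in the MITRE list) describe lookalikes of real supplier and brand domains, which is something a defender can screen for locally even without the full list. The screener below is an added example for this summary, not code from the Microsoft post, and it goes slightly beyond the post by also catching single-character typos and TLD swaps. The trusted domains and the candidate domains are constructed samples; the confusables table is a small subset of the Unicode confusables data, and the registrable label is taken as the second-to-last DNS label (a simplification: there is no public suffix list, so names under co.uk-style suffixes need extra handling).

```python
"""Flag lookalike domains against a list of trusted supplier/brand domains.

Added example for this summary, not code from the Microsoft post. Trusted
and candidate domains are constructed samples; CONFUSABLES is a subset of
the Unicode confusables data and should be extended for production use.
"""
import unicodedata

# Subset of Unicode confusables plus common ASCII look-alike pairs (assumption:
# extend from the full confusables.txt for production use).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0131": "i", "\u0142": "l", "rn": "m", "vv": "w", "0": "o", "1": "l",
}

# Constructed list of domains the organisation actually does business with.
TRUSTED = ["acme-supplier.com", "contoso.com", "microsoft.com"]

# Constructed candidates, as they might arrive from a newly-registered-domain
# feed, DNS logs, or the sender domains in mail flow.
SAMPLE_CANDIDATES = [
    "\u0430cme-supplier.com",                             # Cyrillic a, as typed
    "cont\u043eso.com".encode("idna").decode("ascii"),    # Cyrillic o, punycode as seen in DNS
    "acme-suplier.com",                                   # dropped letter
    "contoso.co",                                         # TLD swap
    "rnicrosoft.com",                                     # rn for m
    "acme-supplier.com",                                  # the real domain
    "northwind.com",                                      # unrelated
]


def to_unicode(domain):
    """Turn punycode (xn--) labels back into Unicode; leave everything else alone."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def skeleton(domain):
    """Collapse visually confusable characters to a canonical ASCII form."""
    s = unicodedata.normalize("NFKD", to_unicode(domain).lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))   # strip accents
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def split_label(domain):
    """Registrable label and TLD; simplification, no public suffix list."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, trusted):
    """Return why candidate resembles trusted ('homoglyph', 'tld-swap', 'typo'), or None."""
    if to_unicode(candidate).lower() == trusted.lower():
        return None                                  # it is the trusted domain itself
    cand_sk, trust_sk = skeleton(candidate), skeleton(trusted)
    if cand_sk == trust_sk:
        return "homoglyph"
    (c_label, c_tld), (t_label, t_tld) = split_label(cand_sk), split_label(trust_sk)
    if c_label == t_label and c_tld != t_tld:
        return "tld-swap"
    if levenshtein(c_label, t_label) <= 1:
        return "typo"
    return None


def find_lookalikes(candidates, trusted=TRUSTED):
    findings = []
    for cand in candidates:
        for t in trusted:
            reason = classify(cand, t)
            if reason:
                findings.append({"candidate": cand, "target": t, "reason": reason})
                break
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_CANDIDATES):
        print(f"{f['candidate']!r:40} -> {f['target']:20} {f['reason']}")
```

The skeleton comparison is applied to both sides, so a trusted domain that legitimately contains a digit or the letter pair "rn" is still matched consistently. The punycode decode matters in practice because DNS and proxy logs store IDN names in xn-- form, where a Cyrillic letter is invisible to a plain string comparison.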


Read more: https://www.microsoft.com/en-us/security/blog/2026/01/14/inside-redvds-how-a-single-virtual-desktop-provider-fueled-worldwide-cybercriminal-operations/