Intel Name: Hide Your RDP: Password Spray Leads to RansomHub Deployment
Date of Scan: July 1, 2025
Impact: High
Summary:
The intrusion began in November 2024 with a password spray against an internet-exposed RDP server. Over several hours the attacker attempted logons against many accounts, using account names and source IPs that had already been flagged in OSINT sources. The spray eventually succeeded, giving the attacker RDP access under a compromised account, after which they ran discovery commands to enumerate users and systems. Credentials were then harvested with Mimikatz (reading LSASS memory) and NirSoft CredentialsFileView (decrypting credentials stored on disk by Windows).
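The spray-then-success pattern above is what a detection should key on: one source IP failing against many distinct accounts in a short window, followed by a successful logon from the same IP. The script below is an added example, not part of the original report, and runs over constructed Windows Security event records (Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive/RDP); the IPs, account names and timestamps are invented sample data, and the thresholds (5 accounts within 1 hour) are assumptions to tune for your environment.

```python
"""Detect an RDP password spray followed by a successful logon.

Input records are (timestamp, event_id, account, source_ip, logon_type) tuples
as they would be extracted from the Windows Security log. The SAMPLE_EVENTS
below are constructed for this example and are not logs from any real case.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one spray from an external IP, plus benign noise
# from an internal user who mistypes a password twice and then logs in.
SAMPLE_EVENTS = [
    ("2024-11-10T02:00:05", 4625, "admin",    "203.0.113.7", 10),
    ("2024-11-10T02:00:11", 4625, "jsmith",   "203.0.113.7", 10),
    ("2024-11-10T02:00:17", 4625, "backup",   "203.0.113.7", 10),
    ("2024-11-10T02:00:23", 4625, "svc_sql",  "203.0.113.7", 10),
    ("2024-11-10T02:00:29", 4625, "helpdesk", "203.0.113.7", 10),
    ("2024-11-10T02:00:35", 4625, "rdpuser",  "203.0.113.7", 10),
    ("2024-11-10T02:41:52", 4624, "helpdesk", "203.0.113.7", 10),
    ("2024-11-10T02:05:00", 4625, "alice",    "10.0.0.12",   10),
    ("2024-11-10T02:05:30", 4625, "alice",    "10.0.0.12",   10),
    ("2024-11-10T02:06:00", 4624, "alice",    "10.0.0.12",   10),
]


def detect_spray(events, window=timedelta(hours=1), min_accounts=5,
                 logon_types=frozenset({10})):
    """Return one finding per source IP that failed against at least
    `min_accounts` distinct accounts inside any `window`-long span.

    Each finding records the spray start, every account tried from that IP
    from the spray start onward, and the first successful logon from the
    same IP after the spray began (None if no success was seen).
    """
    by_ip = defaultdict(list)
    for ts, eid, acct, ip, ltype in sorted(events, key=lambda e: e[0]):
        if ltype not in logon_types:
            continue
        by_ip[ip].append((datetime.fromisoformat(ts), eid, acct))

    findings = []
    for ip, recs in by_ip.items():
        failures = [(t, a) for t, e, a in recs if e == 4625]
        spray_start = None
        start = 0
        # Sliding window over the failure timeline: advance `start` until the
        # span fits in `window`, then count distinct accounts in the span.
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            distinct = {a for _, a in failures[start:end + 1]}
            if len(distinct) >= min_accounts:
                spray_start = failures[start][0]
                break
        if spray_start is None:
            continue
        sprayed = sorted({a for t, a in failures if t >= spray_start})
        success = next(((t, a) for t, e, a in recs
                        if e == 4624 and t >= spray_start), None)
        findings.append({
            "source_ip": ip,
            "spray_start": spray_start.isoformat(),
            "accounts": sprayed,
            "success": None if success is None else
                       {"time": success[0].isoformat(), "account": success[1]},
        })
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        verdict = "SUCCESS after spray" if f["success"] else "spray only"
        print(f"{f['source_ip']}: {len(f['accounts'])} accounts from "
              f"{f['spray_start']} -> {verdict}: {f['success']}")
```

One caveat when applying this to real logs: when Network Level Authentication is enabled, failed RDP attempts are commonly recorded on the target as 4625 with LogonType 3 (network) rather than 10, because authentication happens before a session is created. Passing `logon_types={3, 10}` covers that case; the trade-off is more noise from SMB and other network logons, which the per-IP distinct-account threshold helps absorb.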