Midnight Blizzard Uses RDP Proxies for MiTM Attacks and Data Theft

Researchers have discovered that the Russian-speaking hacker group APT29 (also known as Midnight Blizzard and Earth Koshchei) is using a network of 193 RDP proxies to carry out man-in-the-middle (MiTM) attacks aimed at stealing information, credentials, and deploying malware.

According to Trend Micro, the group leverages the red team proxy tool PyRDP in their MiTM attacks. With this tool, the hackers scan victims’ file systems, steal data in the background, and remotely execute malicious applications in compromised environments.

Targets and Attack Methods

The campaign targeted government and military organizations, diplomatic entities, cloud and IT service providers, telecommunications companies, and cybersecurity firms. Domain names registered for the campaign indicate that APT29’s targets this time included organizations in the United States, France, Australia, Ukraine, Portugal, Germany, Israel, Greece, Turkey, and the Netherlands.

Back in October 2024, Amazon experts warned that APT29 was tricking victims into launching files attached to phishing emails and connecting to malicious RDP servers. Once such a connection is established, all local resources (including disks, networks, printers, audio devices, and more) become shared and accessible to the attackers’ RDP server, allowing hackers full access to confidential information.
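Because the exposure described above begins the moment a victim opens an attached `.rdp` file that redirects local resources to an unknown server, a mail gateway or endpoint check can inspect such attachments before they are launched. The following is an added example (not code from the report or from Trend Micro) that parses the standard `name:type:value` lines of a `.rdp` file, lists the device-redirection settings that would expose the client, and flags the file when the target host is not on an allow list; the hostnames and the sample file are constructed placeholders.

```python
import re
from typing import Dict, List

# Device-redirection settings in a .rdp file that, once the client connects,
# expose local resources to the remote RDP server. Each entry maps the setting
# name to a predicate that is true when the resource would be shared.
REDIRECTION_SETTINGS = {
    "drivestoredirect": lambda v: v != "",   # "*" or a drive list shares local disks
    "devicestoredirect": lambda v: v != "",  # plug-and-play devices
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "audiocapturemode": lambda v: v == "1",  # microphone shared with server
}

# .rdp lines look like "full address:s:host:port" or "redirectclipboard:i:1"
LINE_RE = re.compile(r"^([^:]+):([sib]):(.*)$")


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse name:type:value lines into a dict keyed by lower-cased name."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings


def assess_rdp(text: str, allowed_hosts: List[str]) -> Dict[str, object]:
    """Return the target host, which local resources the file would share,
    and whether that combination should be treated as suspicious."""
    s = parse_rdp(text)
    target = s.get("full address", "").split(":")[0].lower()
    trusted = target in [h.lower() for h in allowed_hosts]
    exposed = [k for k, ok in REDIRECTION_SETTINGS.items() if k in s and ok(s[k])]
    return {"target": target, "trusted_host": trusted,
            "exposed_resources": exposed,
            "suspicious": bool(exposed) and not trusted}


# Constructed sample: an attachment that shares everything with a server
# outside the organisation (placeholder hostname, reserved .invalid TLD).
SAMPLE_RDP = """full address:s:rdp.example-attacker.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
audiocapturemode:i:1
"""

if __name__ == "__main__":
    print(assess_rdp(SAMPLE_RDP, ["rdp.corp.example"]))
```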

Technical Details

Trend Micro reports that 193 RDP proxies were used in these operations, redirecting connections to 34 backend servers controlled by the attackers. This setup allowed them to control and intercept RDP sessions.

“After the connection is established, the malicious server mimics the behavior of a legitimate RDP server and uses the session to perform various malicious actions,” Trend Micro explains. “The main attack vector involves deploying malicious scripts and changing system settings on the victim’s computer.”

As mentioned above, the group used the Python-based MiTM tool PyRDP. This tool enabled the attackers to intercept plaintext credentials and NTLM hashes, steal clipboard data, transfer files and data from shared drives in the background, and execute console and PowerShell commands whenever a new connection was made.

Researchers note that this attack technique was first described by cybersecurity expert Mike Felch in 2022, and it’s possible that his work inspired APT29 to adopt this tactic.

Evasion Techniques

The report also states that to evade detection, APT29 uses a sophisticated combination of commercial VPN products that accept cryptocurrency payments, Tor exit nodes, and residential proxies to hide the real IP addresses of their malicious RDP servers.
