APT group Earth Koshchei, suspected to be sponsored by the SVR, executed a large-scale rogue RDP campaign using spear-phishing emails, red team tools, and sophisticated anonymization techniques to target high-profile sectors.

Summary
  • Earth Koshchei’s rogue remote desktop protocol (RDP) campaign chained three components: an RDP relay, a rogue RDP server, and a malicious RDP configuration file. A victim who opened the file connected to attacker-controlled infrastructure, exposing the machine to data leakage and malware installation.
  • Earth Koshchei is known for constantly innovating and using a variety of methods. In this campaign, they leveraged red team tools for espionage and data exfiltration.
  • The spear-phishing emails used in Earth Koshchei’s campaign were crafted to trick recipients into opening a rogue RDP configuration file, which made their machines connect to one of the group’s 193 RDP relays.
  • Earth Koshchei’s campaign showed significant preparation: the group registered more than 200 domain names between August and October of this year.
  • The group used anonymization layers such as commercial VPN services, Tor, and residential proxies to mask its operations, increase its stealth, and complicate attribution.