Cyber Web Spider Blog – News
Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud

Posted on January 15, 2026 by CWS

Microsoft on Wednesday announced that it has taken a “coordinated legal action” in the U.S. and the U.K. to disrupt a cybercrime subscription service called RedVDS that has allegedly fueled millions in fraud losses.
The effort, per the tech giant, is part of a broader law enforcement effort in collaboration with law enforcement authorities that has allowed it to seize the malicious infrastructure and take the illicit service (“redvds[.]com”) offline.
“For as little as US $24 a month, RedVDS provides criminals with access to disposable virtual computers that make fraud cheap, scalable, and difficult to trace,” said Steven Masada, assistant general counsel of Microsoft’s Digital Crimes Unit. “Since March 2025, RedVDS‑enabled activity has driven roughly US $40 million in reported fraud losses in the United States alone.”
Crimeware-as-a-service (CaaS) offerings have increasingly become a lucrative business model, transforming cybercrime from what once was an exclusive domain that required technical expertise into an underground economy where even inexperienced and aspiring threat actors can carry out complex attacks quickly and at scale.
These turnkey services span a wide spectrum of modular tools, ranging from phishing kits to stealers to ransomware, effectively contributing to the professionalization of cybercrime and emerging as a catalyst for sophisticated attacks.
Microsoft said RedVDS was marketed as an online subscription service that provides cheap and disposable virtual computers running unlicensed software, including Windows, so as to empower and enable criminals to operate anonymously and send high‑volume phishing emails, host scam infrastructure, pull off business email compromise (BEC) schemes, conduct account takeovers, and facilitate financial fraud.
Specifically, it served as a hub for purchasing unlicensed and inexpensive Windows-based Remote Desktop Protocol (RDP) servers with full administrator control and no usage limits through a feature-rich user interface. RedVDS, besides offering servers located in Canada, the U.S., France, the Netherlands, Germany, Singapore, and the U.K., also offered a reseller panel to create sub-users and grant them access to manage the servers without having to share access to the main website.

An FAQ section on the website noted that customers can use its Telegram bot to manage their servers from within the Telegram app instead of having to log in to the site. Notably, the service did not maintain activity logs, making it an attractive choice for illicit use.

According to snapshots captured on the Internet Archive, RedVDS was advertised as a way to “increase your productivity and work from home with comfort and ease.” The service, the maintainers said on the now-seized website, was first founded in 2017 and operated on Discord, ICQ, and Telegram. The website was launched in 2019.
“RedVDS is frequently paired with generative AI tools that help identify high‑value targets faster and generate more realistic, multimedia message email threads that mimic legitimate correspondences,” the company said, adding it “observed attackers further augment their deception by leveraging face-swapping, video manipulation, and voice cloning AI tools to impersonate individuals and deceive victims.”
[Figure: RedVDS tool infrastructure]
Since September 2025, attacks fueled by RedVDS are said to have led to the compromise or fraudulent access of more than 191,000 organizations worldwide, underscoring the prolific reach of the service.
The Windows maker, which is tracking the developer and maintainer of RedVDS under the moniker Storm-2470, said it has identified a “global network of disparate cybercriminals” leveraging the infrastructure provided by the criminal marketplace to strike multiple sectors, including legal, construction, manufacturing, real estate, healthcare, and education in the U.S., Canada, U.K., France, Germany, Australia, and countries with substantial banking infrastructure targets.
[Figure: RedVDS attack chain]
Some of the notable threat actors include Storm-2227, Storm-1575, Storm-1747, and phishing actors who used the RaccoonO365 phishing kit prior to its disruption in September 2025. The infrastructure was specifically used to host a toolkit comprising both malicious and dual-use software:

  • Mass spam/phishing email tools like SuperMailer, UltraMailer, BlueMail, SquadMailer, and Email Sorter Pro/Ultimate
  • Email address harvesters like Sky Email Extractor to scrape or validate large numbers of email addresses
  • Privacy and OPSEC tools like Waterfox, Avast Secure Browser, Norton Private Browser, NordVPN, and ExpressVPN
  • Remote access tools like AnyDesk

One threat actor is said to have used the provisioned hosts to programmatically (and unsuccessfully) send emails via Microsoft Power Automate (Flow) using Excel, while other RedVDS users leveraged ChatGPT or other OpenAI tools to craft phishing lures, gather intelligence about organizational workflows to conduct fraud, and distribute phishing messages designed to harvest credentials and take control of victims’ accounts.
[Figure: RedVDS offerings]

The end goal of these attacks is to mount highly convincing BEC scams, allowing the threat actors to inject themselves into legitimate email conversations with suppliers and issue fraudulent invoices to trick targets into transferring funds to a mule account under their control.
Interestingly, its Terms of Service prohibited customers from using RedVDS for sending phishing emails, distributing malware, transferring illegal content, scanning systems for security vulnerabilities, or engaging in denial-of-service (DoS) attacks. This suggests an apparent effort by the threat actors to limit or escape liability.

Microsoft further said it “identified attacks showing thousands of stolen credentials, invoices stolen from target organizations, mass mailers, and phish kits, indicating that multiple Windows hosts were all created from the same base Windows installation.”
“Further investigations revealed that many of the hosts were created using a single computer ID, signifying that the same Windows Eval 2022 license was used to create these hosts. By using the stolen license to make images, Storm-2470 provided its services at a significantly lower cost, making it attractive for threat actors to purchase or acquire RedVDS services.”
The virtual Windows cloud servers were generated from a single Windows Server 2022 image, via RDP. All identified instances used the same computer name, WIN-BUNS25TD77J. It is assessed that Storm-2470 created one Windows virtual machine (VM) and repeatedly cloned it without changing the system identity.
The cloned Windows instances are created on demand using Quick Emulator (QEMU) virtualization technology combined with VirtIO drivers, with an automated process copying the master virtual machine (VM) image onto a new host each time a server is ordered in exchange for a cryptocurrency payment. This method made it possible to spin up fresh RDP hosts within minutes, allowing cybercriminals to scale their operations.
“Threat actors used RedVDS because it provided a highly permissive, low-cost, resilient environment where they could launch and hide multiple phases of their operation,” Microsoft said. “Once provisioned, these cloned Windows hosts gave actors a ready‑made platform to research targets, stage phishing infrastructure, steal credentials, hijack mailboxes, and execute impersonation‑based financial fraud with minimal friction.”
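The detail that every identified RedVDS host carried the same computer name, WIN-BUNS25TD77J, is the kind of artifact a defender can hunt for: Windows successful-logon events (Security event 4624) record the client-supplied workstation name alongside the source IP, and a single workstation name arriving from many unrelated addresses is the footprint of hosts cloned from one image. The script below is an added example written for this article, not code from Microsoft or from the reporting; the log lines are constructed in a simplified key=value rendering of 4624/4625 fields with documentation-range IPs, and the threshold and function names are assumptions for illustration.

```python
"""Detection sketch: flag remote logons whose client workstation name is shared
across many unrelated source IPs, the footprint of hosts cloned from one image."""
import re
from collections import defaultdict

# Computer name reported in the article for all identified RedVDS hosts.
KNOWN_CLONED_NAMES = {"WIN-BUNS25TD77J"}

# Constructed sample records (assumption: a simplified key=value rendering of
# Windows Security events 4624/4625). Field names mirror the events' own
# WorkstationName / IpAddress / LogonType / TargetUserName data items;
# the IP addresses are documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
ts=2025-11-03T08:12:01Z EventID=4624 LogonType=10 TargetUserName=j.doe WorkstationName=WIN-BUNS25TD77J IpAddress=203.0.113.10
ts=2025-11-03T08:14:22Z EventID=4624 LogonType=3 TargetUserName=a.smith WorkstationName=WIN-BUNS25TD77J IpAddress=198.51.100.7
ts=2025-11-03T09:01:40Z EventID=4624 LogonType=3 TargetUserName=finance01 WorkstationName=WIN-BUNS25TD77J IpAddress=192.0.2.55
ts=2025-11-03T09:05:13Z EventID=4624 LogonType=10 TargetUserName=j.doe WorkstationName=LAPTOP-JDOE IpAddress=10.0.5.21
ts=2025-11-03T09:07:58Z EventID=4624 LogonType=3 TargetUserName=b.lee WorkstationName=DESKTOP-4F2A IpAddress=10.0.5.30
ts=2025-11-03T09:09:11Z EventID=4624 LogonType=3 TargetUserName=b.lee WorkstationName=DESKTOP-4F2A IpAddress=10.0.5.30
ts=2025-11-03T10:30:00Z EventID=4625 LogonType=3 TargetUserName=admin WorkstationName=WIN-BUNS25TD77J IpAddress=203.0.113.77
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = ("EventID", "WorkstationName", "IpAddress")


def parse_events(text):
    """Parse key=value lines into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if all(key in fields for key in REQUIRED):
            events.append(fields)
    return events


def workstation_source_ips(events, event_ids=("4624",)):
    """Map each client workstation name to the set of source IPs it logged on from."""
    seen = defaultdict(set)
    for ev in events:
        if ev["EventID"] in event_ids:
            seen[ev["WorkstationName"]].add(ev["IpAddress"])
    return seen


def find_shared_workstation_names(events, min_distinct_ips=3):
    """Return {name: sorted IPs} for names used from at least min_distinct_ips sources.

    A legitimate workstation normally logs on from one or a few addresses; one
    name arriving from many unrelated IPs suggests identically cloned hosts.
    """
    return {
        name: sorted(ips)
        for name, ips in workstation_source_ips(events).items()
        if len(ips) >= min_distinct_ips
    }


def match_known_indicators(events, indicators=KNOWN_CLONED_NAMES):
    """Return every event (success or failure) whose client name is a known cloned name."""
    return [ev for ev in events if ev["WorkstationName"] in indicators]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for name, ips in find_shared_workstation_names(evs).items():
        print(f"shared workstation name {name} seen from {len(ips)} IPs: {', '.join(ips)}")
    print(f"{len(match_known_indicators(evs))} events matched known cloned names")
```

Two caveats apply when running this against real telemetry. The workstation name in a 4624 event is supplied by the client and is blank for some logon types, so the shared-name heuristic should be one signal among several (source ASN, logon type, impossible-travel checks) rather than a verdict on its own; and the fixed name WIN-BUNS25TD77J is only as durable as the operator's laziness, which is why the generic many-IPs-per-name check is worth keeping even after the specific indicator stops matching.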

Source: The Hacker News. Tags: Action, Cybercrime, Disrupts, Fraud, Infrastructure, Legal, Microsoft, Online, RedVDS