Microsoft announced on Wednesday that it has teamed up with law enforcement to target RedVDS, a cybercrime service that has facilitated a wide range of malicious activities.
Launched in 2019, RedVDS is a virtual dedicated server (VDS) service that allows cybercriminals to set up disposable Windows-based RDP servers, which they can then use for mass phishing, BEC attacks, financial fraud, and account takeover.
A subscription costs as little as $24 per month, but reported fraud losses tied to RedVDS total $40 million in the US alone, Microsoft said. As one example, the tech giant named an Alabama pharmaceutical company that lost over $7.3 million following a BEC attack that involved the cybercrime service.
According to Microsoft, cybercriminals have used RedVDS to target organizations in the United States, the UK, Canada, France, Germany, and Australia, across sectors such as legal, manufacturing, healthcare, real estate, construction, and education.
The tech giant tracks the threat group that operates and develops RedVDS as Storm-2470.
Microsoft was able to link many attacks to RedVDS because most of the virtual servers used the same base Windows installation. The servers were generated from the same Windows Server 2022 image, and the server instances all had the same computer name.
“This host fingerprint appears in RDP certificates and system telemetry, serving as a core indicator of RedVDS activity. The underlying trick is that Storm-2470 created one Windows virtual machine (VM) and repeatedly cloned it without customizing the system identity,” Microsoft explained.
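As an added illustration (not code from Microsoft's report or from this article), the Python script below shows how a defender could hunt for that clone signature in their own connection telemetry. Windows generates the default Remote Desktop self-signed certificate with the machine's computer name as its subject CN, so a fleet cloned from one image presents one CN from many unrelated addresses, whereas a legitimate host presents its CN from one address. The telemetry lines, the key=value log format, and the computer name `WIN-CLONE0000001` are all constructed for this example; the actual RedVDS host name is not given in the article.

```python
"""Flag RDP certificate fingerprints shared by many unrelated hosts.

Added example, not Microsoft's tooling. Assumes telemetry in which each
inbound or probed connection records the peer's source address and the
CN of the RDP server certificate it presented. The log format and the
host name WIN-CLONE0000001 are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: three unrelated addresses present the same
# certificate CN (the clone signature); two ordinary hosts present their own.
SAMPLE_LOG = """\
2025-10-02T08:01:12Z src=198.51.100.14 rdp_cert_cn=WIN-CLONE0000001 computer=WIN-CLONE0000001
2025-10-02T08:03:40Z src=203.0.113.9 rdp_cert_cn=WIN-CLONE0000001 computer=WIN-CLONE0000001
2025-10-02T08:05:02Z src=192.0.2.77 rdp_cert_cn=WIN-CLONE0000001 computer=WIN-CLONE0000001
2025-10-02T08:05:55Z src=198.51.100.14 rdp_cert_cn=WIN-CLONE0000001 computer=WIN-CLONE0000001
2025-10-02T08:09:31Z src=203.0.113.200 rdp_cert_cn=FILESRV-HQ01 computer=FILESRV-HQ01
2025-10-02T08:11:07Z src=192.0.2.5 rdp_cert_cn=DESKTOP-4K2J9Q1 computer=DESKTOP-4K2J9Q1
2025-10-02T08:12:48Z src=192.0.2.5 rdp_cert_cn=DESKTOP-4K2J9Q1 computer=DESKTOP-4K2J9Q1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+rdp_cert_cn=(?P<cn>\S+)\s+computer=(?P<computer>\S+)$"
)


def parse_log(text):
    """Parse the constructed key=value lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def fingerprint_index(records):
    """Map each RDP certificate CN to the set of source addresses that presented it."""
    index = defaultdict(set)
    for rec in records:
        index[rec["cn"]].add(rec["src"])
    return index


def cloned_fingerprints(records, min_sources=3):
    """Return {cn: sorted source addresses} for every CN seen from at least
    min_sources distinct addresses. One host name behind many addresses is
    the cloned-image signature; one host reconnecting repeatedly is not."""
    return {
        cn: sorted(srcs)
        for cn, srcs in fingerprint_index(records).items()
        if len(srcs) >= min_sources
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for cn, srcs in cloned_fingerprints(recs).items():
        print(f"cloned fingerprint {cn}: {len(srcs)} sources -> {', '.join(srcs)}")
```

The threshold is deliberately on distinct addresses rather than on connection count, since a single legitimate server reconnecting many times produces many records but only one source. In production the same index can be keyed on the certificate's SHA-256 fingerprint instead of its CN, which also catches clones whose operators renamed the host but kept the template's certificate.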
These RedVDS servers do not carry out the malicious activity on their own. Instead, they are provisioned by threat actors, who then use them for their malicious activities.
The company's analysis showed that the RedVDS servers were used for a wide range of purposes. Some cybercriminals installed mass mailer utilities that they used to send out spam and phishing emails. Others installed email address harvesters that enabled them to build target lists.
Cybercriminals also installed privacy-focused browsers and VPNs on their servers, as well as remote access tools such as AnyDesk. Some of the service's users also leveraged AI tools to improve their operations, Microsoft reported.
The company observed, in just one month, 2,600 RedVDS VMs sending an average of 1 million phishing emails per day to Microsoft customers.
“While most were blocked or flagged as part of the 600 million cyberattacks Microsoft blocks per day, the sheer volume meant a small percentage could have succeeded in reaching the targets’ inbox,” Microsoft said. “Since September 2025, RedVDS‑enabled attacks have led to the compromise or fraudulent access of more than 191,000 Microsoft email accounts across over 130,000 organizations worldwide.”
RedVDS disrupted
Microsoft has teamed up with international law enforcement to disrupt RedVDS. Actions taken against the cybercrime service include the seizure of domains associated with the RedVDS marketplace and customer portal.
Key servers have also been seized, and Microsoft is working with law enforcement to disrupt payment networks associated with the service.
Microsoft has filed legal action in the United States, and for the first time in the United Kingdom, in an effort to disrupt RedVDS infrastructure and identify the individuals behind the operation.
The news comes just months after Microsoft and Cloudflare teamed up to disrupt the RaccoonO365 phishing service. Some of the threat actors that used the RaccoonO365 service before its takedown have also used RedVDS.
Related: Microsoft Disrupts ONNX Phishing Service, Names Its Operator
Related: Google Says Chinese ‘Lighthouse’ Phishing Kit Disrupted Following Lawsuit
Related: RaccoonO365 Phishing Service Disrupted, Chief Identified
