Earth Koshchei employed innovative tactics and red team tools in this espionage and data exfiltration campaign, using layers of anonymity such as commercial VPN services, TOR, and residential proxies to obscure its operations, enhance its stealth, and complicate attribution efforts.
This most recent campaign peaked in October 2024 and targeted governments, military organizations, think tanks, academic researchers, and Ukrainian entities, among others.
The group’s use of spear-phishing emails and advanced anonymization techniques has caused serious concern in the cybersecurity community.
How Does the Attack Work?
Earth Koshchei’s campaign used a multi-layered attack strategy. The core of the operation was a malicious RDP configuration file embedded in a spear-phishing email.
When the unsuspecting recipient opens the file, their device attempts to connect to the malicious RDP server through one of 193 relays set up by the attackers.
[Figure: RDP attack method settings]
The attack relied on a method known as “rogue RDP,” which Black Hills Information Security described in detail back in 2022. The technique used RDP relays, rogue servers, and malicious configurations.
[Figure: RDP connection (Source: VirusTotal)]
Using tools such as the Python Remote Desktop Protocol Man-in-the-Middle (MITM) framework (PyRDP), attackers intercept and manipulate RDP connections to gain partial control over the victim’s machine.
This enables data exfiltration, file browsing, and even the execution of malicious applications—all without deploying traditional malware.
The scale of Earth Koshchei’s attack campaign is staggering. Between August and October 2024, the group registered more than 200 domain names, many of which mimicked the identities of target organizations such as governments, IT companies, and research institutions.
Key preparation activities included setting up 34 malicious backend RDP servers to serve as the central command point for their operations.
According to a report by cybersecurity firm Trend Micro, the October 22 spear-phishing wave may be the culmination of an earlier, lower-key campaign in which the group tested its infrastructure and targeted specific entities.
[Figure: Schematic diagram of how Earth Koshchei controls its infrastructure]
The October 22 campaign marked a major escalation, targeting approximately 200 high-profile victims in a single day, a scale that other APT groups would typically take weeks to reach.
Earth Koshchei’s motivations appear to be primarily espionage. The group, allegedly linked to Russia’s Foreign Intelligence Service (SVR), has launched numerous attacks against Western countries’ diplomatic, military, energy, telecommunications, and IT sectors.
Its latest campaign fits that pattern, with victims including foreign ministries, military organizations and academic researchers.
The use of anonymity layers such as TOR, commercial VPNs, and residential proxies makes detection and attribution difficult.
These tactics allow the attackers to hide their activities while using compromised email servers to distribute the phishing emails. The anonymizing relays and proxies add a further layer of complexity to the operation.
A Red Team Blueprint Turned Malicious
Security experts stressed that Earth Koshchei’s rogue RDP tactics likely drew inspiration from red team methods designed to strengthen organizational defenses.
Attackers have effectively exploited these techniques, demonstrating how cybersecurity innovations can be used for malicious purposes.
For example, one RDP profile analyzed redirected victims to a malicious server posing as an Amazon Web Services (AWS) instance.
The file also exploited features such as drive redirection and resource sharing to covertly extract sensitive data. In the October attack wave, it is estimated that data from three key organizations was compromised, including two military entities and a cloud provider.
Attribution and Implications
While exact attribution remains complex, Trend Micro and others have linked the activity to Earth Koshchei, citing the group’s unique tactics, techniques, and procedures (TTPs).
These findings are further bolstered by the fact that both Microsoft and Amazon have previously attributed similar attacks to APT29/Midnight Blizzard.
The activity is indicative of a disturbing trend: legitimate tools and methods, such as red team techniques, are increasingly being used for malicious purposes.
This evolution highlights the need for advanced network security measures, including blocking untrusted outbound RDP connections and prohibiting the transmission of suspicious configuration files via email.
Organizations are urged to strengthen their defenses against such attacks. Blocking outbound RDP connections to untrusted servers, monitoring for malicious configuration files, and leveraging threat intelligence platforms such as Trend Micro Vision One are key steps to reduce risk.
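The "monitoring for malicious configuration files" step above, applied to the rogue RDP profile described earlier (an untrusted remote host combined with drive redirection, resource sharing and a RemoteApp launch), can be automated at the mail gateway or in a SOC triage script. The following is an added example written for this article, not code from Trend Micro or from the original report. It parses the standard `key:type:value` format of `.rdp` files (the setting names are the documented RDP file keys; the hostnames, the allowlist and the two sample profiles are constructed for the demo) and reports a profile as suspicious when the target host is outside a corporate allowlist and the file also enables client-side resource redirection or a server-chosen program.

```python
"""Triage scanner for .rdp connection files.

Added example, not code from the original article or from Trend Micro.
It parses the key:type:value format mstsc uses and flags the combination
rogue-RDP lures rely on: a remote host outside an allowlist together with
resource redirection (drives, clipboard, printers, smart cards, USB) or a
RemoteApp/alternate-shell launch. Hostnames and the allowlist are
constructed for the demo; the setting names are standard RDP file keys.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Keys that expose client-side resources to the server. The predicate says
# when the value actually enables the redirection.
REDIRECT_KEYS = {
    "drivestoredirect": lambda v: v != "",        # "*" means every drive
    "devicestoredirect": lambda v: v != "",
    "usbdevicestoredirect": lambda v: v != "",
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
    "redirectwebauthn": lambda v: v == "1",
}
# Keys that make the session launch a server-chosen program instead of a desktop.
LAUNCH_KEYS = {
    "remoteapplicationmode": lambda v: v == "1",
    "remoteapplicationprogram": lambda v: v != "",
    "alternate shell": lambda v: v != "",
}


@dataclass
class RdpVerdict:
    host: str | None
    host_trusted: bool
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Redirection to a trusted corporate host is routine; the same settings
        # pointed at an unknown host are the rogue-RDP pattern.
        return not self.host_trusted and bool(self.findings)


def decode_rdp(data: bytes) -> str:
    """mstsc saves .rdp files as UTF-16 LE with a BOM; hand-written ones are ASCII/UTF-8."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace").lstrip("\ufeff")


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Return {key: (type, value)}; keys are case-insensitive and values may contain ':'."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)        # value keeps any further colons (host:port)
        if len(parts) != 3:
            continue
        key, typ, value = parts
        settings[key.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings


def host_from_address(addr: str) -> str:
    """Strip an optional :port from 'full address'; bracketed IPv6 literals are handled."""
    addr = addr.strip().lower()
    if addr.startswith("["):
        return addr[1:addr.find("]")]
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr


def assess_rdp(data: bytes, allowed_domains: frozenset[str]) -> RdpVerdict:
    """Parse one .rdp file and decide whether it matches the rogue-RDP lure pattern."""
    settings = parse_rdp(decode_rdp(data))
    host = None
    if "full address" in settings:
        host = host_from_address(settings["full address"][1])
    trusted = host is not None and any(
        host == d or host.endswith("." + d) for d in allowed_domains)
    findings = []
    for key, enabled in {**REDIRECT_KEYS, **LAUNCH_KEYS}.items():
        if key in settings and enabled(settings[key][1]):
            findings.append(f"{key}={settings[key][1]!r}")
    return RdpVerdict(host=host, host_trusted=trusted, findings=findings)


# Constructed samples: a lure-style profile (UTF-16 with BOM, as mstsc writes
# it) and a normal corporate profile. Hostnames are placeholders.
LURE_RDP = b"\xff\xfe" + (
    "full address:s:files.storage-portal.test:3389\r\n"
    "drivestoredirect:s:*\r\n"
    "redirectclipboard:i:1\r\n"
    "remoteapplicationmode:i:1\r\n"
    "remoteapplicationprogram:s:||SecureStorage\r\n"
).encode("utf-16-le")
CORP_RDP = (
    "full address:s:ts01.corp.example:3389\r\n"
    "redirectclipboard:i:1\r\n"
).encode()
ALLOWED = frozenset({"corp.example"})

if __name__ == "__main__":
    for name, blob in (("lure", LURE_RDP), ("corp", CORP_RDP)):
        v = assess_rdp(blob, ALLOWED)
        print(name, v.host, "SUSPICIOUS" if v.suspicious else "ok", v.findings)
```

The allowlist is the policy knob: an organization that only ever publishes RDP endpoints under its own domains can treat every `.rdp` attachment pointing elsewhere as quarantine-worthy, and the individual findings give the analyst the specific settings (drive redirection, clipboard, RemoteApp program) to cite in the ticket.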
Trend Micro has classified the malicious RDP profile used in this campaign as Trojan.Win32.HUSTLECON.A.
The company’s global threat intelligence network continuously delivers actionable insights to help organizations stay ahead of evolving cyber threats.
SOC (Security Operations Center) and DFIR (Digital Forensics and Incident Response) teams can leverage the provided Indicators of Compromise (IOCs) to identify and analyze potential malicious activity within their environment.