Researchers tricked cybercriminals into revealing their secrets

Security researchers at GoSecure were able to take a glimpse at how hackers are conducting their nefarious activities through a carefully designed trap involving a network of internet-exposed Windows servers with Remote Desktop Protocol (RDP) enabled, meaning that threat actors could remotely control the compromised machines.

The researchers ran the honeypot for three years, accumulating over 190 million events, including 100 hours of video footage, 470 files collected from threat actors, and more than 20,000 RDP captures. This allowed them to better understand how malicious actors install malware, mine cryptocurrencies, launch DDoS attacks using compromised servers, and conduct fraud operations.

GoSecure classified attackers into five groups based on their behaviors:

Rangers explore all the folders of the computer, check the network and host performance characteristics, and run reconnaissance by clicking or by using programs/scripts. No other meaningful actions are undertaken.

Thieves try to monetize the RDP access. After taking control of the computer by changing the credentials to access it, they perform different activities that aim to take advantage of this access.

Barbarians use a large array of tools to brute-force their way into more computers. They leverage the compromised system to attempt to breach other systems by working with lists of IP addresses, usernames and passwords.

Wizards use the RDP access as a portal to connect to another computer that was compromised in a similar fashion. This strategy is good operational security: they hide their identity via jumps over compromised hosts. To do so, they demonstrate a high level of skill by carefully living off the land.

Bards are individuals with no apparent hacking skills. They access the system to accomplish basic tasks like looking for viruses through a simple Google search or to watch pornography. They likely buy RDP access from a third party such as Initial Access Brokers (IABs), threat actors that sell cybercriminals access to compromised networks, the researchers believe.
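The five groups above are defined by what an intruder does once inside, which is exactly the kind of signal a honeypot operator or SOC analyst can read out of session telemetry. The following added example (not code from GoSecure or the researchers) shows how a defender might triage recorded RDP sessions into these groups with simple heuristics. The event names (`dir_listing`, `outbound_logon_attempt`, `outbound_rdp`, `password_change`, and so on), the brute-force threshold and the precedence of the rules are all assumptions chosen for illustration, and the sample sessions are constructed, not data from the study.

```python
"""Heuristic classifier that sorts RDP honeypot sessions into the five
behavioural groups described in the article. Added illustration: event
names, thresholds and rule order are assumptions, not the researchers'
methodology."""
from collections import Counter

# Assumed event vocabulary for the kinds of behaviour the article describes.
RECON = {"dir_listing", "sysinfo", "netstat", "process_list"}
BROWSING = {"web_browse", "web_search"}
MONETIZE = {"crypto_miner_start", "proxy_install", "spam_tool_run"}
BRUTE_FORCE_THRESHOLD = 10  # assumed: outbound logon attempts that mark a Barbarian


def classify_session(events):
    """Return the group label for one session, given its ordered event names."""
    counts = Counter(events)
    kinds = set(counts)
    # Barbarians: the host is used to hammer logons against other machines.
    if counts["outbound_logon_attempt"] >= BRUTE_FORCE_THRESHOLD:
        return "Barbarian"
    # Wizards: the host is only a hop; they pivot onward over RDP.
    if "outbound_rdp" in kinds:
        return "Wizard"
    # Thieves: lock the owner out and monetise the access.
    if "password_change" in kinds or kinds & MONETIZE:
        return "Thief"
    # Bards: nothing but browsing, no system-level activity at all.
    if kinds and kinds <= BROWSING:
        return "Bard"
    # Rangers: pure reconnaissance and nothing else.
    if kinds and kinds <= RECON:
        return "Ranger"
    return "Unclassified"


def summarize(sessions):
    """Count the groups across a dict of session_id -> event list."""
    return Counter(classify_session(ev) for ev in sessions.values())


# Constructed sample sessions (not honeypot data from the article).
SAMPLE_SESSIONS = {
    "ranger-1": ["dir_listing", "sysinfo", "netstat", "dir_listing"],
    "thief-1": ["password_change", "tool_download", "crypto_miner_start"],
    "barbarian-1": ["tool_download"] + ["outbound_logon_attempt"] * 25,
    "wizard-1": ["outbound_rdp"],
    "bard-1": ["web_search", "web_browse", "web_browse"],
    "mixed-1": ["dir_listing", "tool_download"],
}

if __name__ == "__main__":
    for sid, ev in SAMPLE_SESSIONS.items():
        print(f"{sid:12s} -> {classify_session(ev)}")
    print(dict(summarize(SAMPLE_SESSIONS)))
```

The rule order matters: a session that both changes the password and pivots onward is reported as a Wizard rather than a Thief, because the pivot is the rarer and more consequential signal for a defender tracing lateral movement. Sessions that match none of the patterns are left "Unclassified" for manual review rather than forced into a group.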

The researchers presented their findings last week at the Black Hat cybersecurity conference in Las Vegas.
