The Russia-linked advanced persistent threat (APT) group APT29, also known as Earth Koshchei and Midnight Blizzard, has been observed repurposing a legitimate red teaming attack methodology to launch sophisticated cyberattacks.
According to a report by Trend Micro, the group has adopted a "rogue Remote Desktop Protocol (RDP)" technique to target governments, armed forces, think tanks, academic researchers, and Ukrainian entities. The method was first documented by Black Hills Information Security in 2022 as a legitimate red team tactic; Earth Koshchei has since weaponized it for espionage.
The campaign, which peaked in October 2024, relied on spear-phishing emails that tricked recipients into opening malicious RDP configuration (.rdp) files. Opening such a file made the victim's machine connect, through one of the group's 193 RDP relays, to a rogue RDP server under the attackers' control.
The technique needs three pieces: an RDP relay, a rogue RDP server behind it, and the malicious configuration files that steer victims to the relay. No exploit is involved. An RDP configuration file can instruct the client to share local drives, the clipboard, printers, smart cards and other devices with whatever server it connects to, so a victim who opens the file unknowingly grants the attackers partial control of the machine for as long as the session lasts.
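Because the .rdp file is the whole delivery mechanism, the check a mail gateway or endpoint tool wants is a parser that reads the file and flags the dangerous settings before mstsc.exe ever sees it. The following is an added example written for this article, not code from Trend Micro, Black Hills Information Security or the campaign itself. The setting names are Microsoft's documented .rdp keys; the sample files, the host names (reserved .example TLD) and the allow-list of approved RDP endpoints are constructed for the example.

```python
"""Static check for risky settings in an RDP connection (.rdp) file.

Added example: not code from the Trend Micro report or from Black Hills
Information Security. The setting names are the documented mstsc.exe
.rdp keys; the sample files and the allow-list below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# .rdp files hold one `name:type:value` setting per line, where type is
# s (string), i (integer) or b (binary). A value may itself contain
# colons (e.g. `full address:s:host:3389`), so only the first two split.
_SETTING_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

# Settings that expose local resources to the remote server. An integer
# value other than 0, or a non-empty string value, turns the redirect on.
RESOURCE_REDIRECTS = {
    "drivestoredirect": "local drives exposed to the server as \\\\tsclient shares",
    "redirectclipboard": "clipboard shared with the server",
    "redirectprinters": "printers redirected to the server",
    "redirectsmartcards": "smart cards forwarded to the server",
    "redirectcomports": "COM ports forwarded to the server",
    "redirectposdevices": "point-of-sale devices forwarded to the server",
    "devicestoredirect": "plug-and-play devices forwarded to the server",
    "usbdevicestoredirect": "USB devices forwarded to the server",
    "redirectwebauthn": "WebAuthn authenticators forwarded to the server",
}


@dataclass
class Verdict:
    host: str | None
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def decode_rdp(data: bytes) -> str:
    """mstsc saves .rdp files as UTF-16 LE with a BOM; hand-written ones are
    usually UTF-8. Choose the codec from the BOM so neither form is missed."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be")
    return data.decode("utf-8-sig", errors="replace")


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Return {key: (type, value)}; a repeated key keeps its last value."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        m = _SETTING_RE.match(raw.strip())
        if m:
            settings[m["key"].strip().lower()] = (m["type"], m["value"].strip())
    return settings


def _enabled(setting: tuple[str, str] | None) -> bool:
    if setting is None:
        return False
    typ, value = setting
    return value != "0" if typ == "i" else value != ""


def _host_of(address: str) -> str:
    """Strip an optional `:port` suffix from the `full address` value."""
    m = re.match(r"^(?P<host>.+):(?P<port>\d{1,5})$", address)
    return (m["host"] if m else address).lower()


def analyze_rdp(text: str, allowed_hosts: set[str]) -> Verdict:
    """Flag a file that points outside the allow-list of known RDP endpoints
    (an assumption of this example) or hands local resources to the server."""
    s = parse_rdp(text)
    address = s.get("full address", ("s", ""))[1]
    host = _host_of(address) if address else None
    v = Verdict(host=host)

    if host is not None and host not in {h.lower() for h in allowed_hosts}:
        v.findings.append(f"connects to unapproved host {host}")

    for key, why in RESOURCE_REDIRECTS.items():
        if _enabled(s.get(key)):
            v.findings.append(f"{key}: {why}")

    # RemoteApp mode lets the server decide what window the user sees, which
    # is how a rogue server can pose as a harmless local application.
    if _enabled(s.get("remoteapplicationmode")):
        v.findings.append("remoteapplicationmode: server-chosen RemoteApp window")

    # authentication level 0 = connect even if the server certificate fails
    # verification, so a relay can terminate TLS with any certificate.
    if s.get("authentication level", ("i", "2"))[1] == "0":
        v.findings.append("authentication level 0: certificate failures ignored")

    return v


# Constructed sample in the shape of a phishing attachment: a RemoteApp
# session to an unapproved host with every local resource shared.
PHISHED_RDP = """\
screen mode id:i:2
full address:s:rdp-relay.example:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||HelpDeskTool
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
authentication level:i:0
"""

# Constructed benign file: approved host, nothing redirected.
CORP_RDP = """\
full address:s:rds.corp.example
drivestoredirect:s:
redirectclipboard:i:0
authentication level:i:2
"""

ALLOWED_HOSTS = {"rds.corp.example"}  # constructed allow-list

if __name__ == "__main__":
    for name, text in (("phish.rdp", PHISHED_RDP), ("corp.rdp", CORP_RDP)):
        raw = b"\xff\xfe" + text.encode("utf-16-le")  # as mstsc would save it
        verdict = analyze_rdp(decode_rdp(raw), ALLOWED_HOSTS)
        print(f"{name}: host={verdict.host} suspicious={verdict.suspicious}")
        for finding in verdict.findings:
            print("  -", finding)
```

Run decode_rdp on the attachment bytes first: mstsc writes .rdp files as UTF-16 LE with a BOM, and a UTF-8-only check would pass straight over them. The allow-list is the part an organisation has to supply; a file that redirects drives or smart cards to a host not on it is worth quarantining, because that combination is what lets a rogue server reach into the victim's machine without any exploit.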
Trend Micro revealed that Earth Koshchei registered more than 200 domain names between August and October 2024 to support the campaign. The group layered commercial VPN services, the Tor network, and residential proxies in front of its infrastructure to mask its operations and complicate attribution.
The spear-phishing emails were sent from at least five legitimate mail servers that the group had compromised, which lets the messages pass sender-reputation checks that a newly registered sending domain would fail.
Earth Koshchei has long been associated with cyber-espionage activities aimed at Western governments and industries. Known for its adaptive tactics, the group has previously deployed methods like password spraying, brute-forcing dormant accounts, and watering hole attacks.