Russian APT Hacker Observed Deploying Unusual RDP Tactics
A Russian nation-state threat actor, tracked as UNC5837, exploited lesser-known features of Microsoft Windows Remote Desktop Protocol (RDP) to target European organizations for espionage. The campaign involved phishing emails with signed .rdp file attachments, leading to RDP connections and the deployment of a malicious application. Google recommends limiting file read activity, blocking outgoing RDP traffic, and blocking .rdp file extensions in email attachments to prevent similar attacks.
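One way to apply the attachment recommendation at a mail gateway, shown as an added example that is not taken from the article or from Google's guidance. The function names and the sample message are constructed for illustration; the check also covers attachments inside forwarded messages and names padded with trailing dots.

```python
# Added example: flag .rdp attachments in a raw RFC 5322 message.
import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXT = ".rdp"  # extension named in the recommendation above


def _normalize(name):
    # Windows ignores trailing dots and spaces in file names, so
    # "x.rdp." would still be treated as an .rdp file once saved.
    return name.strip().rstrip(". ").lower()


def rdp_attachments(raw_bytes):
    """Return the names of all MIME parts whose file name ends in .rdp."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    # walk() also descends into forwarded message/rfc822 parts.
    for part in msg.walk():
        # get_filename() reads Content-Disposition "filename" and falls
        # back to the Content-Type "name" parameter.
        name = part.get_filename()
        if name and _normalize(name).endswith(BLOCKED_EXT):
            hits.append(name)
    return hits


def build_sample():
    """Constructed message: a benign PDF plus a forwarded mail with an .rdp file."""
    inner = EmailMessage()
    inner["Subject"] = "fwd (constructed)"
    inner.set_content("see attached")
    inner.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename="Config.RDP.")
    outer = EmailMessage()
    outer["Subject"] = "constructed sample"
    outer.set_content("hello")
    outer.add_attachment(b"%PDF-", maintype="application",
                         subtype="pdf", filename="agenda.pdf")
    outer.add_attachment(inner)  # stored as a message/rfc822 part
    return outer.as_bytes()


if __name__ == "__main__":
    found = rdp_attachments(build_sample())
    print("quarantine" if found else "deliver", found)
```

A gateway hook would quarantine or strip the message whenever the returned list is non-empty.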