Inside RedVDS: How a Single Virtual Desktop Provider Fueled Worldwide Cybercriminal Operations

www.microsoft.com/en-us/sec…

Over the past year, Microsoft Threat Intelligence observed the expansion of RedVDS, a virtual dedicated server (VDS) provider leveraged by multiple financially motivated threat actors to conduct business email compromise, mass phishing, account takeover, and financial fraud. Microsoft’s investigation into RedVDS services and infrastructure uncovered a global network of unrelated cybercriminals using the platform to target multiple sectors, including legal, construction, manufacturing, real estate, healthcare, and education. Impacted regions included the United States, Canada, the United Kingdom, France, Germany, Australia, and other countries with substantial banking infrastructure and higher potential for financial gain.

In collaboration with law enforcement agencies worldwide, Microsoft’s Digital Crimes Unit recently facilitated the disruption of RedVDS infrastructure and associated criminal operations.

Microsoft determined that RedVDS operated as a criminal marketplace, selling illegal software and services that enabled cybercrime. The service offered a feature-rich interface for purchasing unlicensed, low-cost Windows-based Remote Desktop Protocol servers with full administrator privileges and no usage limits — capabilities actively exploited by threat actors. The investigation also revealed that RedVDS reused a single cloned Windows host image across its environment, creating unique technical fingerprints that defenders can leverage for detection and mitigation.
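The last point above, that a provider reusing one cloned host image leaves a shared fingerprint, is the part a detection engineer can act on: legitimate users sign in from devices whose host-level identifiers are unique to each device, so the same client hostname and machine identifier showing up behind many unrelated accounts and source addresses is itself a signal. The following is an added example, not code from Microsoft or from the RedVDS write-up, and it does not use any fingerprint values from that investigation. It assumes a simplified comma-separated sign-in log with a timestamp, source IP, account, the hostname reported by the RDP client, and a hypothetical per-image machine identifier; every value in the sample is constructed.

```python
"""Flag a host fingerprint that is shared across many unrelated sign-in sessions.

Added example. The log layout and the machine_guid field are assumptions made
for illustration; real telemetry will carry different field names.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log. IPs are from RFC 5737 documentation ranges and every
# hostname, account and GUID is a placeholder, not an indicator from any report.
SAMPLE_LOG = """\
2024-05-01T08:01:00Z,203.0.113.10,a.lee@example.test,WIN-CLONE01,00000000-0000-0000-0000-0000000000aa
2024-05-01T08:05:00Z,198.51.100.7,b.chen@example.test,WIN-CLONE01,00000000-0000-0000-0000-0000000000aa
2024-05-01T09:12:00Z,203.0.113.55,c.diaz@example.test,WIN-CLONE01,00000000-0000-0000-0000-0000000000aa
2024-05-01T09:40:00Z,198.51.100.21,a.lee@example.test,WIN-CLONE01,00000000-0000-0000-0000-0000000000aa
2024-05-01T10:00:00Z,192.0.2.14,d.kim@example.test,DKIM-LAPTOP,00000000-0000-0000-0000-0000000000bb
2024-05-01T10:30:00Z,192.0.2.15,d.kim@example.test,DKIM-LAPTOP,00000000-0000-0000-0000-0000000000bb
2024-05-02T11:00:00Z,203.0.113.99,e.ito@example.test,EITO-DESKTOP,00000000-0000-0000-0000-0000000000cc
"""

Fingerprint = Tuple[str, str]  # (client hostname, machine identifier)


@dataclass(frozen=True)
class LogonEvent:
    ts: str
    src_ip: str
    account: str
    client_hostname: str
    machine_guid: str  # hypothetical identifier inherited from the host image


def parse_log(text: str) -> List[LogonEvent]:
    """Parse the constructed CSV layout; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        events.append(LogonEvent(*parts))
    return events


def fingerprint(ev: LogonEvent) -> Fingerprint:
    """A cloned image reproduces both identifiers on every server built from it."""
    return (ev.client_hostname, ev.machine_guid)


def find_shared_fingerprints(
    events: List[LogonEvent], min_sources: int = 3, min_accounts: int = 2
) -> Dict[Fingerprint, Dict[str, object]]:
    """Return fingerprints seen from at least `min_sources` distinct source IPs
    and at least `min_accounts` distinct accounts. One person using a laptop
    from home and office has several IPs but one account, so it is not flagged;
    one image serving many unrelated customers trips both thresholds."""
    ips = defaultdict(set)
    accounts = defaultdict(set)
    logons = defaultdict(int)
    for ev in events:
        fp = fingerprint(ev)
        ips[fp].add(ev.src_ip)
        accounts[fp].add(ev.account)
        logons[fp] += 1
    return {
        fp: {
            "source_ips": sorted(ips[fp]),
            "accounts": sorted(accounts[fp]),
            "logons": logons[fp],
        }
        for fp in logons
        if len(ips[fp]) >= min_sources and len(accounts[fp]) >= min_accounts
    }


if __name__ == "__main__":
    for fp, stats in find_shared_fingerprints(parse_log(SAMPLE_LOG)).items():
        print(f"shared fingerprint {fp}: {stats['logons']} logons, "
              f"{len(stats['source_ips'])} source IPs, {len(stats['accounts'])} accounts")
```

The thresholds are deliberately conservative defaults; in a real tenant they should be tuned against a baseline of shared kiosks or jump hosts, which legitimately produce the same pattern and belong on an allow list rather than in the alert queue.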

Edward Kiledjian @ekiledjian