
Remote Desktop Exploitation: A Deep Dive into Midnight Blizzard’s RDP Phishing Tactics
In late 2024, Russian state-sponsored threat actor APT29 (Midnight Blizzard) launched a sophisticated spear-phishing campaign leveraging weaponized .rdp files to gain covert access to critical infrastructure across the globe. This talk dissects the operation through the lens of CERT-UA#116903, demonstrating how adversaries abused Remote Desktop Protocol (RDP) in an unexpected, reverse-access fashion. We’ll explore how APT29 leveraged signed .rdp files and social engineering to lure victims across governments, NGOs, and academia. From infrastructure preparation and phishing lures to stealthy execution and persistent access, the session walks through every stage of the kill chain.
Speaker
Mickey De Baets
Lead Offensive Security Engineer
Mickey De Baets, a seasoned Penetration Tester, Red Teamer, and currently Lead Offensive Security Engineer at Vectra AI, brings a wealth of expertise in offensive security, focusing on complex threat landscapes. With a strong background in Red Teaming, Mickey actively contributes to cybersecurity education, teaching at Thomas More and hosting community meetups as a Belgian Hack The Box Ambassador.