Midnight Blizzard Targets Networks With Signed RDP Files

Published: 23/11/2024   Category: security



The Russian-backed group is using a novel access vector to harvest victim data and compromise devices in a large-scale intelligence-gathering operation.



Midnight Blizzard, a threat group linked to Russia's foreign intelligence service, is stoking more concern than usual, both for the sheer scope of its latest campaign and for its use of a new tactic to harvest information and gain control of victim systems.
Microsoft this week said its threat intelligence group observed Midnight Blizzard actors sending out thousands of spear-phishing emails to targeted individuals at more than 100 organizations worldwide since Oct. 22.
Besides its wide scope, the campaign is noteworthy for Midnight Blizzard's use of a digitally signed Remote Desktop Protocol (RDP) configuration file in its spear-phishing emails. The RDP file connects to a server controlled by the threat actor; when the file is opened, it allows the attacker to harvest user credentials and detailed system information to aid further exploit activity.
"The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of zero trust," Microsoft said on its threat intelligence group blog this week. Microsoft has observed this campaign targeting governmental agencies, higher education, defense, and non-governmental organizations in dozens of countries, but particularly in the UK, Europe, Australia, and Japan.
Midnight Blizzard — aka Cozy Bear, APT29, and UNC2452 — has been the proverbial thorn in the side of security organizations for some years now. The group's many victims include SolarWinds, Microsoft, HPE, multiple US federal government agencies, and diplomatic entities worldwide. Its well-documented tactics, techniques, and procedures (TTPs) include using spear phishing, stolen credentials, and supply chain attacks for initial access. Midnight Blizzard actors have also targeted vulnerabilities in widely used networking and collaboration technologies such as those from Fortinet, Pulse Secure, Citrix, and Zimbra to gain an initial toehold on a target network.
The RDP file in the Microsoft, AWS, and zero-trust themed emails in Midnight Blizzard's latest campaign allows the attacker to establish a quick, bidirectional connection with a compromised device. The threat actor is using it to harvest a range of information, including user credentials; files and directories on the victim system and connected network drives; information from connected smart cards and other peripherals; Web authentication credentials; and clipboard data. The RDP file is signed with a Let's Encrypt certificate to lend it an air of legitimacy. "This access could enable the threat actor to install malware on the target's local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access Trojans (RATs) to maintain access when the RDP session is closed," Microsoft cautioned.
Stephen Kowski, field CTO at SlashNext, says Midnight Blizzard's use of signed RDP files in its current campaign is significant. "Signed RDP files can bypass traditional security controls since they appear to come from a legitimate source," he points out.
"This technique is particularly cunning because RDP files are commonly used in business environments, making them less likely to raise immediate suspicion, while the legitimate signature helps evade standard malware detection systems," he says. He advocates that organizations scan all email attachments in real time, with a particular focus on RDP files and other seemingly legitimate Microsoft-related content. "The use of legitimately signed files creates a significant blind spot for conventional security tools that rely heavily on signature-based detection or reputation scoring," Kowski advises.
Microsoft has released a list of indicators of compromise for the new Midnight Blizzard campaign, including email sender domains, RDP files, and RDP remote computer domains. It has recommended that security teams review their organizational email security settings and antivirus and anti-phishing measures; turn on Safe Links and Safe Attachments settings in Office 365; and enable measures for quarantining sent email if needed. Other recommendations include using firewalls to block RDP connections, implementing multifactor authentication, and strengthening endpoint security configurations.
Venky Raju, field CTO at ColorTokens, says the campaign is a reminder of why organizations need to maintain a tight rein over the use of Microsoft's remote desktop. While it can be useful to share devices, folders, and clipboard content over an RDP session, it gives attackers a way into a user's device. "Signing the RDP configuration file may prevent email security systems from classifying the email as having a suspicious link or attachment. It may also reduce the warnings presented by the RDP client," he points out.
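The attachment scanning Kowski recommends, and the resource-redirection settings the article says the RDP file abuses (drives, smart cards, Web authentication, clipboard), can be checked mechanically: an .rdp file is plain text with one `name:type:value` line per setting. The triage script below is an added example, not code from Microsoft or the researchers quoted; the sample file and the trusted-host list are constructed, the signature blob is a placeholder, and the script does not validate the signature (a valid signature is not evidence of trust, which is the campaign's whole point).

```python
"""Triage an .rdp attachment: flag an unknown remote host, local-resource
redirection settings, and the presence of a file signature."""
import re

# One setting per line: "name:type:value", type is s (string), i (int), b (binary)
RDP_LINE = re.compile(r"^([^:]+):([sib]):(.*)$")

# Redirection settings that expose local resources to the remote host,
# paired with the test for "enabled". Assumption: standard mstsc key names.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() not in ("", "0"),   # local drives
    "devicestoredirect": lambda v: v.strip() not in ("", "0"),  # PnP devices
    "redirectsmartcards": lambda v: v == "1",
    "redirectclipboard": lambda v: v == "1",
    "redirectwebauthn": lambda v: v == "1",                     # web auth creds
    "redirectcomports": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
}

def parse_rdp(text):
    """Return {setting name (lowercased): raw value} for well-formed lines."""
    settings = {}
    for line in text.splitlines():
        m = RDP_LINE.match(line.strip())
        if m:
            settings[m.group(1).lower()] = m.group(3)
    return settings

def triage_rdp(text, trusted_hosts=()):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    s = parse_rdp(text)
    findings = []
    target = s.get("full address", "")
    host = target.split(":")[0].lower()          # strip an optional :port
    if host and host not in {h.lower() for h in trusted_hosts}:
        findings.append(f"connects to untrusted host {target}")
    for name, enabled in RISKY_SETTINGS.items():
        if name in s and enabled(s[name]):
            findings.append(f"{name} redirection enabled")
    if "signature" in s:
        findings.append("file carries a signature; signed does not mean trusted")
    return findings

# Constructed sample attachment (hostname and signature are placeholders).
SAMPLE_RDP = """screen mode id:i:2
full address:s:remote.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
signscope:s:Full Address,Drive Store Direct
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""

if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE_RDP, trusted_hosts=("rdp.corp.example",)):
        print("FLAG:", finding)
```

Any single finding on an inbound mail attachment is enough to quarantine it for review; a benign internal .rdp file pointing at a known gateway with redirection disabled produces none.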
