Inside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations
Essential information
- Published: 14/01/2026 19:24
- Modified: 15/01/2026 11:31
- Tags: 2026-01-14, account takeover, business email compromise, cryptocurrency, cybercrime, financial fraud, phishing, redvds, windows rdp
- Related entities: 1 observables, 1 intrusion sets (apt), 11 techniques (mitre), 15 others
Description
RedVDS, a virtual dedicated server provider, has been used by multiple financially motivated threat actors for business email compromise, phishing, account takeover, and financial fraud. The service offers inexpensive Windows-based RDP servers with full administrator control, which attracts cybercriminals worldwide. Microsoft's investigation revealed a global network of operators targeting multiple sectors across various countries. RedVDS provisions every server from a single, cloned Windows host image, which leaves unique technical fingerprints on each host. The service accepts payment in cryptocurrency and supports various digital currencies. Microsoft's analysis uncovered the infrastructure, provisioning methods, and tools deployed on RedVDS hosts, including mass mailers, email harvesters, privacy tools, and automation scripts.