
Microsoft Disrupts RedVDS: Inside the Takedown of a Global Windows Virtual Server Cybercrime Platform

  • Rescana
  • 15 hours ago
  • 6 min read

Executive Summary

Microsoft, in collaboration with international law enforcement agencies including Europol and German authorities, has disrupted the RedVDS cybercrime-as-a-service platform as of January 2026. RedVDS provided disposable, Windows-based virtual servers for as little as $24 per month, paid in cryptocurrency, and was used by multiple financially motivated threat actors to facilitate mass phishing, credential theft, business email compromise (BEC), and payment diversion fraud. Since March 2025, RedVDS-enabled activity has resulted in at least $40 million in fraud losses in the United States alone, with over 191,000 Microsoft email accounts compromised across 130,000 organizations worldwide since September 2025. Sectors impacted include real estate, legal, construction, manufacturing, healthcare, logistics, and education. The infrastructure was disrupted through domain seizures, server takedowns, and civil actions in the US and UK. Technical analysis revealed the use of a single cloned Windows Server 2022 image, mass mailer and phishing tools, privacy browsers, VPNs, and automation scripts. RedVDS did not own datacenters but rented from third-party providers in multiple countries, aiding evasion of geolocation-based security. No suspects have been publicly named as of the reporting date. All information in this summary is directly sourced from the Microsoft Security Blog (https://www.microsoft.com/en-us/security/blog/2026/01/14/inside-redvds-how-a-single-virtual-desktop-provider-fueled-worldwide-cybercriminal-operations/), CyberScoop (https://cyberscoop.com/microsoft-seizes-disrupts-redvds-cybercrime-marketplace/), and The Record (https://therecord.media/microsoft-redvds-cybercrime-scam).

Technical Information

RedVDS operated as a cybercrime-as-a-service platform, providing disposable, Windows-based virtual servers to threat actors globally. The service was accessible for as little as $24 per month, with payments accepted in various cryptocurrencies including Bitcoin, Litecoin, Monero, Binance Coin, Avalanche, Dogecoin, and TRON. The technical infrastructure of RedVDS was built on a single, cloned Windows Server 2022 image, with all instances sharing the same computer name (WIN-BUNS25TD77J) and technical fingerprint. This uniformity allowed defenders to identify RedVDS-provisioned hosts through RDP certificates and system telemetry (https://www.microsoft.com/en-us/security/blog/2026/01/14/inside-redvds-how-a-single-virtual-desktop-provider-fueled-worldwide-cybercriminal-operations/).

The provisioning process utilized QEMU virtualization and VirtIO drivers to rapidly generate cloned Windows instances on demand. When a customer ordered a server, an automated process copied the master VM image onto a new host, resulting in servers that were nearly identical except for IP address and, in some cases, a hostname prefix. RedVDS did not own physical datacenters; instead, it rented servers from third-party hosting providers in the United States, Canada, United Kingdom, France, and the Netherlands. This allowed threat actors to select geolocations close to their targets, aiding in the evasion of location-based security controls and blending malicious traffic with legitimate data center activity (https://cyberscoop.com/microsoft-seizes-disrupts-redvds-cybercrime-marketplace/).

RedVDS’s user interface was designed to be feature-rich and accessible, enabling cybercriminals to purchase unlicensed and inexpensive Windows-based Remote Desktop Protocol (RDP) servers with full administrator control and no usage limits. The marketplace also offered a loyalty program and referral bonuses, further incentivizing criminal activity. The service operated publicly since 2019, using domains such as redvds[.]com, redvds[.]pro, and vdspanel[.]space, and claimed to be governed by Bahamian law through a fictitious entity.

The technical toolkit observed on RedVDS instances included mass mailer utilities such as SuperMailer, UltraMailer, BlueMail, SquadMailer, and Email Sorter Pro/Ultimate; email address harvesters like Sky Email Extractor; privacy and OPSEC tools including Waterfox, Avast Secure Browser, Norton Private Browser, NordVPN, ExpressVPN, and SocksEscort; remote access software such as AnyDesk; and automation and scripting tools including Python, Microsoft Power Automate, and ChatGPT/OpenAI tools. These tools enabled threat actors to conduct mass phishing, credential harvesting, account takeover, and financial fraud with minimal friction (https://www.microsoft.com/en-us/security/blog/2026/01/14/inside-redvds-how-a-single-virtual-desktop-provider-fueled-worldwide-cybercriminal-operations/).

RedVDS infrastructure was used to send an average of one million phishing messages per day over a month, with more than 2,600 virtual machines involved. Over 30 days, more than 7,300 IP addresses linked to RedVDS infrastructure collectively hosted over 3,700 domains designed to impersonate legitimate platforms. These domains were used to harvest credentials and session tokens, allowing attackers to bypass multi-factor authentication and gain access to sensitive mailboxes (https://therecord.media/microsoft-redvds-cybercrime-scam).

The attack lifecycle typically began with the purchase of RDP access to a RedVDS server, followed by the deployment of phishing kits and mass mailers. Attackers harvested credentials and session tokens, accessed mailboxes, and searched for financial conversations, invoices, or supplier information. They then executed payment diversion fraud by inserting themselves into existing email chains and redirecting payments to attacker-controlled accounts. The uniform, disposable nature of RedVDS servers allowed cybercriminals to rapidly iterate campaigns, automate delivery at scale, and move quickly from initial targeting to financial theft.

RedVDS was operated by a threat actor tracked by Microsoft as Storm-2470 (high confidence, based on direct infrastructure and operational evidence). Other groups, including Storm-0259, Storm-2227, Storm-1575, Storm-1747, and actors using the RacoonO365 phishing service prior to its takedown in October 2025, also leveraged RedVDS infrastructure (medium confidence, based on observed infrastructure overlap and tool usage).

The attack methods observed align with several MITRE ATT&CK techniques, including Valid Accounts (T1078), External Remote Services (T1133), Command and Scripting Interpreter (T1059), Account Manipulation (T1098), Obfuscated Files or Information (T1027), Phishing (T1566), Input Capture (T1056), Email Collection (T1114), Application Layer Protocol (T1071), and Data Manipulation (T1565).

Affected Versions & Timeline

RedVDS launched its website in 2019 and operated publicly until its disruption in January 2026. The primary domains used were redvds[.]com, redvds[.]pro, and vdspanel[.]space. The service provisioned Windows Server 2022 virtual machines, all cloned from a single base image with the computer name WIN-BUNS25TD77J. The infrastructure was traced to at least five third-party hosting providers in the United States, Canada, United Kingdom, France, and the Netherlands.

Significant activity and impact were observed since March 2025, with at least $40 million in fraud losses reported in the United States alone. Since September 2025, RedVDS-enabled attacks have led to the compromise or fraudulent access of more than 191,000 Microsoft email accounts across over 130,000 organizations worldwide. The disruption of RedVDS infrastructure occurred in January 2026, following coordinated actions by Microsoft, Europol, and German authorities, including domain seizures, server takedowns, and civil actions in the US and UK (https://cyberscoop.com/microsoft-seizes-disrupts-redvds-cybercrime-marketplace/).

Threat Activity

RedVDS enabled a wide range of cybercriminal activity, primarily focused on mass phishing, credential theft, business email compromise, and payment diversion fraud. The platform was used by multiple threat actors, including Storm-2470 (operator), Storm-0259, Storm-2227, Storm-1575, Storm-1747, and users of the RacoonO365 phishing service. The service’s low cost, ease of use, and anonymity (enabled by cryptocurrency payments and privacy tools) made it attractive to cybercriminals worldwide.

Attackers used RedVDS servers to send high volumes of phishing emails, host scam infrastructure, and facilitate fraud such as business email compromise. Over a single month, more than 2,600 RedVDS virtual machines sent an average of one million phishing messages per day. These campaigns targeted organizations in sectors including real estate, legal, construction, manufacturing, healthcare, logistics, and education. Notable victims include H2 Pharma, which lost over $7.3 million, and Gatehouse Dock Condominium Association, which lost nearly $500,000 (https://cyberscoop.com/microsoft-seizes-disrupts-redvds-cybercrime-marketplace/).

In the real estate sector, over 9,000 customers in Canada and Australia were directly impacted by payment diversion fraud, with attackers targeting realtors, escrow agents, and title companies. Attackers typically broke into email accounts, monitored conversations, and inserted themselves into email chains in advance of payments or wire transfers. By impersonating trusted parties, they were able to divert funds before organizations realized the fraud had occurred (https://therecord.media/microsoft-redvds-cybercrime-scam).

The technical indicators associated with RedVDS activity include the unique computer name WIN-BUNS25TD77J, consistent use of a Windows Eval 2022 license, and a recurring set of mass mailer, privacy, and automation tools. Over 7,300 IP addresses and 3,700 domains were linked to RedVDS infrastructure, many of which were used to impersonate legitimate platforms and harvest credentials.

Mitigation & Workarounds

The following mitigation strategies are prioritized by severity:

Critical: Organizations should immediately review authentication logs and email account activity for evidence of unauthorized access, especially from hosts with the computer name WIN-BUNS25TD77J or from IP addresses associated with third-party hosting providers in the United States, Canada, United Kingdom, France, and the Netherlands. Any accounts showing signs of compromise should have credentials reset and multi-factor authentication (MFA) enforced.

High: Security teams should update detection rules to identify RDP connections from hosts with the unique technical fingerprint associated with RedVDS (WIN-BUNS25TD77J, Windows Eval 2022 license). Review and block known malicious IP addresses and domains linked to RedVDS infrastructure. Implement strict controls on the use of RDP and restrict access to only trusted, managed devices.
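The two fingerprint checks above (the shared computer name, tolerant of the optional hostname prefix noted in the Technical Information section, and the Windows Eval 2022 license) can be turned into a simple triage script. The example below is added here and is not Microsoft's or Rescana's code; the log records are constructed, and the JSON field names and the way the OS edition string renders the evaluation license are assumptions about how a SIEM or RDP gateway might export this telemetry.

```python
import json

# Fingerprint values reported for RedVDS-cloned hosts.
REDVDS_COMPUTER_NAME = "WIN-BUNS25TD77J"

# Constructed sample records (not real telemetry): one JSON object per line,
# approximating RDP/sign-in events that expose the remote client's computer name,
# reported OS edition, source IP and whether the logon succeeded. Field names are assumed.
SAMPLE_LOG = """\
{"ts":"2026-01-10T08:12:03Z","user":"alice@example.test","src_ip":"203.0.113.10","client_name":"WIN-BUNS25TD77J","os":"Windows Server 2022 Eval","ok":true}
{"ts":"2026-01-10T08:15:41Z","user":"bob@example.test","src_ip":"198.51.100.7","client_name":"LAPTOP-BOB","os":"Windows 11 Pro","ok":true}
{"ts":"2026-01-10T09:02:19Z","user":"carol@example.test","src_ip":"203.0.113.44","client_name":"eu1-WIN-BUNS25TD77J","os":"Windows Server 2022 Eval","ok":false}
{"ts":"2026-01-10T09:30:00Z","user":"dave@example.test","src_ip":"192.0.2.9","client_name":"DC01","os":"Windows Server 2022 Standard","ok":true}
"""


def fingerprint_hits(record):
    """Return the list of RedVDS fingerprint indicators matched by one record."""
    reasons = []
    name = (record.get("client_name") or "").upper()
    # Clones were identical except for the IP and, sometimes, a hostname prefix,
    # so match on the name as a suffix rather than requiring an exact match.
    if name.endswith(REDVDS_COMPUTER_NAME):
        reasons.append("computer_name")
    os_str = (record.get("os") or "").lower()
    # Assumed rendering of the evaluation license: an edition string carrying both
    # "eval" and "2022". A licensed 2022 Standard host must not match.
    if "eval" in os_str and "2022" in os_str:
        reasons.append("eval_license")
    return reasons


def scan_log(text):
    """Parse JSON-lines telemetry and return one finding per record with any hit."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = fingerprint_hits(rec)
        if reasons:
            findings.append({"user": rec["user"], "src_ip": rec["src_ip"],
                             "client_name": rec["client_name"],
                             "reasons": reasons, "succeeded": bool(rec["ok"])})
    return findings


def accounts_to_triage(findings):
    """Accounts with a successful session from a fingerprinted host: reset credentials, enforce MFA."""
    return sorted({f["user"] for f in findings if f["succeeded"]})
```

Failed logons from fingerprinted hosts are still worth keeping as findings, since they show which accounts are being targeted even before a compromise succeeds.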

High: Conduct targeted phishing awareness training for employees, with a focus on identifying business email compromise and payment diversion fraud tactics. Emphasize the risks of urgent payment requests and changes to payment account information.

Medium: Review and harden email filtering and anti-phishing controls to detect and block mass phishing campaigns and credential harvesting attempts. Monitor for the use of mass mailer tools and automation scripts within the organization’s environment.

Medium: Audit and restrict the use of privacy browsers, VPNs, and remote access tools such as AnyDesk on corporate systems, as these are commonly used by threat actors to evade detection and maintain persistence.

Low: Monitor for the use of automation and scripting tools such as Python, Microsoft Power Automate, and ChatGPT/OpenAI tools, especially in contexts where such tools are not required for business operations.

Organizations are advised to stay informed of new indicators of compromise and threat intelligence updates related to RedVDS and similar cybercrime-as-a-service platforms. Collaboration with law enforcement and industry partners is recommended for ongoing threat monitoring and response.

References

Microsoft Security Blog, January 14, 2026: https://www.microsoft.com/en-us/security/blog/2026/01/14/inside-redvds-how-a-single-virtual-desktop-provider-fueled-worldwide-cybercriminal-operations/

CyberScoop, January 14, 2026: https://cyberscoop.com/microsoft-seizes-disrupts-redvds-cybercrime-marketplace/

The Record, January 14, 2026: https://therecord.media/microsoft-redvds-cybercrime-scam

About Rescana

Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor and assess the security posture of their vendors and supply chain partners. Our platform supports the identification of exposed infrastructure, detection of suspicious remote access services, and monitoring for credential compromise and phishing activity across the extended enterprise. For questions or further information, contact us at ops@rescana.com.
