RDStealer: The Custom Malware Behind a Highly-Targeted Cyber Attack

Every day, the digital world faces new cybersecurity threats and attacks. One of these threats that has recently emerged is the RDStealer, a custom malware that was used in a highly targeted cyber attack against an East Asian IT company. This attack highlights the growing sophistication of modern cyber attacks and the increasing importance of credentials and saved connections.

Overview of the Targeted Cyber Attack against an East Asian IT Company

The targeted cyber-attack was launched against an East Asian IT company with the aim of compromising its credentials and exfiltrating data. The attack had been in operation for over a year, with the attackers focusing on stealing sensitive data from the IT company’s network.

Duration and goal of the operation

The RDStealer malware was used in the cyber attack and was designed with the goal of continuously gathering clipboard content and keystroke data from infected hosts. The attackers were able to remain undetected for over a year as a result of this technique.

Machines infected during the incident

According to the security firm Bitdefender, all the machines that were infected during the incident were manufactured by Dell. The attackers may have chosen this approach to camouflage their malicious activity, making it more difficult to detect by IT staff.

The attack was characterized by the use of a server-side backdoor called RDStealer. This backdoor malware is written in Golang and is specifically designed to steal sensitive data. It monitors clipboard activity and keystrokes, and it also has the capability to monitor incoming Remote Desktop Protocol (RDP) connections.

The RDStealer malware is particularly formidable due to its capability to monitor incoming RDP connections and compromise a remote machine if client drive mapping is enabled. When a new RDP client connection is detected, the malware issues commands to exfiltrate sensitive data, such as browsing history, credentials, and private keys from apps like mRemoteNG, KeePass, and Google Chrome.

Exfiltration of sensitive data by RDStealer

The sensitive data that RDStealer can steal from infected machines is significant. The malware can steal everything from browser history to saved credentials, and even private keys from various apps. This can include data from apps such as KeePass, Google Chrome, and other password management tools.

The RDP clients that are connected are infected with another Golang-based custom malware, called Logutil. This malware is used to maintain a persistent foothold on the victim network using DLL side-loading techniques and to facilitate command execution. The use of two different custom malware pieces indicates that the attackers were well-prepared and sophisticated.

Limited information is available about the threat actor. Not much is known about the individual or group responsible for this targeted cyber attack, except that it has been active since at least 2020. The attackers have chosen to remain anonymous and they have not yet been identified.

The increasing sophistication of modern cyber attacks and the importance of credentials and saved connections are highlighted by the use of custom malware such as RDStealer. Attackers are continuously devising new techniques to infiltrate their target’s networks and steal confidential data. This attack emphasizes the significance of securing credentials and saved connections as they can be compromised and utilized to extract sensitive information.

Custom malware such as RDStealer poses a clear and present danger that IT managers and cybersecurity professionals must be aware of. Keeping up-to-date with the latest techniques and methods used by attackers can help organizations prepare and defend against them. As cyber attacks become more sophisticated, it is critical for organizations to remain vigilant and take proactive measures to protect their networks and data.

Explore more

Can a Unified ERP System Future-Proof Levi Strauss?

Establishing a seamless digital environment for a brand that spans over a hundred nations is a monumental undertaking that requires more than just standard software updates. Currently, Levi Strauss & Co. is navigating a profound transformation of its digital infrastructure, aiming for a mid-2027 completion of a fully integrated global enterprise resource planning system. This strategic overhaul is not merely

Ethereum Faces $10 Billion Liquidation Risk Near $2,000

The current trajectory of Ethereum suggests a massive collision between aggressive retail speculation and sophisticated institutional sell-side pressure as the asset hovers near the $2,000 psychological threshold. This specific price point has historically served as a pivot for broader market sentiment, influencing the behavior of various decentralized finance protocols and secondary layer-two scaling solutions. Currently, the market exhibits a state

ClickLock Malware Coerces macOS Users to Surrender Passwords

Traditional macOS security architectures have long been celebrated for their robust sandboxing and gated execution, yet a new strain of malware is proving that the human element remains the most vulnerable entry point in any digital ecosystem. This threat, known as ClickLock, has emerged as a particularly aggressive evolution in the macOS threat landscape by prioritizing psychological pressure and social

Stalled Windows 11 Migration Poses Growing Security Risks

The global landscape of enterprise computing is currently grappling with a persistent digital divide as a significant segment of users continues to rely on Windows 10 despite the availability of more secure alternatives. The current ecosystem of digital infrastructure remains tethered to legacy architecture, with recent telemetry indicating that approximately one in six workstations worldwide continues to operate on Windows

How Is OpenAI Redefining AI With Precision Engineering?

The shift from experimental conversationalists to precise engineering tools has fundamentally altered the landscape of digital productivity and high-performance computing in 2026. This transition is marked by a move away from the early excitement surrounding generative models toward a rigorous framework centered on deep optimization and granular control. OpenAI has spearheaded this movement with the introduction of the GPT-5.6 Sol