RDStealer: The Custom Malware Behind a Highly-Targeted Cyber Attack

Every day, the digital world faces new cybersecurity threats and attacks. One of these threats that has recently emerged is the RDStealer, a custom malware that was used in a highly targeted cyber attack against an East Asian IT company. This attack highlights the growing sophistication of modern cyber attacks and the increasing importance of credentials and saved connections.

Overview of the Targeted Cyber Attack against an East Asian IT Company

The targeted cyber-attack was launched against an East Asian IT company with the aim of compromising its credentials and exfiltrating data. The attack had been in operation for over a year, with the attackers focusing on stealing sensitive data from the IT company’s network.

Duration and goal of the operation

The RDStealer malware was used in the cyber attack and was designed with the goal of continuously gathering clipboard content and keystroke data from infected hosts. The attackers were able to remain undetected for over a year as a result of this technique.

Machines infected during the incident

According to the security firm Bitdefender, all the machines that were infected during the incident were manufactured by Dell. The attackers may have chosen this approach to camouflage their malicious activity, making it more difficult to detect by IT staff.

The attack was characterized by the use of a server-side backdoor called RDStealer. This backdoor malware is written in Golang and is specifically designed to steal sensitive data. It monitors clipboard activity and keystrokes, and it also has the capability to monitor incoming Remote Desktop Protocol (RDP) connections.

The RDStealer malware is particularly formidable due to its capability to monitor incoming RDP connections and compromise a remote machine if client drive mapping is enabled. When a new RDP client connection is detected, the malware issues commands to exfiltrate sensitive data, such as browsing history, credentials, and private keys from apps like mRemoteNG, KeePass, and Google Chrome.

Exfiltration of sensitive data by RDStealer

The sensitive data that RDStealer can steal from infected machines is significant. The malware can steal everything from browser history to saved credentials, and even private keys from various apps. This can include data from apps such as KeePass, Google Chrome, and other password management tools.

The RDP clients that are connected are infected with another Golang-based custom malware, called Logutil. This malware is used to maintain a persistent foothold on the victim network using DLL side-loading techniques and to facilitate command execution. The use of two different custom malware pieces indicates that the attackers were well-prepared and sophisticated.

Limited information is available about the threat actor. Not much is known about the individual or group responsible for this targeted cyber attack, except that it has been active since at least 2020. The attackers have chosen to remain anonymous and they have not yet been identified.

The increasing sophistication of modern cyber attacks and the importance of credentials and saved connections are highlighted by the use of custom malware such as RDStealer. Attackers are continuously devising new techniques to infiltrate their target’s networks and steal confidential data. This attack emphasizes the significance of securing credentials and saved connections as they can be compromised and utilized to extract sensitive information.

Custom malware such as RDStealer poses a clear and present danger that IT managers and cybersecurity professionals must be aware of. Keeping up-to-date with the latest techniques and methods used by attackers can help organizations prepare and defend against them. As cyber attacks become more sophisticated, it is critical for organizations to remain vigilant and take proactive measures to protect their networks and data.

Explore more

Is AI Fueling Microsoft’s Record-Breaking 570 Patches?

The sheer volume of security vulnerabilities emerging within the enterprise ecosystem has reached a critical inflection point, forcing a fundamental reassessment of how major software vendors manage their codebases. As Microsoft crosses the threshold of issuing 570 distinct patches within a single reporting cycle, industry analysts are looking closely at the underlying drivers of this surge. A primary suspect in

Claude or GitHub Copilot: Which Is Best for Your Enterprise?

The current landscape of corporate technology has shifted fundamentally as generative artificial intelligence moves from being a speculative novelty to a central pillar of global production infrastructure. Today’s enterprises are no longer merely experimenting with automation or basic chatbots; they are actively integrating sophisticated “smart workers” directly into their most sensitive IT frameworks to maintain a competitive edge. This evolution

How AI Revolutionizes Social Media Analytics in 2026

The rapid integration of generative models into social media infrastructure has fundamentally altered how organizations interpret the chaotic flow of digital information. No longer are marketing professionals forced to manually sift through endless spreadsheets or rely on delayed monthly reports to understand consumer sentiment. Instead, the current technological environment provides a seamless stream of real-time intelligence that identifies shifts in

The Structural Shift Toward Creator Equity in B2B Marketing

The era of the transactional influencer campaign has reached a decisive turning point as sophisticated organizations begin to realize that renting an audience for a few weeks is far less effective than owning a share of the attention economy through permanent equity partnerships. For years, the standard operating procedure for Business-to-Business marketing involved paying flat fees for sponsored posts or

SMBs Must Adopt AI Defense to Match Rapid Cyber Threats

The sophisticated landscape of digital warfare has reached a point where manual intervention is no longer a viable primary defense mechanism for small and medium-sized enterprises. Cybercriminals are currently leveraging advanced automation and generative models to execute reconnaissance that used to take months in a matter of mere hours or even minutes. This shift in the threat actor’s playbook allows