Just 21 IP Addresses Are Now Behind Nearly Half of All RDP Scanning on the Internet
ATT&CK techniques detected
T1021.001Remote Desktop Protocol
67%
"rdp - related share to ~ 88 %. inside the fleet as213438 had 32 active ip addresses in the 48 - hour window, but only 21 of them are tagged by greynoise as rdp crawler — the fleet behind the headline numbers. the remaining 11 ips in the asn are engaged in unrelated activity : web…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1021.001Remote Desktop Protocol
57%
"just 21 ip addresses are now behind nearly half of all rdp scanning on the internet a fleet of 21 ip addresses is now generating nearly half of all the rdp scanning traffic on the public internet. on april 7, 2026 alone, those ips produced 1, 856, 167 of the 2, 753, 274 rdp crawl…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
Summary
GreyNoise uncovers a concentrated RDP scanning campaign, revealing infrastructure patterns, rapid traffic shifts that impact detection, and recommendations for defenders.