
Microsoft legal action disrupts RedVDS cybercrime infrastructure used for online fraud

By user, January 15, 2026

RedVDS Cybercrime Infrastructure

Microsoft announced Wednesday that it has taken “coordinated legal action” in the United States and United Kingdom to disrupt a cybercrime subscription service called RedVDS that is said to have caused millions in fraudulent losses.

The tech giant said the effort was part of a broader operation, carried out in collaboration with law enforcement authorities, to seize malicious infrastructure and take the illegal service (“redvds[.]com”) offline.

“For just $24 a month, RedVDS provides criminals with access to a disposable virtual computer, making fraud cheaper, more scalable, and harder to track,” said Steven Masada, Assistant Attorney General in Microsoft’s Digital Crimes Division. “Since March 2025, approximately USD 40 million in fraudulent losses have been reported in the United States alone due to RedVDS-enabled activity.”

Crimeware-as-a-Service (CaaS) services have become an increasingly lucrative business model, transforming cybercrime from a once exclusive domain requiring technical expertise to an underground economy where even inexperienced and ambitious attackers can execute complex attacks quickly and at scale.

These turnkey services span a wide range of modular tools, from phishing kits to stealers to ransomware, effectively contributing to the professionalization of cybercrime and emerging as catalysts for advanced attacks.

RedVDS was advertised as an online subscription service that provided cheap, disposable virtual computers running unlicensed software such as Windows to enable criminals to operate anonymously, send mass phishing emails, host fraudulent infrastructure, conduct business email compromise (BEC) schemes, perform account takeovers, and facilitate financial fraud, Microsoft said.

Specifically, it served as a hub for purchasing unlicensed, inexpensive Windows-based Remote Desktop Protocol (RDP) servers over which users had full administrative control through a feature-rich user interface, with no usage restrictions. In addition to offering servers in Canada, the United States, France, the Netherlands, Germany, Singapore, and the United Kingdom, RedVDS also provided a reseller panel to create sub-users and grant them access to manage the servers without sharing access to the main site.


The website’s FAQ section states that users can utilize the Telegram bot to manage their servers from within the Telegram app instead of logging into the site. Notably, the service did not maintain activity logs, making it an attractive option for abuse.

RedVDS was promoted as a way to “increase productivity and work from home comfortably and easily,” according to a snapshot captured in the Internet Archive. Administrators said on the now-seized website that the service was first established in 2017 and operated on Discord, ICQ, and Telegram. The website was launched in 2019.

“RedVDS is frequently combined with generative AI tools that help identify high-value targets more quickly and generate more realistic multimedia message email threads that mimic legitimate communications,” the company said, adding that “attackers have been observed to further enhance their deception by leveraging face-swapping, video manipulation, and voice-cloning AI tools to impersonate individuals and deceive victims.”

RedVDS Tools Infrastructure

Since September 2025, RedVDS-powered attacks have reportedly targeted or compromised more than 191,000 organizations around the world, highlighting the far-reaching impact of the service.

The Windows maker, which tracks the developers and maintainers of RedVDS under the nickname Storm-2470, announced that it had identified a “global network of disparate cybercriminals” using infrastructure provided by criminal markets to attack multiple sectors, including law, construction, manufacturing, real estate, healthcare, and education in the United States, Canada, United Kingdom, France, Germany, Australia, and other countries with significant targeting of banking infrastructure.

RedVDS attack chain

Notable threat actors include Storm-2227, Storm-1575, Storm-1747, and phishing actors who used the RaccoonO365 phishing kit before it was suspended in September 2025. This infrastructure was specifically used to host a toolkit consisting of both malicious and dual-use software:

  • Bulk spam/phishing email tools such as SuperMailer, UltraMailer, BlueMail, SquadMailer, and Email Sorter Pro/Ultimate
  • Email address harvesters such as Sky Email Extractor that collect or verify bulk email addresses
  • Privacy and OPSEC tools such as Waterfox, Avast Secure Browser, Norton Private Browser, NordVPN, and ExpressVPN
  • Remote access tools such as AnyDesk

An attacker allegedly used a provisioned host to programmatically (and unsuccessfully) send emails via Microsoft Power Automate (Flow) using Excel. Meanwhile, other RedVDS users leveraged ChatGPT or other OpenAI tools to create phishing lures, gather information about organizational workflows to commit fraud, and distribute phishing messages aimed at harvesting credentials and taking control of victims’ accounts.

RedVDS products

The ultimate goal of these attacks is to perform a convincing BEC scam. This allows threat actors to infiltrate legitimate email conversations with suppliers and issue fraudulent invoices to trick targets into transferring funds to mule accounts under their control.

Interestingly, its terms of service prohibited customers from using RedVDS to send phishing emails, distribute malware, transmit illegal content, scan systems for security vulnerabilities, or participate in denial of service (DoS) attacks. This suggests that the operators were trying to limit or eliminate their liability.


Microsoft further said, “We have seen attacks that show thousands of stolen credentials, stolen invoices from targeted organizations, mass emailers, phishing kits, and multiple Windows hosts all created from the same base Windows installation.”

“Additional investigation revealed that most of the hosts were created using a single computer ID, meaning the same Windows Eval 2022 license was used to create these hosts. By creating images using stolen licenses, Storm-2470 provided services at a significantly lower cost, making it attractive for attackers to purchase or acquire RedVDS services.”

The virtual Windows cloud servers were generated from a single Windows Server 2022 image and accessed through RDP. All instances identified were using the same computer name, WIN-BUNS25TD77J. Storm-2470 is believed to have created a single Windows virtual machine (VM) and repeatedly cloned it without changing the system identity.

Cloned Windows instances are created on demand using Quick Emulator (QEMU) virtualization technology combined with the VirtIO driver, with an automated process that copies the master virtual machine (VM) image to a new host each time a server is ordered in exchange for a cryptocurrency payment. This strategy allowed new RDP hosts to be brought up within minutes, allowing cybercriminals to expand their operations.
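The shared computer name and machine ID described in the two passages above (the quoted Microsoft findings and the QEMU cloning process) are an artifact defenders can look for on their own side: when a fleet of hosts is cloned without re-identifying them, the same client name shows up in a victim organisation's sign-in audit trail from many unrelated source addresses. The following Python script is an added example written for this page, not Microsoft's or RedVDS's code; the key=value log format and every record in it are constructed for illustration, and the `WIN-BUNS25TD77J` name is the one the article reports.

```python
"""Flag client workstation names that arrive from many distinct source IPs.

A host fleet cloned from one master image without changing the system
identity presents one computer name everywhere it connects. In an
organisation's own authentication logs, a single client name seen from
several unrelated IP addresses against several accounts is a cheap
triage signal. Log format and records below are constructed for this
example and are not real telemetry.
"""
import re
from collections import defaultdict

# Constructed sample records in a Windows-event-like key=value style.
# Only WIN-BUNS25TD77J (the name reported in the article) appears from
# multiple source addresses; FIN-LAPTOP-04 is a normal single-origin client.
SAMPLE_LOG = """\
2026-01-10T09:12:44Z EventID=4624 LogonType=3 WorkstationName=WIN-BUNS25TD77J IpAddress=203.0.113.10 TargetUserName=a.lee
2026-01-10T09:13:02Z EventID=4624 LogonType=3 WorkstationName=WIN-BUNS25TD77J IpAddress=198.51.100.7 TargetUserName=b.ortiz
2026-01-10T09:15:19Z EventID=4625 LogonType=3 WorkstationName=WIN-BUNS25TD77J IpAddress=192.0.2.55 TargetUserName=c.nair
2026-01-10T09:20:01Z EventID=4624 LogonType=3 WorkstationName=WIN-BUNS25TD77J IpAddress=203.0.113.10 TargetUserName=a.lee
2026-01-10T10:02:30Z EventID=4624 LogonType=2 WorkstationName=FIN-LAPTOP-04 IpAddress=10.20.30.41 TargetUserName=d.kim
2026-01-10T10:05:11Z EventID=4624 LogonType=3 WorkstationName=FIN-LAPTOP-04 IpAddress=10.20.30.41 TargetUserName=d.kim
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into a list of field dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        timestamp, _, rest = line.partition(" ")
        fields = dict(FIELD_RE.findall(rest))
        fields["Timestamp"] = timestamp
        events.append(fields)
    return events


def find_shared_client_names(events, min_distinct_ips=3):
    """Return client names seen from at least min_distinct_ips addresses.

    Both successful (4624) and failed (4625) logons count: a cloned host
    used for credential testing will leave failures too. Each hit carries
    the sorted set of source IPs and of account names it touched.
    """
    ips_by_name = defaultdict(set)
    users_by_name = defaultdict(set)
    for ev in events:
        name = ev.get("WorkstationName")
        ip = ev.get("IpAddress")
        if not name or not ip or ip == "-":
            continue  # no usable client identity on this record
        ips_by_name[name].add(ip)
        if ev.get("TargetUserName"):
            users_by_name[name].add(ev["TargetUserName"])
    return {
        name: {"ips": sorted(ips), "users": sorted(users_by_name[name])}
        for name, ips in ips_by_name.items()
        if len(ips) >= min_distinct_ips
    }


if __name__ == "__main__":
    for name, hit in find_shared_client_names(parse_events(SAMPLE_LOG)).items():
        print(f"{name}: {len(hit['ips'])} source IPs, accounts {hit['users']}")
```

The threshold is deliberately a parameter: in a large estate a VPN concentrator or a terminal-server farm can legitimately present one client name from several addresses, so the hits are a triage list to enrich with ASN and geolocation, not a verdict.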

“Threat actors used RedVDS because it provided a permissive, low-cost, and resilient environment in which they could initiate and conceal multiple stages of their operations,” Microsoft said. “Once provisioned, these cloned Windows hosts provide attackers with a ready-made platform to probe targets, stage phishing infrastructure, steal credentials, take over mailboxes, and perform impersonation-based financial fraud with minimal friction.”
