

Ethical Hacking News

Microsoft Takes Down RedVDS: A Sophisticated Cybercrime Infrastructure Disrupted



Microsoft has taken down RedVDS, a sophisticated cybercrime infrastructure used for online fraud. The tech giant's coordinated legal action disrupted the illicit service, which provided access to disposable virtual computers that made fraud cheap, scalable, and difficult to trace. Since its disruption, threat actors have lost access to their malicious infrastructure and are no longer able to carry out complex attacks quickly and at scale. RedVDS was a prime example of how crimeware-as-a-service (CaaS) offerings have become increasingly lucrative, transforming cybercrime into an underground economy where even inexperienced threat actors can carry out sophisticated attacks.

  • RedVDS, a cybercrime infrastructure, was disrupted by Microsoft's coordinated legal action.
  • The service provided disposable virtual computers for online fraud, with losses estimated at $40 million in the US and over 191,000 organizations compromised worldwide.
  • Crimeware-as-a-service (CaaS) offerings have become increasingly lucrative, allowing inexperienced threat actors to carry out complex attacks quickly and at scale.
  • RedVDS was a turnkey service that offered phishing kits, stealers, ransomware, and other malicious tools, making it an attractive choice for cybercriminals.
  • The service provided a low-cost, resilient environment for cybercriminals to launch and conceal multiple stages of their operation.
  • Threat actors used RedVDS to send phishing emails, host scam infrastructure, conduct BEC schemes, and facilitate financial fraud.
  • The service was launched in 2019 and operated on Discord, ICQ, and Telegram, with a lack of activity logs making it an attractive choice for illicit use.



    RedVDS, a notorious cybercrime infrastructure used for online fraud, has been disrupted by Microsoft's coordinated legal action. The tech giant, in collaboration with law enforcement authorities, has successfully confiscated the malicious infrastructure and taken the illicit service offline.

    For as little as $24 a month, RedVDS provided criminals with access to disposable virtual computers that made fraud cheap, scalable, and difficult to trace. Since March 2025, RedVDS-enabled activity has driven roughly $40 million in reported fraud losses in the United States alone. The impact was not limited to the US: more than 191,000 organizations worldwide are estimated to have been compromised or to have had fraudulent access gained to their systems.

    Crimeware-as-a-service (CaaS) offerings have become increasingly lucrative, transforming cybercrime from an exclusive domain requiring technical expertise into an underground economy where even inexperienced and aspiring threat actors can carry out complex attacks quickly and at scale. These turnkey services span a wide spectrum of modular tools, ranging from phishing kits to stealers to ransomware.

    RedVDS was advertised as an online subscription service that provided cheap, disposable virtual computers running unlicensed software, including Windows. This allowed criminals to operate anonymously and send high-volume phishing emails, host scam infrastructure, carry out business email compromise (BEC) schemes, conduct account takeovers, and facilitate financial fraud. The service offered a reseller panel for creating sub-users and granting them access to manage the servers without sharing access to the main site.

    The website noted that users could manage their servers through its Telegram bot instead of logging in to the site. The service kept no activity logs, which made it an attractive choice for illicit use. RedVDS was operated on Discord, ICQ, and Telegram, and its website launched in 2019.

    Microsoft identified a global network of disparate cybercriminals leveraging the infrastructure provided by the criminal marketplace to strike multiple sectors, including legal, construction, manufacturing, real estate, healthcare, and education. The virtual Windows cloud servers were cloned from a single Windows Server 2022 image and exposed to customers over RDP. All identified instances used the same computer name, WIN-BUNS25TD77J.

    The cloned Windows instances are created on demand using Quick Emulator (QEMU) virtualization technology combined with VirtIO drivers. This strategy made it possible to spin up fresh RDP hosts within minutes, allowing cybercriminals to scale their operations. Threat actors used RedVDS because it provided a highly permissive, low-cost, resilient environment where they could launch and conceal multiple stages of their operation.

    Microsoft said that threat actors used the provisioned hosts to programmatically send emails via Microsoft Power Automate (Flow) using Excel, while other users leveraged ChatGPT or other OpenAI tools to craft phishing lures, gather intelligence about organizational workflows to conduct fraud, and distribute phishing messages designed to harvest credentials and take control of victims' accounts.

    The end goal of these attacks was to mount highly convincing BEC scams, permitting the threat actors to inject themselves into legitimate email conversations with suppliers and issue fraudulent invoices that tricked targets into transferring funds to a mule account under the actors' control.

    Despite the Terms of Service prohibiting customers from using RedVDS for sending phishing emails, distributing malware, transferring illegal content, scanning systems for security vulnerabilities, or engaging in denial-of-service (DoS) attacks, threat actors continued to use the service. Microsoft identified that most of the hosts were created using a single computer ID, signifying that the same Windows Eval 2022 license was used to create these hosts.

    By using the stolen license to build its images, Storm-2470 could offer its services at a substantially lower cost, which made RedVDS attractive for threat actors to purchase.
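The shared computer name reported above, and the single-image cloning that produced it, are exactly the kind of artifact a defender can hunt for in logon telemetry: a legitimate fleet almost never presents one workstation name from many unrelated source addresses. The script below is an added example, not part of the original article and not Microsoft's tooling. It runs over constructed, simplified logon records (the field names are stand-ins for the Windows Security Event 4624 fields Workstation Name, Source Network Address, Account Name and Logon Type) and flags both an exact match on the WIN-BUNS25TD77J indicator from the article and the more general clone fingerprint of one workstation name arriving from several distinct IPs; the threshold is an assumption to be tuned per environment.

```python
"""Hunt logon telemetry for cloned RedVDS-style hosts.

Added example; not from the original article or any vendor product.
Input records are constructed and use simplified field names standing in
for Windows Security Event 4624: workstation (Workstation Name),
ip (Source Network Address), user (Account Name), logon_type (Logon Type,
where 3 = Network and 10 = RemoteInteractive).
"""
from collections import defaultdict
import json

# Indicator taken from the article: every identified RedVDS instance used it.
REDVDS_COMPUTER_NAME = "WIN-BUNS25TD77J"

# Assumption: how many distinct source IPs one workstation name must appear
# from before it is treated as a clone fingerprint. Tune per environment.
CLONE_IP_THRESHOLD = 3

# Constructed sample records, not real telemetry. One line is deliberately
# malformed to show that a bad record is skipped rather than aborting the run.
SAMPLE_LOGONS = [
    '{"ts":"2026-01-10T08:01:02Z","workstation":"WIN-BUNS25TD77J","ip":"203.0.113.10","user":"jdoe","logon_type":3}',
    '{"ts":"2026-01-10T08:03:11Z","workstation":"WIN-BUNS25TD77J","ip":"198.51.100.7","user":"finance-ap","logon_type":3}',
    '{"ts":"2026-01-10T08:05:40Z","workstation":"win-buns25td77j","ip":"192.0.2.55","user":"jdoe","logon_type":10}',
    '{"ts":"2026-01-10T08:06:00Z","workstation":"LAPTOP-ACCT01","ip":"10.0.4.21","user":"asmith","logon_type":10}',
    '{"ts":"2026-01-10T08:07:30Z","workstation":"DESKTOP-9K2P","ip":"10.0.4.22","user":"bwong","logon_type":3}',
    '{"ts":"2026-01-10T08:09:15Z","workstation":"SRV-BUILD-01","ip":"10.0.9.3","user":"svc_build","logon_type":3}',
    '{"ts":"2026-01-10T08:10:00Z","workstation":"SRV-BUILD-01","ip":"10.0.9.3","user":"svc_build","logon_type":3}',
    'this line is not JSON and must be skipped',
    '{"ts":"2026-01-10T08:12:45Z","workstation":"CLONE-TEST","ip":"203.0.113.21","user":"hr-payroll","logon_type":3}',
    '{"ts":"2026-01-10T08:13:02Z","workstation":"CLONE-TEST","ip":"203.0.113.22","user":"hr-payroll","logon_type":3}',
    '{"ts":"2026-01-10T08:13:40Z","workstation":"CLONE-TEST","ip":"203.0.113.23","user":"hr-payroll","logon_type":3}',
]


def parse_logons(lines):
    """Parse JSON logon records; skip lines that are not well-formed or lack the needed fields."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and {"workstation", "ip", "user"}.issubset(rec):
            records.append(rec)
    return records


def match_known_indicator(records, name=REDVDS_COMPUTER_NAME):
    """Records whose client workstation name equals the published indicator.

    NetBIOS computer names are not case-sensitive, so compare in upper case.
    """
    return [r for r in records if r["workstation"].upper() == name.upper()]


def find_cloned_workstations(records, min_ips=CLONE_IP_THRESHOLD):
    """Map workstation name -> sorted source IPs for names seen from >= min_ips distinct IPs.

    A single cloned master image yields one name across many addresses; an
    individually built workstation normally maps to one or two addresses.
    """
    ips_by_name = defaultdict(set)
    for r in records:
        ips_by_name[r["workstation"].upper()].add(r["ip"])
    return {n: sorted(ips) for n, ips in ips_by_name.items() if len(ips) >= min_ips}


def triage(lines):
    """Run both checks and return the findings as plain data for a SIEM or report."""
    records = parse_logons(lines)
    return {
        "known_indicator_hits": [(r["ip"], r["user"]) for r in match_known_indicator(records)],
        "clone_candidates": find_cloned_workstations(records),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOGONS)
    for ip, user in result["known_indicator_hits"]:
        print(f"KNOWN REDVDS HOSTNAME: {ip} -> account {user}")
    for name, ips in result["clone_candidates"].items():
        print(f"CLONE FINGERPRINT: {name} seen from {len(ips)} IPs: {', '.join(ips)}")
```

The exact-match check is only useful until the operator rebuilds the master image under a new name; the distinct-IP heuristic survives that change, which is why the two are kept separate and the second reports every qualifying name rather than just the known one.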

    An automated process copied the master virtual machine (VM) image onto a new host every time a server was ordered and paid for in cryptocurrency.

    Once provisioned, these cloned Windows hosts gave actors a ready-made platform to research targets, stage phishing infrastructure, steal credentials, hijack mailboxes, and execute impersonation-based financial fraud with minimal friction.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Microsoft-Takes-Down-RedVDS-A-Sophisticated-Cybercrime-Infrastructure-Disrupted-ehn.shtml
  • https://thehackernews.com/2026/01/microsoft-legal-action-disrupts-redvds.html
  • https://blogs.microsoft.com/on-the-issues/2026/01/14/microsoft-disrupts-cybercrime/
  • https://www.theglobeandmail.com/business/article-microsoft-seizes-domains-of-online-service-allegedly-fuelling/


    Published: Thu Jan 15 03:53:35 2026 by llama3.2 3B Q4_K_M