New RDStealer malware steals from drives shared over Remote Desktop (Security News, June 2023)

A cyberespionage and hacking campaign tracked as 'RedClouds' uses the custom 'RDStealer' malware to automatically steal data from drives shared through Remote Desktop connections.
The Remote Desktop Protocol is a proprietary Microsoft protocol that allows users to remotely connect to Windows desktops and use them as if they were in front of the computer.
The Remote Desktop Protocol includes a feature called 'device redirection,' which lets you connect your local drives, printers, the Windows clipboard, ports, and other devices to the remote host, where they are then accessible from within your remote desktop sessions.
If the local C: drive was shared via device redirection, it would be accessible as the '\\tsclient\C' share in the RDP session, which can then be used to access locally stored files from the remote Windows desktop.
The threat actors infect remote desktop servers with a custom RDStealer malware that takes advantage of this device redirection feature.
Upon activation, RDStealer enters an infinite loop of calling the "DiskMounted" function, which checks for the availability of the C, D, E, F, G, or H drives on the tsclient network shares.
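As an added defender-side illustration (not code from the article or from the malware itself): a small Python heuristic over constructed file-access records that flags any process touching the bare root of several distinct \\tsclient\<letter> shares, which is the enumeration pattern the DiskMounted loop described above would leave behind. The record format and the process names are invented for this example.

```python
import re
from collections import defaultdict

# Matches a redirected client-drive path such as \\tsclient\C or \\tsclient\C\Users\...
# Group 1 is the drive letter, group 2 the (possibly absent) sub-path below the share.
TSCLIENT_RE = re.compile(r"^\\\\tsclient\\([a-z])(\\.*)?$", re.IGNORECASE)

# Constructed sample records of the form "<timestamp> <process> <path>".
# Not real telemetry; the process names are invented for this example.
SAMPLE_EVENTS = [
    r"2023-06-20T10:00:00 explorer.exe \\tsclient\C\Users\alice\report.docx",
    r"2023-06-20T10:00:10 updater.exe \\tsclient\C",
    r"2023-06-20T10:00:10 updater.exe \\tsclient\D",
    r"2023-06-20T10:00:10 updater.exe \\tsclient\E",
    r"2023-06-20T10:00:10 updater.exe \\tsclient\F",
    r"2023-06-20T10:00:10 updater.exe \\tsclient\G",
    r"2023-06-20T10:00:10 updater.exe \\tsclient\H",
    r"2023-06-20T10:00:15 updater.exe \\tsclient\C",
    r"2023-06-20T10:00:15 updater.exe \\tsclient\D",
    r"2023-06-20T10:00:20 notepad.exe C:\Windows\Temp\notes.txt",
]

def parse_event(line):
    """Split one record into (timestamp, process, path); None if malformed."""
    parts = line.split(" ", 2)
    return tuple(parts) if len(parts) == 3 else None

def find_share_probers(lines, min_letters=3):
    """Return {process: {"letters": [...], "probes": n}} for each process that
    touched the bare root of at least `min_letters` distinct tsclient shares.
    Opening a file under a share is normal use; probing share roots is enumeration."""
    root_probes = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        m = TSCLIENT_RE.match(ev[2]) if ev else None
        if m is None:
            continue
        subpath = (m.group(2) or "").strip("\\")
        if subpath == "":  # bare share root: a mount/existence check, not a file open
            root_probes[ev[1]].append(m.group(1).upper())
    return {
        proc: {"letters": sorted(set(letters)), "probes": len(letters)}
        for proc, letters in root_probes.items()
        if len(set(letters)) >= min_letters
    }

if __name__ == "__main__":
    for proc, info in find_share_probers(SAMPLE_EVENTS).items():
        print(f"{proc}: probed {info['probes']} times across drives {info['letters']}")
```

On the constructed sample, only updater.exe is reported: it probes six share roots (C through H) eight times, while explorer.exe opens a file under one share and notepad.exe never touches a redirected drive.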