Microsoft Disrupts Cybercrime Infrastructure Linked to Online Fraud

  • Jan 15

Key Findings


  • Microsoft, in collaboration with law enforcement authorities, has taken coordinated legal action to disrupt the cybercrime subscription service called RedVDS, which has allegedly fueled millions in fraud losses.

  • RedVDS provided criminals with access to disposable virtual computers running unlicensed software, enabling them to operate anonymously and carry out various illicit activities, including phishing, business email compromise (BEC), and financial fraud.

  • Since September 2025, attacks fueled by RedVDS have led to the compromise or fraudulent access of more than 191,000 organizations worldwide, underscoring the prolific reach of the service.

  • The infrastructure was used to host a toolkit comprising both malicious and dual-use software, including email tools, address harvesters, and privacy/OPSEC tools, enabling cybercriminals to conduct their operations efficiently.


Background


RedVDS was advertised as an online subscription service that provided cheap and disposable virtual computers running unlicensed software, including Windows, to empower and enable criminals to operate anonymously and conduct various types of fraud. The service, first founded in 2017, was launched in 2019 and operated on Discord, ICQ, and Telegram.


RedVDS Attack Chain


  • RedVDS was frequently paired with generative AI tools that helped identify high-value targets faster and generate more realistic multimedia email threads that mimic legitimate correspondence.

  • Attackers further augmented their deception by leveraging face-swapping, video manipulation, and voice cloning AI tools to impersonate individuals and deceive victims.

  • The infrastructure was specifically used to host a toolkit comprising both malicious and dual-use software, including mass spam/phishing email tools, email address harvesters, and privacy/OPSEC tools.

  • One threat actor is said to have used the provisioned hosts to programmatically (and unsuccessfully) send emails via Microsoft Power Automate (Flow) using Excel, while other RedVDS users leveraged ChatGPT or other OpenAI tools to craft phishing lures, gather intelligence about organizational workflows to conduct fraud, and distribute phishing campaigns.


Cybercrime Groups Leveraging RedVDS


  • Microsoft is tracking the developer and maintainer of RedVDS under the moniker Storm-2470.

  • At least five additional cybercrime groups and cybercriminals who used the RaccoonO365 phishing service prior to its takedown in October were also using RedVDS infrastructure.

  • These threat actors, including Storm-2227, Storm-1575, and Storm-1747, targeted multiple sectors, such as legal, construction, manufacturing, real estate, healthcare, and education, in the U.S., Canada, U.K., France, Germany, Australia, and countries with substantial banking infrastructure.


Disruption and Seizure of RedVDS Infrastructure


  • Microsoft, in collaboration with Europol and authorities in Germany, was able to seize the infrastructure used to run RedVDS and take the illicit service offline.

  • This coordinated action disrupted RedVDS's operations and included the seizure of two domains that hosted the RedVDS service.

  • Victims, including Alabama-based H2 Pharma and Florida-based Gatehouse Dock Condominium Association, are joining Microsoft as co-plaintiffs in the civil action against the cybercrime service.


Sources


  • https://thehackernews.com/2026/01/microsoft-legal-action-disrupts-redvds.html

  • https://cyberscoop.com/microsoft-seizes-disrupts-redvds-cybercrime-marketplace/

© 2025 by Explain IT Again. Powered and secured by Wix