Cybercriminals Used $40 Million Fraud Empire Built on Cloned Windows Servers

RedVDS operation fueled a global fraud ring using identical cloned servers. Microsoft disrupts infrastructure behind BEC attacks.

RedVDS Marketplace

A single virtual server provider enabled cybercriminals to steal roughly $40 million from U.S. victims alone since March 2025, according to a Microsoft Threat Intelligence investigation that exposed how one operator's cloned Windows infrastructure became the backbone of worldwide fraud operations.

RedVDS, tracked by Microsoft as Storm-2470, operated a deceptively simple scheme: creating thousands of identical Windows Server 2022 instances from a single stolen license, then renting them to cybercriminals for cryptocurrency. 

Every server shared the same computer name—WIN-BUNS25TD77J—leaving a digital fingerprint that ultimately helped researchers connect disparate attacks across continents.

The Infrastructure Behind the Chaos

What made RedVDS particularly dangerous wasn't sophisticated technology, but accessibility. For nominal Bitcoin payments, criminals received fully functional Windows servers with administrator access and no usage restrictions. The operator used QEMU virtualization to rapidly clone servers on demand, spinning up fresh hosts within minutes across hosting providers in six countries.

RedVDS tool infrastructure | Image: Microsoft

Microsoft's investigation revealed that cybercriminals turned these permissive servers into fully functional attack platforms. Researchers found mass-mailing tools like SuperMailer and SquadMailer, email-harvesting software, VPN clients for anonymity, and even ChatGPT integration to craft convincing phishing lures in multiple languages.

The attack chain was devastatingly effective: criminals researched targets, deployed phishing infrastructure, stole credentials, hijacked email threads, and executed payment fraud—all from disposable RedVDS servers. Microsoft identified over 3,700 homoglyph domains (lookalike websites) hosted on 7,300 RedVDS-linked IP addresses within just 30 days.

RedVDS attack chain | Image: Microsoft

Multiple threat actor groups, including Storm-0259, Storm-2227, and Storm-1575, leveraged the infrastructure to target legal, healthcare, manufacturing, and education sectors across North America, Europe, and Australia.

Protection Measures

Microsoft recommends organizations implement multi-factor authentication using phishing-resistant methods, enable Microsoft Defender for Office 365 with internal Safe Links policies, and conduct regular employee training on identifying spoofed domains and suspicious payment requests. The company's Digital Crimes Unit recently disrupted RedVDS operations in coordination with international law enforcement.

Security teams can detect RedVDS activity by monitoring for the distinctive WIN-BUNS25TD77J hostname in RDP certificates and system telemetry—the unchanging signature that exposed this massive criminal ecosystem.
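As an added illustration of the two detection opportunities this article describes (the shared WIN-BUNS25TD77J hostname and homoglyph lookalike domains), the following Python is example code written for this page, not Microsoft's or RedVDS's. The telemetry lines, the field names `cert_subject` and `workstation_name`, the IP addresses and the small confusable table are all constructed assumptions.

```python
import re
import unicodedata

# Hostname shared by every RedVDS clone, as reported by Microsoft.
REDVDS_HOSTNAME = "WIN-BUNS25TD77J"

# Constructed telemetry lines (not real logs): RDP TLS certificate subjects and logon records.
CONSTRUCTED_TELEMETRY = [
    "rdp_tls src=203.0.113.10 cert_subject=CN=WIN-BUNS25TD77J",
    "logon user=jdoe workstation_name=FINANCE-PC01",
    "rdp_tls src=198.51.100.7 cert_subject=CN=WIN-BUNS25TD77J",
    "logon user=svc_backup workstation_name=win-buns25td77j",
    "rdp_tls src=192.0.2.44 cert_subject=CN=CORP-TS01",
]

HOST_FIELD = re.compile(r"(?:cert_subject=CN=|workstation_name=)([^\s,]+)")


def find_redvds_hosts(lines):
    """Return telemetry lines whose RDP cert CN or workstation name is the RedVDS hostname."""
    hits = []
    for line in lines:
        m = HOST_FIELD.search(line)
        if m and m.group(1).upper() == REDVDS_HOSTNAME:  # clones keep the name case-insensitively
            hits.append(line)
    return hits


# Single-character confusables (assumption: a hand-picked subset, not the full Unicode table).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",  # digits that mimic letters
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic lookalikes
})


def skeleton(domain):
    """Collapse a domain so lookalikes compare equal: NFKD, strip accents, map confusables."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def is_homoglyph_of(candidate, trusted):
    """True when candidate differs from the trusted domain but collapses to the same skeleton."""
    return candidate.lower() != trusted.lower() and skeleton(candidate) == skeleton(trusted)


if __name__ == "__main__":
    for hit in find_redvds_hosts(CONSTRUCTED_TELEMETRY):
        print("RedVDS hostname seen:", hit)
    for d in ["examp1e.com", "exarnple.com", "\u0435xample.com", "example.com", "samples.com"]:
        print(d, "lookalike of example.com:", is_homoglyph_of(d, "example.com"))
```

The skeleton comparison is deliberately rough; a production check should use the full Unicode confusables data and run against the organisation's own domains and those of its regular payment counterparties.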
