By 2020, security experts were openly acknowledging that tools like "RDP Brute (Coded by z668)" had become commodity items in a thriving cybercrime service economy. John Fokker, head of cyber investigations at McAfee Advanced Threat Research, noted that these tools were part of a broader "adjacent services that form that whole chain to commit cybercrime." Liv Rowley, a threat intelligence analyst at Blueliv, added that the barrier to entry had dropped dramatically: "You can buy some of the top-named information stealers right now for $85... so it's definitely becoming a more accessible market."
Threat actors use the z668 tool and its successors to conduct massive, automated attacks on public-facing cloud infrastructure.
The tool gained notoriety in the mid-2010s when cybersecurity firms linked its output logs directly to initial-access campaigns for the family. In those campaigns, threat actors deployed the z668 utility to locate vulnerable machines, crack the administrator credentials, and establish a beachhead.
Using scanners like Masscan, they identify active IP addresses with port 3389 (the default RDP port) open to the internet.
While the original z668 tool may have faded from prominence, the techniques it popularized have been adopted, refined, and scaled by ransomware gangs, nation-state actors, and hacktivist groups. The underground economy has evolved into a sophisticated marketplace where access to RDP brute-force tools is cheap and widely available.
It has been observed in the wild with command-line arguments like /install and /uninstall to manage persistent services (e.g., FileService) on compromised machines.
Track Windows Security Event Logs for Event ID 4625 (An account failed to log on) and Event ID 4624 (Successful logon), paying close attention to Logon Type 10 (RemoteInteractive, i.e. RDP). A high volume of Event ID 4625 from a single external IP signals an active brute-force campaign.
4. Implement IP Whitelisting and Rate Limiting
If RDP must be exposed to the internet for legacy reasons:
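The 4625/4624 monitoring described above, as an added detection example that is not part of the original page: it runs a sliding-window count of RDP (Logon Type 10) failures per external source over constructed sample event records (the field names mirror the Security log's EventData, the IPs and timestamps are made up) and then flags any successful Logon Type 10 from an alerting IP as a probable compromised password.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: failures from inside the network are triaged by a separate rule, not this one.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _event(event_id, logon_type, ip, user, minute):
    # Constructed record carrying only the Security log fields this rule needs.
    return {"EventID": event_id, "LogonType": logon_type, "IpAddress": ip,
            "TargetUserName": user, "TimeCreated": f"2025-01-10T02:{minute:02d}:00"}

# Constructed sample: one external host hammering the administrator account, one external host
# with a few mistyped passwords, an internal host (excluded), a non-RDP logon type, and one success.
SAMPLE_EVENTS = (
    [_event(4625, 10, "203.0.113.7", "administrator", m // 3) for m in range(25)]
    + [_event(4625, 10, "198.51.100.9", "jsmith", m) for m in range(3)]
    + [_event(4625, 10, "10.0.0.5", "jsmith", m) for m in range(30)]
    + [_event(4625, 3, "203.0.113.7", "svc_backup", 5)]
    + [_event(4624, 10, "203.0.113.7", "administrator", 12)]
)

def detect_rdp_bruteforce(events, threshold=20, window_minutes=15):
    """External IP -> peak count of RDP (Logon Type 10) 4625 events inside any window, if >= threshold."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] != 4625 or int(e["LogonType"]) != 10:
            continue
        try:
            ip = ip_address(e["IpAddress"])
        except ValueError:          # "-" is logged when no network address is available
            continue
        if any(ip in net for net in INTERNAL_NETS):
            continue
        failures[str(ip)].append(datetime.fromisoformat(e["TimeCreated"]))
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):      # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts

def successes_after_bruteforce(events, alerts):
    """A 4624 / Logon Type 10 from an alerting IP means a password was guessed: escalate."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4624 and int(e["LogonType"]) == 10 and e["IpAddress"] in alerts]
```

Tune `threshold` and `window_minutes` to the lockout policy in use; a burst that stays under the lockout count but persists for hours is the signature of a throttled brute-force engine and needs a longer window.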
Testing customized wordlists containing common passwords (e.g., Password123, Admin2025!, Welcome1).
The emergence of updated brute-force variants like "RDP Brute Z668 New" underscores the reality that threat actors continuously refine their automated toolkits. However, these tools still rely entirely on basic configuration flaws: exposed ports and weak, single-factor credentials. By implementing strict access controls, enforcing MFA, and removing RDP endpoints from the public eye, organizations can render these automated scanning engines completely ineffective.
Configure Group Policy Objects (GPO) to temporarily lock accounts after a consecutive number of failed login attempts (e.g., 5 attempts within a 15-minute window). This severely limits the speed and viability of brute-force engines.
Modify Default Configurations