NLBrute RDP Brute-forcing Tool and Controlled Botnet for Sale

A post on a cybercrime forum is advertising NLBrute RDP brute-forcing tool that runs on NLBrute 1.2 and a controlled botnet
Updated on
April 19, 2023
Published on
August 10, 2021
Subscribe to the latest industry news, threats and resources.
Category Adversary Intelligence
Affected Industries Multiple
Affected Region Global

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a cybercrime forum, advertising NLBrute RDP brute-forcing tool that runs on NLBrute 1.2 and a controlled botnet.
  • The NLBrute tool, as mentioned above, is designed to distribute the process of brute-forcing RDP credentials to a controlled botnet of targeted IP addresses that have open RDP ports from across different countries. 
  • CloudSEK's Threat Intelligence Research team is in the process of validating the post.
[caption id="attachment_17650" align="aligncenter" width="589"]Threat actor’s post on the cybercrime forum Threat actor’s post on the cybercrime forum[/caption]


The NLBrute RDP brute-forcing tool is used to distribute the workload of finding more valid credentials of RDP accesses. Threat actors use this tool to make more efficient and faster searches on multiple devices using bots instead of running the NLBrute tool on one device. The alleged capabilities of this tool is based on NLBrute v1.2. The tool is used to brute-force RDP credentials, which requires three files to run:
  • A list of IP addresses that have open RDP port 3389
  • A wordlist of passwords
  • A list of username
NLBrute 1.2 [caption id="attachment_17652" align="aligncenter" width="261"]NLBrute 1.2 NLBrute 1.2[/caption] The threat actor has also shared more screenshots that illustrate how the tool operates. The screenshots have been added to the report in the Appendix section.

Impact & Mitigation

Impact Mitigation
This tool enables threat actors to find potential open RDP ports that allow them to compromise more devices by brute-forcing RDP credentials. Valid RDP credentials can allow actors to:
  • Gain RDP access to the compromised device.
  • Escalate privileges.
  • Lateral movement within the network environment.
  • Deploy different types of malwares including, but not limited to, ransomware.
  • Use the compromised device as a bot to infect other machines.
  • Use strong passwords.
  • Enable multi-factor authentication for all online accounts.
  • Don’t share OTPs with third-parties.
  • Review online accounts and financial statements periodically.
  • Regularly update all the softwares and apps to the latest patches.
  • Close unused ports of RDP.
  • Use up-to-date end-point prevention and detection tools.


[caption id="attachment_17653" align="aligncenter" width="571"]List of controlled bots List of controlled bots[/caption] [caption id="attachment_17654" align="aligncenter" width="561"]Running NLBrute tool on the selected bots Running NLBrute tool on the selected bots[/caption] [caption id="attachment_17655" align="aligncenter" width="558"]Controlling the file structure for NLBrute for each client task Controlling the file structure for NLBrute for each client task[/caption] [caption id="attachment_17656" align="aligncenter" width="560"]Selecting and running the brute-force task Selecting and running the brute-force task[/caption] [caption id="attachment_17657" align="aligncenter" width="558"]Showing the result of brute-force credentials Showing the result of brute-force credentials[/caption]

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations