
Legitimate scripts usually reside in protected admin folders. If you find rdp.txt in %TEMP% or C:\Users\Public\, it is likely malicious.

Generally, RDP.txt is used as a flat-file database to store lists of IP addresses or hostnames for Remote Desktop Protocol (RDP) management. However, its purpose changes drastically depending on who created it:

Use EDR (Endpoint Detection and Response) tools to alert you whenever a process creates a .txt file containing IP addresses or login strings.
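The folder check and the content check described above, combined into one triage function. This is an added example, not code from the original page; the `triage` name, the severity labels, the expanded Temp paths, the "login string" heuristic and the sample files are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: %TEMP% (named on the page) commonly expands to the Temp paths below.
STAGING = [re.compile(p, re.I) for p in (
    r"^c:\\users\\public(\\|$)",
    r"^c:\\users\\[^\\]+\\appdata\\local\\temp(\\|$)",
    r"^c:\\windows\\temp(\\|$)",
)]
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = re.compile(rf"\b(?:{OCTET}\.){{3}}{OCTET}\b")
# Heuristic "login string": an IP, optional :port, then two more fields.
LOGIN = re.compile(IPV4.pattern + r"(?::\d{1,5})?[;:,|\s@]+\S+[;:,|\s]+\S+")

def triage(path, text):
    """Classify one file from its Windows path and text content."""
    norm = ntpath.normpath(path)
    name = ntpath.basename(norm).lower()
    if not name.endswith(".txt"):
        return "ignore", []
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    ip_lines = [l for l in lines if IPV4.search(l)]
    reasons = []
    if any(p.search(norm) for p in STAGING):
        reasons.append("staging-path")
    if name == "rdp.txt":
        reasons.append("name-rdp.txt")
    # Mostly an IP list: at least three entries and half of all lines.
    if len(ip_lines) >= 3 and len(ip_lines) * 2 >= len(lines):
        reasons.append("ip-list")
    if any(LOGIN.search(l) for l in ip_lines):
        reasons.append("login-strings")
    if "staging-path" in reasons and len(reasons) > 1:
        return "high", reasons      # user-writable folder plus any other signal
    if "login-strings" in reasons:
        return "medium", reasons    # plaintext credentials anywhere
    if "ip-list" in reasons:
        return "low", reasons       # host inventory outside staging folders
    return "ignore", reasons

# Constructed samples: documentation-range addresses, made-up credentials.
SAMPLES = [
    (r"C:\Users\Public\rdp.txt", "203.0.113.10:3389;administrator;ExamplePass1\n"),
    (r"C:\Users\alice\AppData\Local\Temp\out.txt", "203.0.113.10\n203.0.113.11\n198.51.100.7\n"),
    (r"D:\Admin\Scripts\RDP.txt", "192.0.2.10 fs01\n192.0.2.11 print01\n192.0.2.12 dc01\n"),
    (r"C:\Users\Public\readme.txt", "Shared folder for scanned documents.\n"),
]
if __name__ == "__main__":
    for p, t in SAMPLES:
        print(p, *triage(p, t))
```

The admin-folder inventory in the third sample scores "low" rather than "high", which matches the distinction the page draws between protected admin folders and user-writable ones.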

In many documented attacks, an RDP.txt file found on a desktop or in a staging folder is a "smoking gun" indicating that:

Criminal groups, including the notorious collective, utilize automated scanners to find open RDP ports. These scanners often output their "hits"—the IP addresses of vulnerable servers—into text files for later exploitation. (Akamai Blog)

The Danger of RDP.txt: Is Your Network Secretly Logged?

In the world of cybersecurity, the most dangerous files aren't always complex malware; sometimes, they are simple text files. If you've recently spotted a file named RDP.txt on a server or within a suspicious directory, it's time to pay attention. This seemingly harmless filename is frequently associated with both legitimate administrative scripts and, more alarmingly, malicious credential theft.

What exactly is RDP.txt?