Security researchers have discovered an ongoing botnet campaign that is currently brute-forcing more than 1.5 million publicly accessible Windows RDP servers on the Internet. The campaign, discovered by Renato Marinho at Morphus Labs, works as shown in the illustrated image. Each infected machine receives its first task to scan and report back a list of at least 80 publicly accessible new servers that can be brute-forced. Attackers then assign each infected machine with a unique set of username and password combination as its second task, forcing them to attempt it against the list of RDP targets.
Source: https://thehackernews.com/2019/06/windows-rdp-brute-force.html