Analysis of Attack Techniques and Cases Using RDP

2022-10-12 Ahnlab Analysis of attack techniques and cases using RDP

https://asec.ahnlab.com/ko/39804/

AhnLab explains how attackers use Windows Remote Desktop Protocol for initial access, lateral movement, and persistence after obtaining credentials or enabling remote desktop services. The report cites ransomware and APT cases where attackers used RDP directly, opened firewall rules, enabled the service with scripts, or tunneled RDP through tools such as Plink after compromising servers. It also describes RDP Wrapper abuse, including Kimsuky deployments on AppleSeed-infected systems, and cases where attackers create new local accounts for persistent access. The report frames RDP monitoring, credential hygiene, and remote-access hardening as core controls against enterprise compromise.

Indicators of Compromise

Type   Value                             First Seen   Last Seen
HASH   81ee91290a78d2d38b47a7ae25ec717f  2022-10-12   2022-10-12
HASH   b500a8ffd4907a1dfda985683f1de1df  2022-10-12   2022-10-12
HASH   185bc3037314ec2dbd6591ad72cf08b4  2022-10-12   2022-10-12
IPv4   80.66.76.22                       2022-10-12   2022-10-12
