Threat actors are exploiting legitimate Remote Monitoring and Management (RMM) tools as part of a sophisticated campaign distributing weaponized PDF files to unsuspecting users.
AhnLab Security Intelligence Center (ASEC) recently uncovered multiple attack chains utilizing Syncro, SuperOps, NinjaOne, and ScreenConnect tools commonly used by managed service providers and IT teams for legitimate system administration.
The discovery reveals that attackers have maintained this operational infrastructure since at least October 2025.
The attack campaign initiates through deceptive PDF documents distributed via email phishing. Files bearing innocent-sounding names such as “Invoice_Details.PDF,” “Defective_Product_Order.pdf,” and “Payment_error.pdf” serve as entry points into the infection chain.
When users open these documents, they encounter either a high-resolution image obscuring the actual PDF content or an error message stating “Failed to load PDF document,” prompting them to click embedded links.
The attack leverages sophisticated social engineering tactics. Some variants direct users to a fake Google Drive page masquerading as a video file named “Video_recorded_on_iPhone17.mp4.”
Others redirect to counterfeit Adobe download pages at “adobe-download-pdf[.]com.” These disguises persuade users that they are downloading a legitimate media file or PDF reader rather than an RMM installer.
Rather than distributing traditional malware, threat actors have adopted a living-off-the-land approach by weaponizing legitimate RMM solutions.
This strategy proves particularly effective because RMM tools are trusted by design: they are commonly allowlisted by security controls and operate transparently within enterprise environments.
Unlike conventional backdoors or Remote Access Trojans, these tools are unlikely to be flagged by security products that rely on malware signatures and behavioral analysis.

Syncro RMM serves as a primary vector in this campaign. ASEC identified malware samples digitally signed with valid certificates, distributed intensively throughout the second half of 2025.
Analysis of installation parameters revealed consistent “key” and “customer ID” values across multiple samples, suggesting coordinated campaign activity by the same threat actor group.
Similar exploitation patterns affect SuperOps, NinjaOne, and ScreenConnect, the last of which has also been used by major ransomware operators including the ALPHV/BlackCat and Hive gangs.
Technical Infrastructure
The attack infrastructure includes not only RMM installers but also secondary downloaders developed with NSIS scripting.
These downloaders contain embedded commands to fetch additional payloads, with infrastructure previously linked to NinjaOne distribution.

The malicious scripts contain NinjaOne-specific keywords, indicating that attackers maintained persistent control over multiple distribution channels.
The certificate analysis reveals coordinated activity spanning from October 2025 through the present, with identical signing credentials used across diverse malware samples targeting multiple RMM platforms.
This suggests either a single threat actor group possessing deep knowledge of enterprise tool ecosystems or a coordinated campaign by various actors sharing infrastructure.
Organizations must implement multi-layered defenses against this threat vector. Email filtering should identify and quarantine suspicious PDF attachments, particularly those with financial, order, or payment-related naming conventions.
Security awareness training should emphasize the risks of opening attachments from unknown senders and verifying sender legitimacy before interaction.
Technical controls should include keeping operating systems and security software fully updated, turning off unnecessary remote access tools, and monitoring RMM installation attempts.
Network-level controls monitoring for suspicious RMM tool downloads and installations provide additional detection layers.
Organizations should also implement application whitelisting to prevent unauthorized RMM installations and require users to validate downloads through official vendor channels only.
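The two observations above that a defender can act on are that the installers arrive through browser downloads rather than through an IT deployment channel, and that the same enrolment values recur across samples. The following added example, which is not from the ASEC report or from any RMM vendor, turns both into detection logic run over constructed process-creation log lines. The product names are the ones named in the article; every path, user name, parameter switch (`--key`, `--customerid`) and value below is constructed for illustration, and real RMM installers use vendor-specific switches that you would substitute here.

```python
import re
from collections import defaultdict

# Constructed sample log lines: "timestamp|user|parent image|image|command line".
# Paths, users, switches and values are invented for this example.
SAMPLE_LOGS = [
    r"2025-11-03T09:12:41|alice|C:\Program Files\Google\Chrome\chrome.exe|C:\Users\alice\Downloads\Video_recorded_on_iPhone17.exe|Video_recorded_on_iPhone17.exe --key EXAMPLE-KEY-0001 --customerid 4242",
    r"2025-11-03T10:05:02|bob|C:\Windows\explorer.exe|C:\Users\bob\Downloads\AdobeReaderSetup.exe|AdobeReaderSetup.exe /key=EXAMPLE-KEY-0001 /customerid=4242",
    r"2025-11-04T14:22:10|SYSTEM|C:\Windows\System32\services.exe|C:\Program Files\NinjaRMMAgent\NinjaRMMAgent.exe|NinjaRMMAgent.exe",
    r"2025-11-05T08:00:00|carol|C:\Windows\explorer.exe|C:\Users\carol\AppData\Local\Temp\ScreenConnect.Client.exe|ScreenConnect.Client.exe ?e=Access&y=Guest",
]

# Product names from the article; match against image path and command line.
RMM_KEYWORDS = ("syncro", "superops", "ninja", "screenconnect")
# Locations an interactive user can write to; sanctioned deployments land elsewhere.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
# Parents that mean "a person clicked something", not "the deployment service ran it".
USER_LAUNCHERS = ("chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe", "outlook.exe")
# Constructed pattern for enrolment-style switches; real switch names vary per product.
PARAM_RE = re.compile(r"(?i)[-/]{1,2}(key|customerid)[= ]([\w-]+)")


def parse_line(line):
    ts, user, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "user": user, "parent": parent, "image": image, "cmdline": cmdline}


def enrolment_params(cmdline):
    """Extract key/customer-id style values so samples can be grouped by tenant."""
    return {k.lower(): v for k, v in PARAM_RE.findall(cmdline)}


def classify(event):
    """Return the reasons an event looks like an unsanctioned RMM install (empty = benign)."""
    reasons = []
    image_l, parent_l, cmd_l = event["image"].lower(), event["parent"].lower(), event["cmdline"].lower()
    rmm_hit = any(k in image_l or k in cmd_l for k in RMM_KEYWORDS)
    params = enrolment_params(event["cmdline"])
    if not (rmm_hit or params):
        return reasons  # nothing RMM-like about this process
    if any(p in image_l for p in USER_WRITABLE):
        reasons.append("rmm binary run from user-writable path")
    if parent_l.rsplit("\\", 1)[-1] in USER_LAUNCHERS:
        reasons.append("launched by browser/shell, not a deployment service")
    if params and not rmm_hit:
        # A media- or reader-looking name carrying enrolment switches is the disguise case.
        reasons.append("enrolment parameters on a binary with no RMM vendor name")
    return reasons


def cluster_by_enrolment(events):
    """Group flagged installs by (key, customerid) to surface reuse across samples."""
    clusters = defaultdict(list)
    for ev in events:
        params = enrolment_params(ev["cmdline"])
        if "key" in params or "customerid" in params:
            clusters[(params.get("key"), params.get("customerid"))].append(ev["image"])
    return dict(clusters)


def analyze(lines):
    events = [parse_line(line) for line in lines]
    flagged = [(ev, classify(ev)) for ev in events]
    flagged = [(ev, reasons) for ev, reasons in flagged if reasons]
    clusters = cluster_by_enrolment([ev for ev, _ in flagged])
    return flagged, clusters


if __name__ == "__main__":
    flagged, clusters = analyze(SAMPLE_LOGS)
    for ev, reasons in flagged:
        print(f"{ev['ts']} {ev['user']:<6} {ev['image']}")
        for r in reasons:
            print(f"    - {r}")
    for (key, cid), images in clusters.items():
        print(f"enrolment key={key} customerid={cid} reused by {len(images)} installers")
```

The third sample line, an agent started by services.exe from Program Files, produces no reasons and is left alone; that is the allowlisting case the last paragraph describes, where a sanctioned deployment path is known and everything else is flagged. The clustering step is what lets an analyst see that two differently named downloads enrol into the same tenant, which is the signal ASEC used to tie the samples to one campaign.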
