Hackers Leveraging RMM Tools To Maintain Persistence To Infiltrate And Move Through Networks

Cybersecurity experts have identified a persistent trend of threat actors exploiting legitimate remote monitoring and management (RMM) software to infiltrate networks, maintain access, and facilitate lateral movement.
These legitimate tools, which are typically used by IT administrators for system maintenance and support, provide attackers with powerful capabilities that often evade traditional security measures due to their trusted status within enterprise environments.
Common RMM applications being leveraged in these attacks include AnyDesk, TeamViewer, ScreenConnect, Quick Assist, and Splashtop. These tools are widely deployed across organizations for legitimate purposes such as system updates, asset management, software deployment, and endpoint troubleshooting, making malicious usage difficult to detect.
Intel471 analysts identified that attackers frequently gain initial access to RMM software by compromising user credentials through social engineering tactics or by exploiting vulnerabilities in outdated software.
In some cases, attackers take proactive steps to preserve illicit access by creating additional accounts within the RMM platform to maintain persistence even if compromised credentials are reset.
A particularly concerning tactic involves threat actors posing as IT support personnel.
In one documented case, attackers flooded an employee’s inbox with spam, then called the victim while impersonating internal IT support, offering to install “antispam software.”
The unsuspecting employee was persuaded to install remote access software like AnyDesk, providing attackers with direct system access.
The notorious Black Basta ransomware group, which emerged in April 2022 and became the third most impactful ransomware operation that year, has been particularly adept at leveraging this technique.
According to leaked chat messages from February 2025, the Russian-speaking cybercrime group has regularly used RMM tools as a key component of their attack chain.
Threat Hunting for Malicious RMM Usage
Security teams can detect suspicious RMM deployments by identifying executions from abnormal locations in the file system.
The hunting query matches process creation events whose image name contains "AnyDesk.exe" and excludes the paths where a legitimate install is expected, such as the AppData, Downloads, and Program Files directories.
When executed against Sysmon logs, this query can reveal instances where attackers have hidden RMM tools in unusual locations like the Public Music directory.
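The following is an added example, not code from the article or from Intel471, that reproduces the hunt described above in Python over a handful of constructed Sysmon-style records (the sample events, user names, and IP addresses are made up for illustration). It flags AnyDesk.exe process creations (Event ID 1) outside the expected directories and then pulls the network connections (Event ID 3) made by any flagged image, which is the follow-up the article recommends for spotting command-and-control traffic.

```python
"""Hunt for RMM binaries (AnyDesk by default) launched from unexpected paths.

Added example; not from the article or from Intel471. The sample records below
are constructed and reduced to the Sysmon fields the hunt actually uses.
"""
import ntpath
import re

# Directories where an interactive or packaged AnyDesk install is expected.
# Mirrors the exclusions described in the text; matched case-insensitively
# against a Windows path, so "\AppData\", "\Downloads\", "\Program Files\"
# and "\Program Files (x86)\" are all treated as expected.
EXPECTED_DIR_RE = re.compile(
    r"\\(appdata|downloads|program files( \(x86\))?)\\", re.IGNORECASE
)

# Constructed Sysmon records (not real telemetry). EventID 1 = process
# creation, EventID 3 = network connection.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "User": r"CORP\alice"},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Roaming\AnyDesk\AnyDesk.exe", "User": r"CORP\bob"},
    {"EventID": 1, "Image": r"C:\Users\carol\Downloads\AnyDesk.exe", "User": r"CORP\carol"},
    {"EventID": 1, "Image": r"C:\Users\Public\Music\AnyDesk.exe", "User": r"CORP\dave"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\svc\anydesk.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "User": r"CORP\dave"},
    {"EventID": 3, "Image": r"C:\Users\Public\Music\AnyDesk.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]


def is_rmm_from_unexpected_path(event, process_name="anydesk.exe"):
    """True for a process-creation event whose image file name contains
    process_name and whose directory is outside the expected locations."""
    if event.get("EventID") != 1:
        return False
    image = event.get("Image", "")
    # ntpath handles backslash-separated Windows paths on any host OS.
    if process_name not in ntpath.basename(image).lower():
        return False
    return EXPECTED_DIR_RE.search(image) is None


def hunt_unexpected_rmm(events, process_name="anydesk.exe"):
    """Return the process-creation events that the hunt flags."""
    return [e for e in events if is_rmm_from_unexpected_path(e, process_name)]


def network_connections_for(events, flagged):
    """Network-connection events (ID 3) originating from any flagged image,
    i.e. the candidate command-and-control traffic to review next."""
    images = {e["Image"].lower() for e in flagged}
    return [
        e for e in events
        if e.get("EventID") == 3 and e.get("Image", "").lower() in images
    ]


if __name__ == "__main__":
    hits = hunt_unexpected_rmm(SAMPLE_EVENTS)
    for h in hits:
        print(f"suspicious: {h['Image']} (user {h['User']})")
    for c in network_connections_for(SAMPLE_EVENTS, hits):
        print(f"  -> {c['Image']} connected to {c['DestinationIp']}:{c['DestinationPort']}")
```

Run against the constructed records, the hunt flags the copy in C:\Users\Public\Music and the one in C:\Windows\Temp, and attributes one outbound connection to the Public Music binary. Two caveats worth keeping in mind when deploying this logic: excluding Downloads also hides the social-engineering case the article itself describes, where the victim downloads and runs AnyDesk at the caller's request, so that exclusion is best replaced with a check against an inventory of approved installs; and a name-based match misses a renamed binary, so pairing the query with Sysmon's OriginalFileName field or file hashes makes it harder to evade.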
Intel471 recommends organizations implement strict application control policies and monitor network connections from RMM tools to identify potentially malicious command and control traffic.