Phishing Campaigns Exploit RMM Tools to Sustain Remote Access

Security researchers have documented a sophisticated phishing operation in which attackers deploy remote monitoring and management (RMM) tools—ITarian (formerly Comodo), PDQ Connect, SimpleHelp, and Atera—to gain persistent remote access to compromised systems.

By disguising malicious installers as legitimate browser updates, meeting or party invitations, and government forms, adversaries exploit users’ trust in commonly used IT administration software.

Security researchers at Red Canary Intelligence and threat hunters at Zscaler uncovered the RMM-based phishing by first establishing a strict allowlist of sanctioned remote administration tools and a baseline of normal behavior for each, then hunting for deviations.

Attackers have centered this campaign around four distinct social engineering lures. The fake browser update ploy redirects users from sports or medical-care themed websites to an overlay prompting a “Chrome update.”

Fake Google Chrome update.

Beneath the full-screen iframe lies injected JavaScript that fingerprints the browser, infers geolocation from language settings, and funnels interaction logs to command-and-control (C2) domains such as panelswp[.]com and dragonshop[.]cloud.

Once victims click the update button, they instead download the ITarian MSI installer signed by Comodo, which launches a malicious DicomPortable.exe and sideloads rogue Qt5Core.dll or sciter32.dll libraries to install HijackLoader or the DeerStealer infostealer.

Meeting invitations mimic Microsoft Teams or Zoom updates to drop PDQ Connect or Atera installers. Those payloads masquerade as legitimate meeting software with filenames like MicrosoftTeams.msi.

Attackers exploit Cloudflare R2 object storage—using URLs in the form pub-<32-character>.r2.dev—to host Atera installers, a classic living-off-trusted-services tactic.

Upon execution, the AteraAgent process is passed an IntegratorLogin parameter set to an adversary-controlled email account, which enrolls the host in an unauthorized Atera tenant from which the attackers can issue remote commands.

Party e-invite lures distribute MSI files labeled “Party Card Viewer” or “E-Invite,” deploying PDQ Connect or Atera via phishing emails.

SimpleHelp emerges through an einvite.exe payload from go-envitelabel[.]com and promptly installs ConnectWise’s ScreenConnect signed with a revoked certificate.

Government-form-themed pages impersonating IRS W-9s or Social Security statements deliver PDQ Connect or SimpleHelp installers, some of which chain to additional RMM tools through secondary executables.

Phishing domains include onlinebazar[.]us and statementsonlineviewer[.]com, often hosting fake IRS dashboards.

Establishing Persistence

Adversaries frequently deploy two RMM tools in rapid succession to ensure redundant access paths. The first tool deploys core remote access functionality; the second often executes credential theft or reconnaissance payloads.

Persistence is achieved by modifying registry Run keys to auto-launch renamed RMM binaries like RmmService.exe or DicomPortable.exe from non-standard directories.

Threat hunters use process analytics to identify malicious RMM use, for example by flagging processes named pdq-connect-agent.exe where PDQ Connect is not sanctioned, or by detecting AteraAgent.exe invocations that carry an “IntegratorLogin” string on the command line.

The stealth of these operations lies in their mimicry of legitimate IT operations. Endpoint activity appears as routine administrative tasks, while network connections to C2 domains blend with legitimate service traffic.

Data exfiltration.

Zscaler has also observed Telegram Bot API channels abused for exfiltration and C2 coordination, underscoring the creative misuse of trusted platforms.

Mitigations

Monitoring for newly installed RMM binaries in unexpected directories, unexpected command-line parameters, or MSI downloads from unrecognized domains can surface malicious activity early. Browser isolation and expanded network egress filtering—particularly for file downloads from Cloudflare R2 and other LOTS services—further curb exposure.
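As an added example (not code from the article, Red Canary, or Zscaler), the following Python routine applies the process and registry indicators described above to constructed telemetry: RMM binaries launched outside their sanctioned directory, AteraAgent enrolment with IntegratorLogin on the command line, and Run keys pointing at renamed RMM binaries. The Sysmon-style field names, the sanctioned Atera install path, and all sample paths, SIDs and addresses are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Sanctioned RMM tool and its expected install directory (assumed for this
# example; a real allowlist comes from the organisation's own baseline).
ALLOWLIST = {"ateraagent.exe": r"c:\program files\atera networks\ateraagent"}
# Binaries the article associates with the campaign when seen outside the allowlist.
WATCHED = {"ateraagent.exe", "pdq-connect-agent.exe", "rmmservice.exe", "dicomportable.exe"}
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

def triage_process(ev):
    """Reasons to flag one process-creation event (Sysmon-style fields assumed)."""
    image = PureWindowsPath(ev["Image"])
    name, parent = image.name.lower(), str(image.parent).lower()
    if name not in WATCHED:
        return []
    reasons = []
    if name not in ALLOWLIST:
        reasons.append(f"{name} is not an allowlisted RMM tool")
    elif parent != ALLOWLIST[name]:
        reasons.append(f"{name} launched from non-standard directory {image.parent}")
    if name == "ateraagent.exe" and "integratorlogin" in ev.get("CommandLine", "").lower():
        reasons.append("AteraAgent enrolment via IntegratorLogin on the command line")
    return reasons

def triage_registry(ev):
    """Flag Run/RunOnce values that auto-launch a watched binary."""
    target = PureWindowsPath(ev.get("Details", "").strip('"')).name.lower()
    if RUN_KEY.search(ev["TargetObject"]) and target in WATCHED:
        return [f"Run key {ev['TargetObject']} launches {target}"]
    return []

def triage(events):
    """Map event id -> reasons for every event that fires at least one rule."""
    hits = {}
    for ev in events:
        reasons = triage_registry(ev) if ev["Type"] == "registry" else triage_process(ev)
        if reasons:
            hits[ev["Id"]] = reasons
    return hits

# Constructed sample telemetry; paths, SIDs and the e-mail address are placeholders.
SAMPLE_EVENTS = [
    {"Id": 1, "Type": "process", "Image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe", "CommandLine": "AteraAgent.exe"},
    {"Id": 2, "Type": "process", "Image": r"C:\Users\victim\AppData\Local\Temp\AteraAgent.exe", "CommandLine": "AteraAgent.exe IntegratorLogin=attacker@example.invalid"},
    {"Id": 3, "Type": "process", "Image": r"C:\Users\victim\AppData\Roaming\Dicom\DicomPortable.exe", "CommandLine": "DicomPortable.exe"},
    {"Id": 4, "Type": "process", "Image": r"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe", "CommandLine": "pdq-connect-agent.exe"},
    {"Id": 5, "Type": "registry", "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "Details": r"C:\Users\victim\AppData\Roaming\svc\RmmService.exe"},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS).items():
        print(event_id, reasons)
```

Only event 1 (the sanctioned agent in its expected directory with no enrolment parameter) stays silent; the other four each produce at least one reason.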

The C2 domains included panelswp[.]com, dragonshop[.]cloud, and abounour[.]com. Structurally they were almost identical and featured a WP-Panel login panel.

WP-Panel login page.

Investing in robust endpoint detection and response (EDR) sensors enhances visibility into process creations, file writes, and registry modifications indicative of RMM sideloading.

When that endpoint telemetry is combined with DNS and proxy logs that flag communications with anomalous or newly registered domains—especially on cheap TLDs like .pro, .shop, or .top—security teams can quarantine compromised hosts before lateral spread or ransomware deployment.

By understanding these phishing techniques and embedding precise detection analytics into security operations, defenders can turn the tables on adversaries who weaponize RMM tools for stealthy, persistent access.

Continuous threat hunting, validated allowlists, and layered network controls remain critical to disrupting these campaigns before remote administration frameworks become ransomware or data exfiltration gateways.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.