Threat Actors Weaponizing RMM Tools to Gain System Control and Exfiltrate Data

Adversaries are increasingly using Remote Monitoring and Management (RMM) tools as dual-purpose weapons for initial access and persistence.

These legitimate software solutions, typically employed by IT professionals for system administration, are being co-opted by threat actors to facilitate unauthorized remote control, data exfiltration, ransomware deployment, and proxy-based attacks.

A recent campaign observed in the wild exemplifies this trend: attackers deployed two RMM agents, Atera and Splashtop Streamer, within a single malicious payload, ensuring redundancy and resilience against detection.

This approach not only amplifies the attacker’s operational flexibility but also complicates incident response, as the removal of one RMM instance leaves the other intact for continued exploitation.

The attack chain begins with a compromised Microsoft 365 email account, exploiting trust in familiar platforms to distribute phishing lures disguised as innocuous file shares.

By impersonating OneDrive notifications, complete with branded icons and privacy footers, the email entices recipients to click a hyperlink ostensibly leading to a .docx file hosted on cdn.discordapp[.]com, a free content delivery network frequently abused for malware dissemination due to its high availability and low scrutiny.

Evolving Tactics in Malware Delivery

Upon interaction, the victim downloads a file whose extension has been subtly manipulated: .msi is appended to the expected .docx filename, evading casual inspection while initiating an attended installation of the Atera Agent.

This visible process is strategically paired with silent background installations of Splashtop Streamer and .NET Runtime 8, both sourced from legitimate domains to masquerade as benign network activity.

The attended installation requires user interaction, providing a veneer of legitimacy, while the unattended components establish persistent backdoors.

Once operational, these RMM tools grant attackers comprehensive system access, enabling keystroke logging, file transfers, and command execution without immediate indicators of compromise.

In this instance, the attack was intercepted prior to full payload deployment, leaving the ultimate intent—whether ransomware encryption, sensitive data theft, or lateral movement within a network—speculative.

However, the use of undisclosed recipient lists in the phishing email suggests a broad, opportunistic targeting strategy, potentially aimed at enterprises with lax email security postures.

[Figure: malicious email]

This tactic aligns with MITRE ATT&CK frameworks, specifically T1566 (Phishing) and T1219 (Remote Access Software), highlighting how adversaries blend social engineering with technical deception to bypass traditional defenses like email gateways and endpoint protection.

Advanced Detection

Detection of such sophisticated attacks relies on behavioral analytics and anomaly detection rather than signature-based methods, as the payloads leverage legitimate tools and hosts.

Key signals include file extension tampering, where the lured .docx resolves to an executable .msi, triggering automated execution upon download.

Impersonation of trusted services like OneDrive further raises red flags, as does the reliance on free file-hosting platforms for payload distribution, a technique observed in prior campaigns involving link-based malware like Agent Tesla.

An undisclosed recipient list deviates from how genuine file-sharing notifications are addressed, indicating mass distribution intent.

According to the report, AI-driven engines can correlate these indicators in real time, preventing installation by flagging discrepancies in email metadata, attachment metadata, and network flows.
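The four signals above can be correlated in a few lines of triage logic. The following is an added example, not code from the article or any vendor engine; the host and extension lists are illustrative assumptions, and the sample message is constructed to mirror the lure described above.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Illustrative lists (assumptions; extend from your own telemetry).
ABUSED_FILE_HOSTS = {"cdn.discordapp.com"}  # free CDN named in the article
ONEDRIVE_DOMAINS = {"1drv.ms", "onedrive.live.com", "sharepoint.com"}
EXECUTABLE_EXTS = {".msi", ".exe", ".scr", ".hta", ".js"}
DOCUMENT_EXTS = {".docx", ".xlsx", ".pdf"}


@dataclass
class MailEvent:
    sender: str
    to: list          # visible recipients; empty when "undisclosed recipients"
    subject: str
    link_text: str    # filename shown in the lure, e.g. "Invoice.docx"
    link_url: str     # real hyperlink target
    served_name: str  # filename the URL actually served (from proxy or sandbox)


def _ext(name: str) -> str:
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def triage(ev: MailEvent) -> list:
    """Return the article's indicators that this message triggers."""
    hits = []
    host = (urlparse(ev.link_url).hostname or "").lower()
    if not ev.to:
        hits.append("undisclosed_recipients")
    if host in ABUSED_FILE_HOSTS:
        hits.append("free_file_host:" + host)
    claims_onedrive = "onedrive" in (ev.subject + ev.link_text).lower()
    if claims_onedrive and not any(_under(host, d) for d in ONEDRIVE_DOMAINS):
        hits.append("brand_impersonation:onedrive")
    shown, served = _ext(ev.link_text), _ext(ev.served_name)
    stem = ev.served_name.lower()[:-len(served)] if served else ev.served_name.lower()
    # Shown as a document but served as an executable, or a double extension.
    if served in EXECUTABLE_EXTS and (shown in DOCUMENT_EXTS or _ext(stem) in DOCUMENT_EXTS):
        hits.append(f"extension_tampering:{shown or '?'}->{served}")
    return hits


def verdict(ev: MailEvent) -> str:
    """One indicator alone warrants review; two or more together block delivery."""
    n = len(triage(ev))
    return "block" if n >= 2 else ("review" if n == 1 else "allow")
```

Feed it events from your mail gateway or sandbox; the served filename is the key field, since the lure text alone never reveals the appended .msi.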

To mitigate, organizations should enforce multi-factor authentication on email accounts, implement strict URL filtering, and monitor for anomalous RMM installations via endpoint detection and response (EDR) tools.

Regular audits of installed software and network traffic for unexpected remote access sessions are crucial, as is user education on verifying file extensions and sender authenticity.

By understanding these layered tactics, defenders can disrupt the attack lifecycle early, reducing the risk of data breaches or system lockdowns.
