Syncro
Syncro is a legitimate remote monitoring and management (RMM) tool that threat actors have repeatedly abused as a remote-access payload in place of a bespoke malware family. Reported delivery vectors are phishing and fake software or service pages, including Microsoft Teams-themed pages and PDF lures that redirect victims to Google Drive links.

In one Storm-2949 intrusion, Syncro/Servably installers were deployed alongside ConnectWise ScreenConnect after a Microsoft Entra ID account takeover, to establish persistence on the compromised endpoints. Two Syncro/Servably MSI wrappers dropped a byte-identical 5.6 MB .NET payload named Kabuto.Installer.Installer.InstallSyncro (SHA-256 e896a9d376bf451092291934cbe06b1cdddb2bc2ecf7f6b6e9af2c6d0d32a816). The MSI Property table of the wrappers exposed operator-linked tenant identifiers: API_KEY 7EUjsWCCy0h2yShB_NdJ7w, CUSTOMER_ID 1763306, FOLDER_ID 4737689, ProductCode {B7F56D3D-2AD3-4021-9D36-3B9E9C9FBE33} and UpgradeCode {BBEC0057-5B07-4E45-9CB3-EA45FC87B23B}. These tenant identifiers are stronger attribution signals than file hashes: the binaries are legitimate vendor-signed software, and the inner payload is identical across wrappers, so its hash identifies the product build rather than who deployed it, whereas the API key and customer/folder IDs are bound to the operator's Syncro tenant.

Syncro is also among the RMM tools tested or used by MuddyWater, and ASEC reports abuse by threat actors including Chaos, Royal and MuddyWater. Targeting described across the sources spans enterprise and cloud environments, MSP/IT support contexts, and sectors hit by broader campaigns: airlines, telecommunications, IT, pharmaceuticals, automotive manufacturing, logistics, travel/tourism, employment/immigration agencies and small businesses.

Because Syncro itself is legitimate software being used for unauthorized remote access, the detection guidance emphasizes behavioral and infrastructure-based hunting (unexpected RMM installs, tenant identifiers that do not belong to the organization, co-installation with other RMM agents) over static malware signatures.
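The hunt the paragraph above describes, as an added PowerShell example; it is not code from this page's sources or from Syncro/Servably. It opens candidate MSI installers read-only through the Windows Installer automation object, reads the Property table, and compares the embedded API_KEY / CUSTOMER_ID / FOLDER_ID against the Storm-2949 values quoted on this page and against the tenant your own IT or MSP deploys from. It also pulls recent MsiInstaller "installation completed" events (Application log, event ID 11707) so installs can be tied to a user and time. Assumptions: the `$ApprovedTenants` values are placeholders to replace, the product-name pattern `Syncro|Servably|ScreenConnect` is a guess at how the installers are named, and the scan paths are examples.

```powershell
# Added example (not from the page's sources or from Syncro/Servably).
# Requires Windows (WindowsInstaller COM) and an elevated prompt for the event-log query.

function Get-MsiPropertyTable {
    param([Parameter(Mandatory)][string]$Path)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # 0 = msiOpenDatabaseModeReadOnly: never open an attacker-supplied MSI writable
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null,
            $installer, @((Resolve-Path $Path).Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
            @('SELECT `Property`, `Value` FROM `Property`'))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $props = @{}
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { break }   # Fetch returns null when the result set is exhausted
        $name  = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1))
        $value = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(2))
        $props[$name] = $value
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    return $props
}

# Tenant identifiers quoted on this page for the Storm-2949 Syncro/Servably wrappers.
$KnownOperatorTenants = @{
    'Storm-2949' = @{ API_KEY = '7EUjsWCCy0h2yShB_NdJ7w'; CUSTOMER_ID = '1763306'; FOLDER_ID = '4737689' }
}
# Placeholder (assumption): the Syncro tenant your own IT/MSP legitimately deploys from.
$ApprovedTenants = @(
    @{ API_KEY = 'REPLACE_WITH_YOUR_API_KEY'; CUSTOMER_ID = 'REPLACE'; FOLDER_ID = 'REPLACE' }
)

function Test-RmmInstaller {
    param([Parameter(Mandatory)][string]$Path)
    $p   = Get-MsiPropertyTable -Path $Path
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $apiKey = $p['API_KEY']; $custId = $p['CUSTOMER_ID']; $folderId = $p['FOLDER_ID']

    $verdict = 'no-tenant-properties'
    if ($apiKey -or $custId) {
        $verdict = 'unknown-tenant'          # RMM install from a tenant nobody vouches for
        foreach ($a in $ApprovedTenants) {
            if ($a.API_KEY -eq $apiKey) { $verdict = 'approved-tenant' }
        }
        foreach ($name in $KnownOperatorTenants.Keys) {
            $k = $KnownOperatorTenants[$name]
            # API_KEY alone is decisive; CUSTOMER_ID+FOLDER_ID together are the fallback
            if ($k.API_KEY -eq $apiKey -or ($k.CUSTOMER_ID -eq $custId -and $k.FOLDER_ID -eq $folderId)) {
                $verdict = "known-operator:$name"
            }
        }
    }
    # Never log the full API key; a prefix is enough to correlate across hosts.
    $apiPrefix = if ($apiKey) { $apiKey.Substring(0, [Math]::Min(4, $apiKey.Length)) + '...' } else { $null }
    [pscustomobject]@{
        Path = $Path; ProductName = $p['ProductName']; ProductCode = $p['ProductCode']
        UpgradeCode = $p['UpgradeCode']; CustomerId = $custId; FolderId = $folderId
        ApiKeyPrefix = $apiPrefix; Signer = $sig.SignerCertificate.Subject
        SignatureStatus = $sig.Status; Verdict = $verdict
    }
}

function Get-RecentRmmInstallEvents {
    # Event 11707 = "Product: <name> -- Installation completed successfully."
    param([int]$Days = 30, [string]$Pattern = 'Syncro|Servably|ScreenConnect')  # pattern is an assumption
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 11707
                                     StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, @{ n = 'UserSid'; e = { $_.UserId } }, Message
}

# Usage: sweep user-writable locations (example paths) and keep anything with tenant
# properties or an RMM-looking product name, then list matching install events.
Get-ChildItem -Path "$env:SystemDrive\Users", $env:TEMP -Recurse -Filter *.msi -ErrorAction SilentlyContinue |
    ForEach-Object { Test-RmmInstaller -Path $_.FullName } |
    Where-Object { $_.Verdict -ne 'no-tenant-properties' -or $_.ProductName -match 'Syncro|Servably|ScreenConnect' } |
    Format-Table Verdict, ProductName, CustomerId, FolderId, ApiKeyPrefix, SignatureStatus, Path -AutoSize
Get-RecentRmmInstallEvents | Format-Table -AutoSize
```

Two points on weighting the output. A valid Authenticode status on these files is expected, not reassuring: the page's point is that the binary is genuine vendor software, so `SignatureStatus` only tells you the file was not tampered with, and the `Verdict` column carries the signal. Second, of the five identifiers the page lists, `UpgradeCode` is by Windows Installer convention fixed per product line and `ProductCode` per release, so they fingerprint the installer version; treat `API_KEY`, `CUSTOMER_ID` and `FOLDER_ID` as the operator-linked values and pivot on those.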
Groups observed using it
2 distinct threat actors attributed by public researchers.
Alongside three ScreenConnect MSI siblings ... two Syncro/Servably MSI wrappers ... drop a byte-identical 5.6 MB Kabuto.Installer.Installer.InstallSyncro .NET payload ... (Syncro / Servably, Inc.: legitimate RMM abused via operator-tenant deployment alongside ScreenConnect)
Legitimate remote management tools, including Atera, AnyDesk, Syncro, SimpleHelp, and NetBird, were systematically abused to establish persistent remote access...
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques. Evidence: "Legitimate remote management tools … were systematically abused to establish persistent remote access, with attackers registering compromised trial accounts and impersonating credible organizations …"
Credential phishing serves as the initial-access vector, with a "technical interview" social-engineering pretext during which the operator drives an MFA-fatigue / SSPR-rotation sequence to seize Microsoft Entra ID accounts.
Instead of relying on malicious software that antivirus tools might catch and flag, they use legitimate remote access tools to blend in with normal IT activity.
MuddyWater began using "fully signed" and legitimate RMM tools as part of its attack chain in 2020, often by including links in phishing emails designed to trick victims into downloading and executing RMM installers.
Persistence
3 techniques. Evidence: the same "legitimate remote management tools … systematically abused to establish persistent remote access" report quoted under Initial Access.
Credential phishing serves as the initial-access vector, with a "technical interview" social-engineering pretext during which the operator drives an MFA-fatigue / SSPR-rotation sequence to seize Microsoft Entra ID accounts.
Privilege Escalation
2 techniques. Evidence: the same "legitimate remote management tools … systematically abused to establish persistent remote access" report quoted under Initial Access.
Stealth
2 techniques. Evidence: the same "legitimate remote management tools … systematically abused to establish persistent remote access" report quoted under Initial Access.
Lateral Movement
1 technique. Evidence: tools listed include "AnyDesk", "ScreenConnect", "RemoteUtilities", "Syncro", "SimpleHelp".
Command and Control
2 techniques. Evidence: MuddyWater began using "fully signed" and legitimate RMM tools as part of its attack chain in 2020... Legitimate software tied to such efforts has included Atera, N-Able, Remote Utilities, ScreenConnect, SimpleHelp and Syncro.
The final payload observed in these campaigns is ScreenConnect, a remote monitoring and management (RMM) tool used to control victim machines.
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A legitimate RMM agent referenced as another remote access tool abused in related social-engineering activity to provide remote access to victim systems.
Legitimate RMM tool delivered via phishing (lures like invoices/orders/payments) to establish remote management/control on victim endpoints; noted as used by multiple threat actors.
Syncro is a legitimate remote access tool used for IT support and device management. In this campaign, attackers use their own signed builds of Syncro to gain unauthorized remote access to victims' machines, enabling full control, remote command execution, file transfer, and theft of sensitive data such as crypto wallet keys.
Legitimate RMM tool referenced as part of MuddyWater’s experimentation/abuse of RMM software for initial access/remote control.