
FleetDeck

FleetDeck is a legitimate remote monitoring and management (RMM) / remote access tool that has been repurposed by cybercriminals in phishing and initial-access campaigns. Reported use cases include platform-aware phishing in which a landing page fingerprinted victims and delivered FleetDeck to macOS users while delivering Tiflux RAT to Windows users. Proofpoint also observed increased use of FleetDeck in 2024-2025 as part of a broader shift toward legitimate RMM tools as first-stage payloads in email campaigns, alongside tools such as ScreenConnect and Atera. In these campaigns, RMM tooling is used to gain remote access, maintain persistence, perform reconnaissance, harvest credentials, enable lateral movement, support financial theft, and stage follow-on malware.

FleetDeck was also observed in activity targeting trucking, freight, and logistics organizations, where threat actors used RMM and remote access tools including FleetDeck, ScreenConnect, SimpleHelp, PDQ Connect, N-able, and LogMeIn Resolve to gain initial access and persistent control; these intrusions were associated with cyber-enabled cargo theft and collaboration with organized crime groups. Additional reporting noted at least one low-volume threat cluster that has regularly used Bluetrait since October 2024 and has also delivered FleetDeck with similar payment-themed lures and methods. The underlying reporting does not provide FleetDeck-specific hashes or infrastructure, but it does characterize its delivery via phishing URLs and malicious executables/MSI installers in broader RMM campaigns.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566 Phishing (evidence: 3)

Threat actors are moving away from spray-n-pray phishing attacks in favor of campaigns that can automatically adapt to a target's device and operating system.

T1566.002 Spearphishing Link (evidence: 1)

More recently, Cofense has seen examples of phishing campaigns that are even more targeted once the victim clicks a link or an attachment.

Command and Control

1 technique
T1219 Remote Access Tools (evidence: 7)

Much of the malware Cofense has observed in multiplatform campaigns has been "technically legitimate remote access tools (RATs) that have been repurposed to act as remote access trojans..."
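As an added illustration (not Mallory's code and not any vendor's detection content), the following Python hunt flags process-creation events that reference one of the RMM products named in the reporting above but not on an organization's sanctioned list, and raises severity when the launch chain starts from a mail client or browser, which is how the phishing-delivered installers described on this page arrive. The event field names (host, user, parent, image, cmdline, product), the sample events, the parent-process list and the sanctioned list are constructed assumptions; in practice the events would come from EDR or Sysmon process-creation telemetry, with product taken from the binary's version-info ProductName where the sensor exposes it.

```python
"""Hunt for unsanctioned RMM / remote-access tool activity in process-creation
events. Added example; event schema, sample data and lists are assumptions."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# RMM / remote-access products named in the reporting on this page.
RMM_PRODUCTS = ["FleetDeck", "ScreenConnect", "Atera", "SimpleHelp",
                "PDQ Connect", "N-able", "LogMeIn Resolve", "Bluetrait"]

# Parent processes typical of a user launching a phishing-delivered
# installer (mail clients and browsers). Assumed list; tune per estate.
DELIVERY_PARENTS = {"outlook.exe", "thunderbird.exe", "chrome.exe",
                    "msedge.exe", "firefox.exe", "safari"}

# RMM tooling the organization actually uses (constructed allowlist).
SANCTIONED_RMM = {"ScreenConnect"}


def _pattern(name: str) -> "re.Pattern[str]":
    # "PDQ Connect" -> \bPDQ[\s_.-]*Connect\b so spacing/hyphen variants match
    parts = [re.escape(p) for p in re.split(r"[^A-Za-z0-9]+", name) if p]
    return re.compile(r"\b" + r"[\s_.-]*".join(parts) + r"\b", re.IGNORECASE)


RMM_PATTERNS = [(name, _pattern(name)) for name in RMM_PRODUCTS]


def identify_rmm(event: dict) -> Optional[str]:
    """Return the RMM product referenced by an event's product/image/cmdline, or None."""
    haystack = " ".join(str(event.get(k, "")) for k in ("product", "image", "cmdline"))
    for name, pat in RMM_PATTERNS:
        if pat.search(haystack):
            return name
    return None


@dataclass
class Finding:
    host: str
    user: str
    product: str
    severity: str
    reason: str


def hunt(events: Iterable[dict], sanctioned: Iterable[str]) -> List[Finding]:
    """Flag events that reference an RMM product outside the sanctioned set."""
    sanctioned_lc = {s.lower() for s in sanctioned}
    findings: List[Finding] = []
    for ev in events:
        product = identify_rmm(ev)
        if product is None or product.lower() in sanctioned_lc:
            continue
        parent = str(ev.get("parent", "")).lower()
        if parent in DELIVERY_PARENTS:
            sev = "high"
            reason = f"unsanctioned RMM '{product}' launched from {parent}"
        else:
            sev = "medium"
            reason = f"unsanctioned RMM '{product}' present on host"
        findings.append(Finding(ev["host"], ev["user"], product, sev, reason))
    return findings


# Constructed sample events (not real telemetry; paths and names are made up).
SAMPLE_EVENTS = [
    {"host": "wks-01", "user": "alice", "parent": "outlook.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\payment-notice.msi /qn",
     "product": "FleetDeck"},
    {"host": "srv-02", "user": "bob", "parent": "services.exe",
     "image": r"C:\Program Files\agent\agent.exe", "cmdline": "agent.exe -svc",
     "product": "ScreenConnect"},
    {"host": "mac-03", "user": "carol", "parent": "chrome.exe",
     "image": "/usr/sbin/installer",
     "cmdline": "installer -pkg /Users/carol/Downloads/invoice.pkg -target /",
     "product": "N-able"},
    {"host": "wks-04", "user": "dave", "parent": "explorer.exe",
     "image": r"C:\Program Files\Office\WINWORD.EXE", "cmdline": "WINWORD.EXE /n",
     "product": "Microsoft Word"},
    {"host": "wks-05", "user": "eve", "parent": "explorer.exe",
     "image": r"C:\Users\eve\Downloads\SimpleHelp-remote-access.exe",
     "cmdline": "SimpleHelp-remote-access.exe", "product": ""},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, SANCTIONED_RMM):
        print(f"[{f.severity}] {f.host} {f.user}: {f.reason}")
```

The word-boundary patterns are deliberately loose about spacing and hyphens (so "PDQ Connect", "PDQ-Connect" and "pdq_connect" all match) but tight at the edges, so ordinary words such as "enable" do not trigger the N-able rule. Treating a sanctioned product as benign is what keeps the hunt usable: the page's point is that these tools are legitimate, so the signal is an RMM product the organization never deployed, strengthened when it was launched from a mail client or browser.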

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
1 tracked

Other indicator types observed in public reporting.

Type    Value                              Latest sighting
domain  ●●●●●●●●●●●● (full value in app)   19 days ago
uri     ●●●●●●●●●●●● (full value in app)   19 days ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (2)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (3)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.