PDQ Connect
PDQ Connect is a legitimate cloud-based remote monitoring and management (RMM) tool that threat actors have repeatedly abused as a remote-access capability; it is not a traditional malware family. Reported abuse includes use by the Iranian APT group MuddyWater/TA450 and by cybercriminal activity tracked by Proofpoint, including TA558 and clusters targeting trucking and logistics firms for cargo theft. It has also appeared in generalized crimeware activity. Observed malicious use includes social-engineering victims into installing signed PDQ Connect MSI packages (including lures themed as Social Security statements, such as ssa.msi), phishing and fake software-download pages impersonating products such as Notepad++, 7-Zip, Telegram, ChatGPT, and OpenAI, and delivery via malicious .exe or .msi files in logistics-focused campaigns. Once installed, attackers have used PDQ Connect for remote control and follow-on payload delivery, including installation of PatoRAT, and it has been observed downloading or deploying additional RMM tools such as ScreenConnect and SimpleHelp in tandem to preserve access. Because the tool provides software/package distribution, patch management, inventory, and remote-control functionality, its abuse blends with legitimate IT activity, and because the binaries are signed and the infrastructure is legitimate, it evades some conventional detections. High-confidence artifacts in the underlying reporting include storage of the API key at C:\ProgramData\PDQ\PDQConnectAgent\token and the AhnLab EDR detection name Execution/EDR.PDQConnect.M12920. Red Canary reported that abuse of PDQ Connect largely diminished after PDQ rolled out new signed builds and updates in October 2025.
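As an added illustration (not code from this page, from Mallory, or from PDQ), the following Python hunt applies the artifacts above to constructed endpoint telemetry: it flags msiexec launching the ssa.msi lure or any MSI from a user-writable folder, and flags the PDQConnectAgent token file appearing on a host outside an IT-approved list. The event field names, hostnames and approved-host list are assumptions; map them to your own EDR or Sysmon schema.

```python
"""Hunt for the PDQ Connect abuse pattern described above in endpoint telemetry."""
import re

# From the page: the agent stores its API key here, and ssa.msi is a known lure name.
AGENT_TOKEN_PATH = r"c:\programdata\pdq\pdqconnectagent\token"
LURE_NAMES = {"ssa.msi"}
# Constructed heuristics: MSI path argument and user-writable staging folders.
MSI_ARG = re.compile(r'"([^"]+\.msi)"|(\S+\.msi)', re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata|temp)\\", re.I)

# Constructed sample events (process creation and file creation), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "wks-17", "event": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\ssa.msi" /qn'},
    {"host": "wks-17", "event": "file", "path": r"C:\ProgramData\PDQ\PDQConnectAgent\token"},
    {"host": "wks-22", "event": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\bob\Downloads\npp-setup.msi"'},
    {"host": "it-admin-01", "event": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\PDQ\Deploy\PDQConnectAgent.msi" /qn'},
    {"host": "it-admin-01", "event": "file", "path": r"C:\ProgramData\PDQ\PDQConnectAgent\token"},
]
# Constructed allow-list: hosts where IT has sanctioned the PDQ Connect agent.
APPROVED_HOSTS = {"it-admin-01"}


def hunt(events, approved_hosts):
    """Return (host, severity, reason) tuples for events an analyst should review."""
    findings = []
    for e in events:
        host = e["host"]
        if e["event"] == "process" and e["image"].lower().endswith("msiexec.exe"):
            m = MSI_ARG.search(e["cmdline"])
            if not m:
                continue
            msi = m.group(1) or m.group(2)
            name = msi.rsplit("\\", 1)[-1].lower()
            if name in LURE_NAMES:
                findings.append((host, "high", f"known lure installer {name}"))
            elif USER_WRITABLE.search(msi):
                findings.append((host, "medium", f"MSI run from user-writable path: {msi}"))
        elif e["event"] == "file" and e["path"].lower() == AGENT_TOKEN_PATH:
            # A sanctioned deployment writes the same token file; only unapproved hosts are suspicious.
            if host not in approved_hosts:
                findings.append((host, "high", "PDQ Connect agent token written on unapproved host"))
    return findings


if __name__ == "__main__":
    for host, sev, reason in hunt(SAMPLE_EVENTS, APPROVED_HOSTS):
        print(f"[{sev}] {host}: {reason}")
```

The allow-list is the key control: the token file is a reliable artifact of the agent, but it is only an indicator of abuse where nobody in IT deployed the agent.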
Groups observed using it
2 distinct threat actors attributed by public researchers.
PDQ Connect is a newer, cloud-based RMM that has seen abuse from APT groups like MuddyWater. While it has previously appeared in generalized crimeware, PDQ Connect abuse has largely diminished following the company’s rollout of new signed builds and updates in October 2025.
While the actor favors VenomRAT, TA558 also distributes other commodity malware including njRAT, Remcos RAT, and recently XWorm and PDQ Connect.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
"AnyDesk deployed for persistent remote access without IT authorisation"; "Abuse of legitimate RMM tools (Syncro, PDQ Connect) installed by third-party IT integrators on OT networks"
SimpleHelp ... is often used in phishing campaigns involving “invitation” lures in which the victim is encouraged to download and execute an invite to a party (e.g. Ecard9140.exe).
A common lure is themed as a Social Security statement (ssa.msi) in an attempt to convince the victim they need to run the file to retrieve their statement.
The initial infection occurs via specially crafted spam messages purporting to be from financial institutions or cell phone carriers with an overdue bill or electronic receipt of payment issued as an NF-e... Both messages link to a Dropbox file, which contains the malicious binary installer for the RMM tool.
Execution
2 techniques
Persistence
1 technique
Stealth
3 techniques
Even when the file is renamed to something like party_invite.exe, or Voicemailaudioext.exe ... A common lure is themed as a Social Security statement (ssa.msi) ... using lures such as a document (docmentfilecsm_jw98evavuqm5gb3.exe) or an IRS tax-related file (IRS-Statement_Pr2ui4J9cfA6YEu.exe).
Lateral Movement
1 technique
Over the last few years, threat actors have flocked to exploit legitimate remote monitoring and management (RMM) tools—blue-chip IT software like ScreenConnect, LogMeIn Resolve, and PDQ Connect—blurring the line between legitimate IT administration and malicious intrusion.
Command and Control
4 techniques
Instead of leveraging them for initial access points to simply drop malware, attackers now use RMMs as 'a unified control hub' for command-and-control (C2) purposes as well as attack path redundancy.
The network traffic these tools create is also disguised as regular traffic, with many tools using communication over HTTPS and connecting to resources which are part of the infrastructure provided by the application provider.
IOCs tracked for this family
27 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A cloud-based remote monitoring and management tool abused through signed MSI installers, often delivered with phishing lures. Attackers use it for remote access and as a stepping stone to deploy additional tools, commonly ScreenConnect.
Legitimate RMM tool abused to obtain remote execution/control and to deploy follow-on payloads (notably PatoRAT).
PDQ Connect, a legitimate RMM tool, is being misused by attackers who trick victims into installing it, granting the attackers remote access to the system. This approach allows attackers to bypass many security controls as the tool is trusted and commonly used for IT support.
Tool/payload observed in TA558 campaigns alongside VenomRAT.