MeshAgent
MeshAgent is an open-source remote access and remote monitoring/management (RMM) agent that is consistently described in the reporting collected here as a dual-use tool abused by threat actors to obtain persistent remote control of compromised systems. Across the cited incidents it is used as a secondary payload or persistence mechanism after phishing, fake software-update lures, malicious LNK files, PowerShell downloaders, MSI/EXE installers, ClickFix-style delivery, and fake CAPTCHA-gated download pages. Reported installation methods include silent deployment, Tactical RMM-driven installation, and delivery from phishing sites or compromised infrastructure, with the agent reporting back to attacker-operated MeshCentral servers.
The content links MeshAgent to multiple threat clusters and campaigns, including Kimsuky-associated phishing activity reported by AhnLab, UNC5687 phishing campaigns, PhantomCore operations, Russian actor activity reported by CERT-UA/Microsoft, ShadowSyndicate-associated tooling, Thor, and broader state-sponsored targeting of the defense sector. It is also referenced in campaigns using EV-signed malware impersonating Microsoft Teams, Zoom, Adobe Reader, and Google Meet, where attackers installed ScreenConnect, Tactical RMM, and MeshAgent to maintain redundant access and support lateral movement.
Capabilities directly described in the content include persistent remote access and remote management of infected systems. In some campaigns, other malware downloaded MeshAgent configuration files, or dropped MeshAgent as part of a broader intrusion set that also performed credential theft, browser and mail account theft, cookie theft, keylogging, clipboard theft, host reconnaissance, and file collection. On Android, reporting states MeshAgent was used in attacks mimicking battlefield management platforms to enable remote management and support cookie theft. In ransomware and post-compromise contexts, MeshAgent appears alongside other dual-use administration tools such as ScreenConnect, SimpleHelp, Tactical RMM, Netscan, Netexec, and modified Rustdesk.
High-confidence indicators and infrastructure details in the content include phishing domains with fake CAPTCHAs used to deliver MeshAgent samples and corresponding MeshCentral servers in PhantomCore activity; a PowerShell downloader tied to UNC5687 that decrypted the URL hxxps://filedn[.]eu/lODWTgN8sswHA6Pn8HXWe1J/tox2/Scan_docs%2398097960[.]msi to fetch a MeshAgent payload; and reporting that UNC5687-associated MeshAgent communicated with C2 domains linked to a service called AnonVNC. The content consistently characterizes MeshAgent as legitimate software repurposed by attackers for persistence, privileged remote access, and follow-on intrusion activity in enterprise, government, financial, and defense-related environments.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
To achieve persistence, attackers added new malicious users, utilized remote monitoring and management (RMM) tools such as MeshAgent...
Groups observed using it
7 distinct threat actors attributed by public researchers.
Post by lazarusholic (lazarusholic.bsky.social): ... "'Secure mail' is no guarantee of safety! Malicious files impersonating a card company are being distributed" published by Ahnlab. #Kimsuky, #LNK, #MeshAgent, #DPRK, #CTI
PhantomCore registers phishing domains with fake CAPTCHAs used to deliver MeshAgent samples, and domains for the corresponding MeshCentral servers.
Remote Access: An instance of MeshAgent is silently installed, providing the attackers with persistent remote control over the infected system.
"To maintain persistence, they abused remote monitoring and management (RMM) tools, specifically SimpleHelp and MeshAgent."
ShadowSyndicate continues to be associated with toolkits including ... MeshAgent ...
"Threat Actor: UNC5687, known for using MESHAGENT in phishing campaigns... The campaign delivers MESHAGENT, an open-source remote access framework..."
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
6 techniques
T1583 Acquire Infrastructure: QuadSwitcher acquired infrastructure to host their tooling.
PhantomCore registers phishing domains with fake CAPTCHAs used to deliver MeshAgent samples, and domains for the corresponding MeshCentral servers
PhantomCore gains access to servers of legitimate sites and later uses them to store samples of MeshAgent, PhantomTaskShell, and Rsocx
PhantomCore buys commercial software XenArmor All‑In‑One Password Recovery Pro and uploads the free utilities MeshAgent, RSocx, and Rclone
T1608.001 Stage Capabilities: Upload Malware (vendor MITRE ATT&CK mapping): Dropbox-hosted payload
PhantomCore uploads MeshAgent and RSocx to directories on compromised legitimate sites and phishing sites, and uploads XenArmor All‑In‑One Password Recovery Pro and RClone to VPS servers
Initial Access
3 techniques
PhantomCore uses external services for remote access: SSH (tunneling) and MeshAgent
Quick Heal’s team has identified hacker group APT36 (Transparent Tribe) deploying CrimsonRAT malware through sophisticated phishing attacks along with an RMM tool known as MeshAgent, he said.
PhantomCore emails links to phishing sites that lead to MeshAgent being downloaded when visited
Execution
3 techniques
PhantomCore creates Windows Task Scheduler tasks on infected hosts: to run SSH tunnels and MeshAgent samples at 09:00–10:00, disguising task names as legitimate software updates and system services... to run PhantomTaskShell for 9,999 days... disguised as an admin service named SystemAdminAgent_<GUID>
PhantomCore lures users of targeted systems into clicking phishing links to download MeshAgent
T1204.002 User Execution: Malicious File (vendor MITRE ATT&CK mapping): victim runs "VMware vSphere Client"
Persistence
3 techniques
PhantomCore creates Windows Task Scheduler tasks on infected hosts: to run SSH tunnels and MeshAgent samples at 09:00–10:00, disguising task names as legitimate software updates and system services... to run PhantomTaskShell for 9,999 days... disguised as an admin service named SystemAdminAgent_<GUID>
PhantomCore uses external services for remote access: SSH (tunneling) and MeshAgent
Privilege Escalation
2 techniques
PhantomCore creates Windows Task Scheduler tasks on infected hosts: to run SSH tunnels and MeshAgent samples at 09:00–10:00, disguising task names as legitimate software updates and system services... to run PhantomTaskShell for 9,999 days... disguised as an admin service named SystemAdminAgent_<GUID>
Defense Evasion
4 techniques
“The script employs a custom obfuscation routine resembling the RC4 stream cipher to conceal the malicious URL… The obfuscated URL, stored as a byte array, is decrypted using the F function with ‘tox2’ as the key.”
At the end of August 2024, QuadSwitcher compromised a technology company in Western Europe, downloading PuTTY from http://130.185.75[.]198:8000/plink.exe using certutil.exe ... The threat actor also downloaded MeshAgent ... also via certutil.exe.
“download … Scan_docs%2398097960.msi … Execution: Finally, the script executes the downloaded file.”
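The two snippets above describe the UNC5687 downloader: a URL kept as a byte array and recovered with an RC4-like routine keyed with 'tox2' before the MSI is fetched and run. The block below is an added example (not code from the page or from any vendor report) that implements textbook RC4 so an analyst can try the quoted key against an extracted byte array. Whether the script's F function deviates from textbook RC4 is not stated on the page, so this is the first attempt, not a guaranteed decoder. The byte array in the block is constructed here by encrypting a placeholder URL under the same key; it is not an indicator.

```python
"""Recovering an RC4-obfuscated download URL from a PowerShell downloader.
Added example, not code from the page or from any vendor report. Implements
textbook RC4 (KSA + PRGA); the script's own F function may differ. The byte
array below is constructed from a placeholder URL, not taken from a sample."""

def rc4_keystream(key: bytes):
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)

def decode_url(byte_array, key: bytes = b"tox2") -> str:
    """Equivalent of the script's F(byte_array, 'tox2') step: decrypt and read as text."""
    return rc4(key, bytes(byte_array)).decode("utf-8", errors="replace")

def looks_like_url(s: str) -> bool:
    """Plausibility check: a wrong key or a non-textbook variant yields garbage, not a URL."""
    return s.startswith(("http://", "https://")) and s.isprintable()

# Constructed sample: a placeholder URL (this example's own, not an IOC) encrypted under the
# key quoted on the page, listed the way a PowerShell [byte[]] literal would carry it.
PLACEHOLDER_URL = "https://example.invalid/files/Scan_docs.msi"
OBFUSCATED = list(rc4(b"tox2", PLACEHOLDER_URL.encode()))

if __name__ == "__main__":
    print("byte array:", ",".join(map(str, OBFUSCATED)))
    url = decode_url(OBFUSCATED)
    print("decoded   :", url, "| plausible:", looks_like_url(url))
    print("wrong key :", looks_like_url(decode_url(OBFUSCATED, key=b"tox3")))
```

To use it on a real script, paste the decimal values of the embedded byte array into `OBFUSCATED`; if `looks_like_url` stays false under 'tox2', compare F against the KSA/PRGA above for the deviation (swapped modulus, extra rounds, a different index update) and adjust.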
"modified a Windows Registry value SystemComponent=1 to hide MeshAgent from the 'Programs and Features' list."
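The scheduled-task behaviour quoted under Execution, Persistence and Privilege Escalation (a 09:00–10:00 start, a 9,999-day repetition, task names disguised as updates or as SystemAdminAgent_<GUID>) and the SystemComponent=1 uninstall-key trick quoted just above are both host artifacts a responder can sweep for. The block below is an added example, not code from any vendor report or from MeshCentral: it reviews Task Scheduler XML exports and Uninstall registry entries for those traits. The duration threshold, the user-writable path list and the "no Publisher" rule are this example's assumptions; the task XML and registry entries in it are constructed samples.

```python
"""Host-artifact hunt for the MeshAgent persistence traits quoted on this page.
Added example, not vendor or MeshCentral code. Path, publisher and duration
heuristics are assumptions; the task XML and registry entries are constructed."""
import re
import sys
import xml.etree.ElementTree as ET

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
DISGUISED_NAME = re.compile(rf"^SystemAdminAgent_{GUID}$", re.I)   # name pattern stated on the page
LONG_REPETITION_DAYS = 3650                                          # assumption: >10 years is no product default
USER_WRITABLE = re.compile(r"\\(Users\\Public|AppData\\Local|ProgramData|Temp)\\", re.I)  # assumption
STRONG = ("name matches", "command runs MeshAgent")

def _local(tag):
    return tag.rsplit("}", 1)[-1]            # strip the Task Scheduler XML namespace

def _texts(root, name):
    return [(e.text or "").strip() for e in root.iter() if _local(e.tag) == name]

def _duration_days(iso):
    m = re.match(r"^P(?:(\d+)D)?", iso)       # Task XML durations are ISO 8601, e.g. P9999D, PT1H
    return int(m.group(1)) if m and m.group(1) else 0

def review_task_xml(xml_text):
    """Reasons a Task Scheduler XML export resembles the RMM persistence described above."""
    root = ET.fromstring(xml_text)
    uri = (_texts(root, "URI") or [""])[0]
    vendor_tree = uri.startswith("\\Microsoft\\")
    reasons = []
    if DISGUISED_NAME.match(uri.rsplit("\\", 1)[-1]):
        reasons.append("name matches SystemAdminAgent_<GUID>")
    for d in _texts(root, "Duration"):
        if _duration_days(d) >= LONG_REPETITION_DAYS:
            reasons.append(f"repetition duration {d}")
    for cmd in _texts(root, "Command"):
        if "meshagent" in cmd.lower():
            reasons.append(f"command runs MeshAgent: {cmd}")
        elif USER_WRITABLE.search(cmd) and not vendor_tree:
            reasons.append(f"non-Microsoft task runs from user-writable path: {cmd}")
    for sb in _texts(root, "StartBoundary"):
        if "T09:" in sb and not vendor_tree:
            reasons.append(f"starts in the 09:00-10:00 window ({sb})")   # weak signal on its own
    return reasons

def task_is_suspicious(xml_text):
    reasons = review_task_xml(xml_text)
    return any(r.startswith(STRONG) for r in reasons) or len(reasons) >= 2

def hidden_uninstall_entries(entries):
    """Uninstall entries (dicts of subkey values) hidden via SystemComponent=1 that mention
    Mesh or carry no Publisher (assumption: hidden entries from unknown publishers need review)."""
    hits = []
    for e in entries:
        if e.get("SystemComponent") != 1:
            continue
        blob = " ".join(str(v) for v in e.values()).lower()
        if "mesh" in blob or not e.get("Publisher"):
            hits.append(e.get("DisplayName") or e["_key"])
    return hits

def read_uninstall_entries():
    """Windows only: pull the live Uninstall subkeys (64- and 32-bit views) as dicts."""
    if sys.platform != "win32":
        return []
    import winreg
    out = []
    for sub in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as k:
                for i in range(winreg.QueryInfoKey(k)[0]):
                    name = winreg.EnumKey(k, i)
                    with winreg.OpenKey(k, name) as sk:
                        entry = {"_key": name}
                        for j in range(winreg.QueryInfoKey(sk)[1]):
                            vname, val, _ = winreg.EnumValue(sk, j)
                            entry[vname] = val
                        out.append(entry)
        except OSError:
            pass
    return out

# Constructed samples (not real exports): one task shaped like the PhantomCore description, one vendor task
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><URI>\\SystemAdminAgent_3f2504e0-4f89-11d3-9a0c-0305e82c3301</URI></RegistrationInfo>
<Triggers><CalendarTrigger><StartBoundary>2024-09-02T09:30:00</StartBoundary>
<Repetition><Interval>PT1H</Interval><Duration>P9999D</Duration></Repetition>
<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
<Actions Context="Author"><Exec><Command>C:\\Users\\Public\\svcupdate.exe</Command></Exec></Actions></Task>"""
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
<Triggers><CalendarTrigger><StartBoundary>2024-09-02T01:00:00</StartBoundary></CalendarTrigger></Triggers>
<Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions></Task>"""
UNINSTALL_ENTRIES = [  # constructed; the live equivalent comes from read_uninstall_entries()
    {"_key": "{3f2504e0-4f89-11d3-9a0c-0305e82c3301}", "DisplayName": "Mesh Agent", "Publisher": "", "SystemComponent": 1},
    {"_key": "UpdateHelper", "DisplayName": "Update Helper", "SystemComponent": 1},
    {"_key": "KB0000000", "DisplayName": "Security Update for Windows", "Publisher": "Microsoft Corporation", "SystemComponent": 1},
    {"_key": "7-Zip", "DisplayName": "7-Zip", "Publisher": "Igor Pavlov"},
]

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, task_is_suspicious(xml), review_task_xml(xml))
    print("hidden uninstall entries:", hidden_uninstall_entries(read_uninstall_entries() or UNINSTALL_ENTRIES))
```

On a live Windows host, feed `review_task_xml` the XML from `schtasks /query /xml` (or `Export-ScheduledTask`) for each task outside the Microsoft tree, and pass `read_uninstall_entries()` to `hidden_uninstall_entries`; the vendor-tree exemption keeps built-in tasks quiet but means an attacker who registers under \Microsoft\ only trips the name and MeshAgent checks.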
Discovery
1 technique
T1082 System Information Discovery (vendor MITRE ATT&CK mapping): hardware inventory via MeshAgent
Lateral Movement
1 technique
...deploying web shells or legitimate remote monitoring and management (RMM) software for lateral movement...
Collection
1 technique
T1113 Screen Capture (vendor MITRE ATT&CK mapping): MeshAgent KVM capability
Command and Control
5 techniques
T1071 Application Layer Protocol: In Play intrusions, payloads are retrieved via HTTP.
It installs as a Windows service, connects over WebSocket TLS on port 443, and waits for commands.
Uses curl to download the pipe.log file from the specified address to the %LocalAppData% path... Downloads additional malicious files from each URL to the %LocalAppData% path.
T1573.002 Encrypted Channel: Asymmetric Cryptography (vendor MITRE ATT&CK mapping): TLS with a self-signed MeshCentral CA
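The C2 facts above (a Windows service, WebSocket inside TLS to port 443, a self-signed MeshCentral CA) give a passive network hunt: a chain rooted in a self-signed CA never validates against a public trust store, so TLS metadata logs record the handshake with a validation failure. The block below is an added example, not code from the page, from MeshCentral or from any vendor; it groups such sessions per client/server pair over constructed records in Zeek ssl.log JSON shape. The issuer names, the internal-CA allowlist and the repeat-count threshold are this example's assumptions.

```python
"""Hunting MeshAgent check-ins in TLS metadata. Added example, not page, vendor or
MeshCentral code. Records are constructed in Zeek ssl.log JSON shape; issuer names,
the allowlist and the repeat threshold are assumptions."""
import json
from collections import defaultdict

KNOWN_INTERNAL_ISSUERS = {"CN=corp-internal-ca"}   # assumption: self-signed CAs you legitimately run
MIN_CONNECTIONS = 2                                # assumption: an installed agent reconnects, a one-off does not
AGENT_PORTS = {443}                                # the page states 443; widen if your estate differs

def untrusted_agent_sessions(ssl_log_lines):
    """TLS sessions to an agent port whose certificate chain failed validation, per (client, server)."""
    groups = defaultdict(list)
    for line in ssl_log_lines:
        rec = json.loads(line)
        if rec.get("id.resp_p") not in AGENT_PORTS:
            continue
        status = rec.get("validation_status") or ""
        if status in ("", "ok"):                   # empty means Zeek did not validate at all
            continue
        issuer = rec.get("issuer") or ""
        if issuer in KNOWN_INTERNAL_ISSUERS:
            continue
        groups[(rec["id.orig_h"], rec["id.resp_h"])].append(
            {"ts": rec["ts"], "sni": rec.get("server_name"), "issuer": issuer, "status": status})
    return groups

def meshagent_candidates(ssl_log_lines):
    """(client, server, session count, issuer) for repeated untrusted TLS to an agent port, busiest first."""
    out = []
    for (src, dst), sessions in untrusted_agent_sessions(ssl_log_lines).items():
        if len(sessions) >= MIN_CONNECTIONS:
            out.append((src, dst, len(sessions), sessions[0]["issuer"]))
    return sorted(out, key=lambda t: -t[2])

def _rec(ts, uid, src, sport, dst, dport, sni, issuer, status):
    return json.dumps({"ts": ts, "uid": uid, "id.orig_h": src, "id.orig_p": sport, "id.resp_h": dst,
                       "id.resp_p": dport, "server_name": sni, "issuer": issuer, "validation_status": status})

SELF_SIGNED = "self signed certificate in certificate chain"
SAMPLE_SSL_LOG = [  # constructed sample lines, not real telemetry
    _rec(1725267600.1, "C1", "10.0.0.15", 51234, "203.0.113.7", 443, "update-cdn.example", "CN=self-signed-rmm-ca", SELF_SIGNED),
    _rec(1725271200.4, "C2", "10.0.0.15", 51301, "203.0.113.7", 443, "update-cdn.example", "CN=self-signed-rmm-ca", SELF_SIGNED),
    _rec(1725267700.0, "C3", "10.0.0.22", 49800, "198.51.100.9", 443, "www.example.com", "CN=Example Public CA", "ok"),
    _rec(1725267800.0, "C4", "10.0.0.22", 49811, "10.0.5.5", 443, "intranet.corp", "CN=corp-internal-ca", "self signed certificate"),
    _rec(1725267900.0, "C5", "10.0.0.31", 50000, "203.0.113.8", 8443, None, "CN=self-signed-rmm-ca", SELF_SIGNED),
]

if __name__ == "__main__":
    for src, dst, n, issuer in meshagent_candidates(SAMPLE_SSL_LOG):
        print(f"{src} -> {dst}:443  {n} untrusted TLS sessions, issuer {issuer}")
```

Run it over the JSON lines of a real ssl.log and pivot each hit to the host: the page says the agent runs as a Windows service, so the process owning the connection and its service entry are the next things to pull. The one-off C4 and the 8443 session in the sample show the two ways this stays quiet: an allowlisted internal CA and a port outside `AGENT_PORTS`.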
Impact
2 techniques
dropping tools like MeshAgent to facilitate remote access and enable encryption, destruction, or modification of data
IOCs tracked for this family
36 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
27 sources tracked across advisories, community write-ups, and news.
MeshAgent is referenced as a named tool/malware in an AhnLab post about malicious file distribution impersonating a card company, with Kimsuky-related tagging.
Referenced as a remote management tool whose configuration files are downloaded by another malicious component during the intrusion.
RMM agent used as an attacker-installed backdoor for persistence and remote control.
An RMM agent component (commonly associated with MeshCentral-style deployments) leveraged for persistent remote access and management of compromised hosts.