Tactical RMM
Tactical RMM is a legitimate remote monitoring and management (RMM) tool that has been repeatedly repurposed by threat actors for malicious remote administration, persistence, and post-exploitation access. In the provided reporting, it appears primarily in Linux and Windows intrusion chains as a secondary payload rather than as an initial access vector.
BI.ZONE documented Tactical RMM in campaigns exploiting CVE-2025-55182 (React2Shell) against vulnerable React Server Components deployments. In those cases, attackers downloaded Tactical RMM as ELF executables from 156.67.221[.]96 via a meshagents path, and the deployed Mesh agent was configured to connect to wss://156.67.221[.]96:443/agent.ashx. The same reporting places Tactical RMM alongside other post-exploitation tooling including CrossC2 for Cobalt Strike, VShell, EtherRAT, SSH key persistence scripts, reconnaissance tooling, and XMRig. These campaigns targeted organizations including insurance, e-commerce, and IT entities, with non-Russia-focused activity specifically noted as delivering Tactical RMM among other Linux-oriented payloads.
Microsoft Defender Experts also reported Tactical RMM in February 2026 phishing campaigns in which malware masquerading as Microsoft Teams, Zoom, Adobe Reader, Google Meet, and related workplace software was digitally signed with an EV certificate issued to TrustConnect Software PTY LTD. After execution, the malware established persistence by copying itself into Program Files, registering as a Windows service, creating the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value TrustConnectAgent, contacting trustconnectsoftware.com, and running encoded PowerShell commands to download additional payloads. In that activity, attackers deployed Tactical RMM, which subsequently installed MeshAgent, providing redundant remote access and supporting persistence and lateral movement.
Additional reporting cited Tactical RMM as prevalent malicious C2-associated tooling in infrastructure studies. Hunt.io observed Tactical RMM as the most prevalent malware family in one Middle East dataset with 92 unique C2 IPs, and also identified it across Russian-hosted malicious infrastructure with 87 endpoints, where it was grouped with offensive frameworks such as Cobalt Strike, Sliver, and Ligolo-ng that had been repurposed for malicious use. Tactical RMM was also mentioned in activity associated with actors using LockBit and Babuk ransomware, where it and MeshAgent were used to maintain persistence.
High-confidence indicators directly tied to Tactical RMM in the provided content include download/source infrastructure at 156.67.221[.]96 and Mesh agent connectivity to wss://156.67.221[.]96:443/agent.ashx. Across the cited incidents, its observed role is consistent: remote administration, long-term access, persistence, and support for broader intrusion objectives.
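The persistence and C2 traits summarised above (the Run value, the encoded PowerShell download step, and MeshAgent WebSocket connections to the quoted infrastructure) turned into detection logic over constructed telemetry records. This is an added example, not code from Mallory or from any of the cited vendors; the record schema, the `mesh.corp.example` allowlist entry, the `scan` helper and the sample events are assumptions.

```python
import re

# Indicators quoted on the page, refanged so they compare with telemetry values.
C2_HOSTS = {"156.67.221.96", "154.89.152.240", "trustconnectsoftware.com"}
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "TrustConnectAgent"
MESH_PATH = "/agent.ashx"                # MeshAgent WebSocket endpoint
ALLOWED_MESH_SERVERS = {"mesh.corp.example"}  # assumed: the org's own Mesh server
# powershell ... -e / -ec / -enc / -EncodedCommand <base64>
ENCODED_PS = re.compile(r"(?i)powershell(\.exe)?\s.*-(e|ec|enc|encodedcommand)\b")

def refang(value: str) -> str:
    """Turn a defanged indicator such as 156.67.221[.]96 into a comparable host."""
    return value.replace("[.]", ".").lower()

def analyze(event: dict) -> list:
    """Return the names of the detections that fire on a single event."""
    hits = []
    kind = event.get("type")
    if kind == "registry":
        # Run-key persistence using the value name reported in the phishing campaign.
        if event.get("key", "").lower() == RUN_KEY.lower() and event.get("value") == RUN_VALUE:
            hits.append("run_key_trustconnectagent")
    elif kind == "network":
        host = refang(event.get("dest", ""))
        if host in C2_HOSTS:
            hits.append("known_c2_host")
        # Flag any MeshAgent WebSocket unless it goes to a Mesh server we operate.
        url = event.get("url", "").lower()
        if url.startswith("wss://") and url.endswith(MESH_PATH) and host not in ALLOWED_MESH_SERVERS:
            hits.append("meshagent_to_unexpected_server")
    elif kind == "process":
        if ENCODED_PS.search(event.get("cmdline", "")):
            hits.append("encoded_powershell")
    return hits

def scan(events: list) -> dict:
    """Map event id -> fired detections, omitting events with no hits."""
    return {e["id"]: hits for e in events if (hits := analyze(e))}

# Constructed sample telemetry (not real logs); ids 3 and 5 are benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry", "key": RUN_KEY, "value": "TrustConnectAgent", "data": r"C:\Program Files\TrustConnect\agent.exe"},
    {"id": 2, "type": "network", "dest": "156.67.221[.]96", "url": "wss://156.67.221.96:443/agent.ashx"},
    {"id": 3, "type": "network", "dest": "mesh.corp.example", "url": "wss://mesh.corp.example:443/agent.ashx"},
    {"id": 4, "type": "process", "cmdline": "powershell.exe -nop -w hidden -enc PLACEHOLDER_BASE64"},
    {"id": 5, "type": "process", "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"id": 6, "type": "network", "dest": "trustconnectsoftware[.]com", "url": "https://trustconnectsoftware.com/"},
]
```

Running `scan(SAMPLE_EVENTS)` flags events 1, 2, 4 and 6 and leaves the allowlisted Mesh server and the non-encoded PowerShell invocation alone.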
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
In these attacks, threat actors deployed a wider range of malware, including the CrossC2 implant for Cobalt Strike, the Tactical RMM remote administration tool, the VShell loaders and backdoor, and the EtherRAT remote access trojan.
The threat actors leveraged the CVE‑2025‑55182 (React2Shell) vulnerability... React2Shell is a vulnerability in the Flight protocol, which facilitates client-server communication for React Server Components. The vulnerability stems from insecure deserialization... Under certain conditions, this can enable an attacker to execute arbitrary code on the server.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (4 techniques)
While exploiting the React2Shell vulnerability, threat actors downloaded Tactical RMM... Script 3 ... After identifying a host vulnerable to React2Shell, it exploits the vulnerability to download and execute a payload script
Microsoft Defender Experts identified multiple phishing campaigns... The campaigns used workplace meeting lures, PDF attachments... Phishing emails directed users to download malicious executables masquerading as legitimate software.
In one observed campaign, victims received the following email which included a fake PDF attachment... A red button labeled “Open in Adobe” encouraged the user to click... when clicked... redirects users to a spoofed webpage crafted to closely mimic Adobe’s official download center.
Execution (2 techniques)
Stealth (1 technique)
Lateral Movement (1 technique)
Command and Control (4 techniques)
The a_x86 / a_x64 files use the same C2 server: 154.89.152[.]240:443 ... MeshServer=wss://156.67.221[.]96:443/agent.ashx ... The malware sends a query to this C2 server ... GET /api/{rand4hex}/{botID}/...
At this stage, the service established an outbound network connection to the attacker-controlled Command and Control (C2) domain: trustconnectsoftware[.]com
IOCs tracked for this family
20 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A legitimate remote management tool abused for post-exploitation command-and-control activity across Middle Eastern infrastructure.
Remote monitoring and management tool observed as part of the malicious infrastructure dataset.
A remote management framework observed in the infrastructure and repurposed for malicious use.
Legitimate RMM tool abused to maintain persistent access after initial phishing/signed-malware execution.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.