
RustDesk

RustDesk is a legitimate open-source remote desktop and remote monitoring/management tool that threat actors have abused as a post-compromise access mechanism. The reporting collected here describes deployment of custom-compiled or modified RustDesk binaries for persistence and remote access in intrusions, including a case in which a French-speaking actor tracked as Poisson installed a custom RustDesk build after privilege escalation and scheduled-task persistence, and multiple reports of attackers using modified RustDesk variants masquerading as "WinZip Remote Desktop." RustDesk was also observed in ransomware-related operations: SentinelOne reported Akira using the open-source RustDesk remote access tool to navigate compromised networks, describing Akira as the first known ransomware group to abuse the software, and the reporting noted that RustDesk provides stealthy cross-platform access, encrypted peer-to-peer connections, and file-transfer capability across Windows, macOS, and Linux. In separate November 2025 Osiris ransomware intrusions against a major food service franchisee operator in Southeast Asia, attackers deployed a heavily modified custom build of RustDesk disguised with a WinZip icon and the file description "WinZip Remote Desktop," alongside other dual-use tools. High-confidence indicators and artifacts mentioned directly in the source content include modified RustDesk binaries, RustDesk firewall rules left behind as persistence artifacts, and the masquerading name/description "WinZip Remote Desktop."


MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques
T1583.003 Virtual Private Server (evidence: 1)

Tactic: Resource Development | Technique: Acquire Infrastructure: VPS | ID: T1583.003

T1588.003 Code Signing Certificates (evidence: 1)

Tactic: Resource Development | Technique: Obtain Capabilities: Code Signing Certificates | ID: T1588.003

Initial Access

2 techniques
T1133 External Remote Services (evidence: 2)

Instead of relying on malicious software that antivirus tools might catch and flag, they use legitimate remote access tools to blend in with normal IT activity.

T1189 Drive-by Compromise (evidence: 1)

Tactic: Initial Access | Technique: Drive-by Compromise | ID: T1189

Execution

2 techniques
T1053 Scheduled Task/Job (evidence: 1)

T1053 – Scheduled Task/Job: Various scheduled tasks were executed.

T1204.002 Malicious File (evidence: 1)

Tactic: Execution | Technique: User Execution: Malicious File | ID: T1204.002

Persistence

3 techniques
T1053 Scheduled Task/Job (evidence: 1)

T1053 – Scheduled Task/Job: Various scheduled tasks were executed.

T1133 External Remote Services (evidence: 2)

Instead of relying on malicious software that antivirus tools might catch and flag, they use legitimate remote access tools to blend in with normal IT activity.

T1543.003 Windows Service (evidence: 1)

T1543.003 – Create or Modify System Process: Windows Service: Various Windows services were created across multiple compromised systems to establish remote access.

Privilege Escalation

2 techniques
T1053 Scheduled Task/Job (evidence: 1)

T1053 – Scheduled Task/Job: Various scheduled tasks were executed.

T1543.003 Windows Service (evidence: 1)

T1543.003 – Create or Modify System Process: Windows Service: Various Windows services were created across multiple compromised systems to establish remote access.

Stealth

2 techniques
T1036.005 Match Legitimate Resource Name or Location (evidence: 1)

Tactic: Defense Evasion | Technique: Masquerading: Match Legitimate Name | ID: T1036.005

T1070 Indicator Removal (evidence: 1)

RustDesk usage was erased by the threat actor using commands such as:

    taskkill /F /IM RustDesk.exe /FI "PID ne 6824"
    reg delete HKEY_CLASSES_ROOT\rustdesk /f
    netsh advfirewall firewall delete rule name="RustDesk Service"

Defense Impairment

1 technique
T1553.002 Code Signing (evidence: 1)

Tactic: Defense Evasion | Technique: Subvert Trust Controls: Code Signing | ID: T1553.002

Lateral Movement

1 technique
T1021 Remote Services (evidence: 2)

For this purpose, Scattered Spider established persistence using VPN access or Remote Monitoring and Management (RMM) tools.

Command and Control

4 techniques
T1071.001 Web Protocols (evidence: 1)

Tactic: Command and Control | Technique: Application Layer Protocol: Web | ID: T1071.001

T1090 Proxy (evidence: 1)

The attackers use AnyDesk, Cloudflare Tunnel, RustDesk, Ngrok, and Cloudflare Tunnel to communicate with the command-and-control (C&C).

T1105 Ingress Tool Transfer (evidence: 2)

Beyond data collection, the implant can silently download and install RustDesk or AnyDesk, giving the attacker live remote desktop access without any visible window appearing on screen.

T1219 Remote Access Tools (evidence: 12)

installed a custom-compiled RustDesk remote desktop tool as a backup channel... RustDesk: Custom-compiled remote desktop with the operator’s relay config. A secondary channel independent of Havoc.

Exfiltration

1 technique
T1048 Exfiltration Over Alternative Protocol (evidence: 1)

Supports file transfer which can facilitate data exfiltration, streamlining Akira's toolkit.

Other

1 technique
T1562.004 Disable or Modify System Firewall (evidence: 1)

This firewall rule was added:

    netsh advfirewall firewall add rule name="RustDesk Service" dir=in action=allow program="C:\Program Files\RustDesk\RustDesk.exe" enable=yes
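The artifacts quoted under T1070 (Indicator Removal) and T1562.004 (firewall rule) above, together with the "WinZip Remote Desktop" file description from the summary, are the kind of command-line and PE-metadata evidence a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from this page or from Mallory: it runs simple rules over constructed sample events (image path, file description, command line) and tags each hit with the technique ID this page maps it to.

```python
import re

# Constructed sample process-creation events, not from any real incident:
# (image_path, file_description, command_line) as a Sysmon/EDR feed might provide.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\netsh.exe", "Network Shell",
     'netsh advfirewall firewall add rule name="RustDesk Service" dir=in '
     'action=allow program="C:\\Program Files\\RustDesk\\RustDesk.exe" enable=yes'),
    ("C:\\Windows\\System32\\reg.exe", "Registry Console Tool",
     "reg delete HKEY_CLASSES_ROOT\\rustdesk /f"),
    ("C:\\Windows\\System32\\taskkill.exe", "Terminates Processes",
     'taskkill /F /IM RustDesk.exe /FI "PID ne 6824"'),
    ("C:\\Windows\\System32\\netsh.exe", "Network Shell",
     'netsh advfirewall firewall delete rule name="RustDesk Service"'),
    # Hypothetical renamed binary carrying the masquerading description from the page.
    ("C:\\Users\\Public\\wzrd.exe", "WinZip Remote Desktop", "wzrd.exe --service"),
    ("C:\\Windows\\System32\\notepad.exe", "Notepad", "notepad.exe C:\\temp\\notes.txt"),
]

# Each rule: (ATT&CK technique ID as mapped on this page, label, predicate).
# HKCR is accepted alongside HKEY_CLASSES_ROOT because reg.exe treats them as equivalent.
RULES = [
    ("T1562.004", "firewall allow rule added for RustDesk",
     lambda img, desc, cmd: re.search(r"advfirewall\s+firewall\s+add\s+rule.*rustdesk", cmd, re.I)),
    ("T1070", "RustDesk firewall rule deleted",
     lambda img, desc, cmd: re.search(r"advfirewall\s+firewall\s+delete\s+rule.*rustdesk", cmd, re.I)),
    ("T1070", "RustDesk registry class key removed",
     lambda img, desc, cmd: re.search(r"reg\s+delete\s+(HKEY_CLASSES_ROOT|HKCR)\\rustdesk", cmd, re.I)),
    ("T1070", "RustDesk process terminated",
     lambda img, desc, cmd: re.search(r"taskkill.*/IM\s+rustdesk\.exe", cmd, re.I)),
    ("T1036.005", "binary masquerading as 'WinZip Remote Desktop'",
     lambda img, desc, cmd: desc.strip().lower() == "winzip remote desktop"),
]


def scan_events(events):
    """Return a list of (technique_id, label, command_line) for every rule an event triggers."""
    findings = []
    for img, desc, cmd in events:
        for tid, label, pred in RULES:
            if pred(img, desc, cmd):
                findings.append((tid, label, cmd))
    return findings


def summarize(findings):
    """Count hits per technique ID, e.g. {'T1070': 3, ...}, for triage."""
    counts = {}
    for tid, _, _ in findings:
        counts[tid] = counts.get(tid, 0) + 1
    return counts


if __name__ == "__main__":
    for tid, label, cmd in scan_events(SAMPLE_EVENTS):
        print(f"{tid}: {label} <- {cmd}")
```

A single T1070 hit may be routine administration; three of them against the same tool on one host within a short window, following an earlier T1562.004 allow rule, is the sequence this page describes.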

INDICATORS OF COMPROMISE

IOCs tracked for this family

14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
8 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
6 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.
