Remote Utilities
Remote Utilities is a legitimate commercial remote administration / remote monitoring and management (RMM) tool, also tracked as RuRat, that threat actors have used to obtain interactive remote control of victim systems. The reporting summarized here links its abuse to multiple clusters and campaigns, including CERT-UA-tracked UAC-0096 phishing activity in Ukraine, broader UAC-0050 operations, Asylum Ambuscade, and the Curly COMrades espionage cluster.
In the UAC-0096 campaign, phishing emails spoofed as the Apparatus of the National Security and Defense Council of Ukraine used the subject "RE: Критичне оновлення безпеки" ("RE: Critical security update") and delivered a RAR archive named "KB5017371 оновлення системи безпеки.rar" ("KB5017371 security system update.rar"). The archive contained a decoy image and split archives that ultimately delivered "KB5017371.exe"; executing it installed Remote Utilities on the victim host. CERT-UA associated this activity with sender gromada@rnbo.gov.ua and published related file, host, registry, service, and network indicators. Artifacts mentioned for this activity include %PROGRAMDATA%\Remote Utilities, %PROGRAMFILES%\Remote Utilities - Host, %PROGRAMFILES(X86)%\Remote Utilities - Host, registry key HKLM\SOFTWARE\Usoris\Remote Utilities Host, service name RManService, and binaries including rfusclient.exe and rutserv.exe. Reported hashes include KB5017371.exe SHA-256 6b47e87c631bbf2e48013a68f6497e4ea18220f59c53882b6b57377204a20ccf, host-7.1.7.0_unsigned.msi SHA-256 51cbc75ef2f4b4ae0febfe6b8dd50973132b19b12273e4703a9633b54b1f5e2a, rfusclient.exe SHA-256 02003563373af3215195ca0c23af03f845921fcfa31f58770927266b03c2ac40, and rutserv.exe SHA-256 f2a5023cd559597a1b70a7e02345fb9c80b740377fcf7341d5df2d462efafda5. CERT-UA also listed related IPs and TCP endpoints including 111.90.148.194:5651, 111.90.148.194:8080, 111.90.148.190:5651, 111.90.148.199:5651, 111.90.148.197:8080, 101.99.93.104:5651, 101.99.93.109:8080, 101.99.91.170:5651, 101.99.91.179:5651, 101.99.91.167:5651, 101.99.91.158:5651, 101.99.91.19:5651, and 101.99.91.76:5651.
CERT-UA also stated that Remote Utilities was one of at least five malware/tool families used across at least 15 campaigns attributed to UAC-0050 as of 22 February 2024, alongside REMCOS RAT, QUASAR RAT, VENOM RAT, and LUMMASTEALER. In that reporting, affected sectors in Ukraine included government, energy, finance, healthcare, and information technology, and CERT-UA warned that credential theft and resulting compromised accounts could enable follow-on access to internal resources.
Asylum Ambuscade used Remote Utilities as an additional payload in both crimeware and espionage intrusion chains. According to the content, the group commonly gains initial access through spearphishing with malicious Office documents, including Follina exploitation, or through malicious Google Ads / 404 TDS redirections that lead victims to execute obfuscated JavaScript. First-stage downloaders such as SunSeed then install AHKBOT or NODEBOT, whose plugin ecosystem supports surveillance and credential theft and can download and launch additional payloads including Cobalt Strike and Remote Utilities RAT. Reported targets include bank customers, cryptocurrency traders, SMBs, and government entities in Europe and Central Asia, including European government staff assisting Ukrainian refugees and officials or state-owned company employees in Central Asia and Armenia.
Bitdefender reported that Curly COMrades, an espionage cluster assessed as aligned with Russian geopolitical interests, also deployed the legitimate RMM tool Remote Utilities for additional access, installing it as a service named RemUtSvc. In that reporting, targets included judicial and government bodies in Georgia and an energy distribution company in Moldova. The group’s broader objectives were long-term access, credential theft, lateral movement, and data theft, with repeated attempts to extract NTDS.dit and dump LSASS.
Overall, the reporting summarized above characterizes Remote Utilities as a legitimate commercial remote access product that is repeatedly repurposed by threat actors for persistence and hands-on remote control after phishing- or downloader-based infection chains.
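The host, registry, service and network indicators listed above are exactly what a defender wants to turn into a hunt. As an added example (not code from CERT-UA, Bitdefender or any source the page cites), the Python script below encodes those indicators and matches them against a handful of constructed Sysmon-style and service-install log lines. The log lines, the field names used in them, the benign entries and the registry value path under the Usoris key are all constructed for the example; the hashes, paths, service names and endpoints come from the reporting above.

```python
"""Match the Remote Utilities indicators from the reporting above against
constructed Sysmon-style / service-install log lines (added example)."""
import re

# Indicators from the CERT-UA (UAC-0096) and Bitdefender (Curly COMrades) reporting.
FILE_HASHES = {
    "6b47e87c631bbf2e48013a68f6497e4ea18220f59c53882b6b57377204a20ccf": "KB5017371.exe",
    "51cbc75ef2f4b4ae0febfe6b8dd50973132b19b12273e4703a9633b54b1f5e2a": "host-7.1.7.0_unsigned.msi",
    "02003563373af3215195ca0c23af03f845921fcfa31f58770927266b03c2ac40": "rfusclient.exe",
    "f2a5023cd559597a1b70a7e02345fb9c80b740377fcf7341d5df2d462efafda5": "rutserv.exe",
}
NETWORK_ENDPOINTS = {
    "111.90.148.194:5651", "111.90.148.194:8080", "111.90.148.190:5651",
    "111.90.148.199:5651", "111.90.148.197:8080", "101.99.93.104:5651",
    "101.99.93.109:8080", "101.99.91.170:5651", "101.99.91.179:5651",
    "101.99.91.167:5651", "101.99.91.158:5651", "101.99.91.19:5651",
    "101.99.91.76:5651",
}
SERVICE_NAMES = {"rmanservice", "remutsvc"}          # UAC-0096 and Curly COMrades
PROCESS_NAMES = {"rutserv.exe", "rfusclient.exe"}
PATH_MARKER = "\\remote utilities"                    # covers "...\Remote Utilities" and "...\Remote Utilities - Host"
REGISTRY_MARKER = "\\software\\usoris\\remote utilities host"

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="quoted value"
HASH_RE = re.compile(r"SHA256=([0-9a-fA-F]{64})")


def parse_event(line):
    """Parse one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_event(fields):
    """Return (indicator_type, value) hits for one parsed event; [] when clean."""
    hits = []
    image = fields.get("Image") or fields.get("ImagePath") or ""
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    if name in PROCESS_NAMES:
        hits.append(("process_name", name))
    if PATH_MARKER in low:
        hits.append(("install_path", image))
    m = HASH_RE.search(fields.get("Hashes", ""))
    if m and m.group(1).lower() in FILE_HASHES:
        hits.append(("file_hash", FILE_HASHES[m.group(1).lower()]))
    endpoint = f"{fields.get('DestinationIp', '')}:{fields.get('DestinationPort', '')}"
    if endpoint in NETWORK_ENDPOINTS:
        hits.append(("c2_endpoint", endpoint))
    if REGISTRY_MARKER in fields.get("TargetObject", "").lower():
        hits.append(("registry_key", fields["TargetObject"]))
    if fields.get("ServiceName", "").lower() in SERVICE_NAMES:
        hits.append(("service_install", fields["ServiceName"]))
    return hits


def scan(lines):
    """Scan an iterable of log lines; return (line_no, indicator_type, value) triples."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, value in match_event(parse_event(line)):
            findings.append((n, kind, value))
    return findings


# Constructed sample telemetry (not real captures). Lines 6 and 7 are benign.
SAMPLE_LOG = [
    r'EventID=1 Image="C:\Program Files\Remote Utilities - Host\rutserv.exe" Hashes=SHA256=f2a5023cd559597a1b70a7e02345fb9c80b740377fcf7341d5df2d462efafda5',
    r'EventID=7045 ServiceName=RManService ImagePath="C:\Program Files\Remote Utilities - Host\rutserv.exe"',
    r'EventID=13 TargetObject="HKLM\SOFTWARE\Usoris\Remote Utilities Host\Host\Parameters"',
    r'EventID=3 Image="C:\Program Files\Remote Utilities - Host\rutserv.exe" DestinationIp=111.90.148.194 DestinationPort=5651',
    r'EventID=7045 ServiceName=RemUtSvc ImagePath="C:\ProgramData\Remote Utilities\rutserv.exe"',
    r'EventID=1 Image="C:\Windows\System32\svchost.exe" Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000',
    r'EventID=3 Image="C:\Program Files\Mozilla Firefox\firefox.exe" DestinationIp=192.0.2.10 DestinationPort=443',
]

if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: {kind} -> {value}")
```

The process-name and install-path checks fire on any Remote Utilities host install, not only the hashes CERT-UA published, so in an environment where the product is authorized those two indicator types need an allowlist; the hash, registry, service-name and endpoint matches are the higher-confidence signals to page on.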
Groups observed using it
2 distinct threat actors attributed by public researchers.
The group has also been observed installing legitimate remote access tools like Remote Utilities (RuRat) and commercial RMM software for interactive control.
"...used... malicious programs: REMCOS RAT, QUASAR RAT, VENOM RAT, REMOTE UTILITIES and LUMMASTEALER."
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
"...to penetrate the network, the attackers used compromised VPN accounts..."
In instances where FIN12 leveraged UNC2053 for initial access, we observed BAZARLOADER payloads distributed via malicious email campaigns.
In one intrusion, a threat cluster distributed internal phishing emails that contained a malicious Excel attachment which used an ETTERCELL macro downloader to retrieve a copy of Remote Utilities remote access software.
MuddyWater began using "fully signed" and legitimate RMM tools as part of its attack chain in 2020, often by including links in phishing emails designed to trick victims into downloading and executing RMM installers.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
1 technique
Command and Control
1 technique
MuddyWater began using "fully signed" and legitimate RMM tools as part of its attack chain in 2020... Legitimate software tied to such efforts has included Atera, N-Able, Remote Utilities, ScreenConnect, SimpleHelp and Syncro.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Legitimate remote access/RMM tooling abused for interactive access and control of victim systems.
Legitimate remote administration/RMM software abused to maintain interactive access and persistence (installed as a service) after initial compromise.
Legitimate commercial remote administration tool abused as a RAT to provide full interactive control of compromised hosts; delivered via an AHKBOT plugin.
Legitimate remote administration software abused to provide remote control/persistent access on victim hosts; installed via a malicious executable delivered in a phishing email attachment (RAR/split-archive).