Abuse of Legitimate Remote Access Tools for Lateral Movement and Persistence
Threat actors are increasingly leveraging legitimate remote access tools, such as PuTTY and various remote monitoring and management (RMM) platforms, to facilitate lateral movement, data exfiltration, and persistent access within compromised networks. Attackers exploit the "living off the land" nature of these tools, blending their malicious activities with normal administrative operations to evade detection. In the case of PuTTY, adversaries use binaries like plink.exe and pscp.exe to move laterally and exfiltrate sensitive data, often leaving behind subtle forensic traces such as SSH host keys in the Windows registry. These artifacts can be crucial for investigators to reconstruct attacker activity, even after extensive log and artifact cleanup by the attackers.
Similarly, security researchers have observed a surge in incidents where multiple RMM tools are abused in attack chains. Threat actors compromise or install RMM platforms like ScreenConnect, TeamViewer, Atera, NinjaRMM, and GoTo Resolve to maintain long-term access and persistence. Attackers often use phishing lures to trick victims into installing rogue RMM software, and may deploy several RMM tools in succession to ensure continued access even if one is detected and removed. These tactics highlight the ongoing challenge for defenders in distinguishing between legitimate and malicious use of remote access utilities, underscoring the need for robust monitoring and baselining of such tools within enterprise environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Recent campaigns use SEO-poisoned PuTTY downloads to deliver Oyster backdoor
The report described recent campaigns in which SEO-poisoned PuTTY downloads were used to install the Oyster backdoor, enabling further compromise and data theft. It also linked similar SSH-based tradecraft to actors including DarkSide operators and North Korean APTs.
Researchers highlight PuTTY abuse for lateral movement and exfiltration
Cyber Security News reported that attackers are increasingly using the legitimate PuTTY SSH client and components such as plink.exe and pscp.exe for stealthy lateral movement and data exfiltration in compromised Windows networks. The report noted that registry artifacts under PuTTY's SSH host key storage can help investigators reconstruct attacker activity even after filesystem evidence is removed.
Huntress SOC detects and disrupts multi-RMM intrusion attempts
Huntress said its SOC identified and neutralized several incidents involving rogue RMM deployments, often before the attackers could escalate privileges or deliver additional payloads. The company also published indicators of compromise including suspicious domains and file paths tied to the abuse.
Threat actors adopt legitimate RMM tools for initial access and persistence
Huntress reported observing attackers increasingly abuse legitimate remote monitoring and management tools such as ScreenConnect, GoTo Resolve, SimpleHelp, PDQ, and ITarian to gain access and maintain persistence in victim environments. In multiple incidents, attackers chained several RMM tools together after phishing-based social engineering lures to improve redundancy and evade detection.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Surge in Cyberattacks Leveraging RMM Tools for Malware Deployment
Cybercriminals have increasingly targeted remote monitoring and management (RMM) tools to deploy malware and conduct large-scale cyberattacks. In 2025, attacks on RMM tools surged, with 51 different solutions identified as targets by security researchers. RMM tools, which became more prevalent during the COVID-19 pandemic to support remote work, are now being weaponized by threat actors due to their deep integration into enterprise IT environments. These tools, such as SuperOps and TeamViewer, are commonly used by IT professionals and managed service providers (MSPs) to remotely monitor, manage, and maintain client systems through centralized dashboards. Adversaries exploit these platforms by obtaining authenticated credentials, allowing them to bypass traditional security alerts and alarms. Once inside, attackers can disable scheduled backups, destroy system images and restore points, and push ransomware or other malicious payloads to thousands of endpoints simultaneously. The legitimate appearance of RMM tool traffic often allows malicious activity to evade anomaly detection systems, creating a persistent blind spot for network defenders. The elevated permissions typically granted to RMM platforms enable attackers to escalate privileges, move laterally within networks, and deliver malware efficiently. Compromising an MSP’s RMM infrastructure can have a supply chain effect, enabling attackers to pivot into multiple client environments and significantly amplifying the potential impact. This method of attack not only increases the blast radius but also enhances the monetization opportunities for cybercriminals. Security experts warn that the widespread use and trust in RMM tools make them an attractive and effective vector for cyberattacks. Organizations are urged to implement stronger authentication, monitor RMM tool usage closely, and restrict access to minimize risk. The trend highlights the need for enhanced vigilance and updated security controls around remote access and management solutions. The attacks demonstrate how tools designed for convenience and efficiency can become significant liabilities if not properly secured. The ongoing exploitation of RMM tools underscores the evolving tactics of cybercriminals in targeting trusted IT infrastructure. As attackers continue to refine their methods, defenders must adapt by prioritizing the security of remote management platforms. The surge in RMM tool exploitation serves as a stark reminder of the importance of supply chain security and the risks posed by third-party service providers. Organizations should review their incident response plans to ensure rapid detection and containment of attacks involving RMM platforms. The cybersecurity community continues to monitor this threat landscape, emphasizing the critical need for proactive defense measures.
Mar 21, 2026
Ransomware Gangs Abuse Legitimate Remote Access Tools to Evade Security Controls
Ransomware operators are increasingly leveraging legitimate remote access tools (RATs) such as AnyDesk, Splashtop, UltraViewer, AppAnywhere, RustDesk, CloneDesk, and TightVNC to facilitate their attacks and bypass traditional security measures. These tools, originally intended for IT administration and remote support, are being misused by cybercriminals to gain persistent, stealthy access to victim networks. Attackers exploit the fact that these RATs are often whitelisted and trusted within enterprise environments, allowing them to evade endpoint detection and response (EDR) solutions and other security controls. The use of legitimate RATs enables adversaries to connect to compromised systems without user interaction, transfer malicious binaries, exfiltrate sensitive data, and execute administrative tasks remotely. Encrypted communications provided by these tools further help attackers avoid network monitoring and detection. Security researchers have observed a trend where ransomware gangs prefer these off-the-shelf RATs over custom malware, as their legitimate signatures and widespread use make them less likely to raise suspicion. The abuse of these tools is often facilitated by poor configuration, lack of monitoring, or inadequate management within organizations. Once inside a network, attackers use RATs to move laterally, harvest credentials, and disable security defenses before deploying ransomware payloads. The sophistication of these campaigns has increased, with adversaries employing advanced evasion techniques and maintaining long-term persistence. Organizations are advised to review their use of remote access tools, ensure proper configuration, and monitor for unusual activity associated with these applications. Security teams should also consider implementing stricter application whitelisting and network segmentation to limit the potential impact of RAT abuse. The trend highlights the need for continuous vigilance and updated security policies to address the evolving tactics of ransomware operators. The exploitation of trusted IT tools for malicious purposes underscores the importance of balancing operational convenience with robust security oversight. As ransomware attacks continue to evolve, defenders must adapt their detection and response strategies to account for the abuse of legitimate software. The growing reliance on RATs by threat actors represents a significant challenge for organizations seeking to protect their networks from ransomware threats. Proactive monitoring, user education, and regular security assessments are critical components in mitigating the risks associated with the misuse of remote access tools. Failure to address these vulnerabilities can result in significant data loss, operational disruption, and financial damage due to ransomware incidents.
Mar 21, 2026
Attackers Abuse RMM Tools and Bomgar RCE to Breach MSPs and Deploy Ransomware
Threat actors increasingly abused legitimate remote monitoring and management (RMM) software for initial access, persistence, credential theft, and defense evasion, with Huntress reporting that RMM abuse accounted for 24% of incidents it observed and surged 277% over the prior year. Campaigns used signed tools including **Action1**, **ScreenConnect**, **HeartbeatRM**, **AnyDesk**, **Atera**, and **SimpleHelp**, often chaining multiple products together to fragment telemetry and complicate containment. Delivery methods included phishing lures themed around the Social Security Administration and invitations, GitHub-hosted payloads, Cloudflare-protected sites, Windows-only filtering, and mobile-only credential harvesting pages; Huntress also observed low-maturity operators using LLM-generated scripts, VPS infrastructure, proxy tooling, combo lists, and utilities designed to hide RMM software from uninstall lists. Huntress also linked a sustained rise in compromises involving **Bomgar** instances to exploitation of **`CVE-2026-1731`**, a critical remote code execution flaw in BeyondTrust products, with attackers targeting outdated deployments to access victim networks and pivot into downstream customer environments. Reported incidents hit MSPs and software providers, including a ransomware attack affecting three downstream companies and another MSP breach that forced the isolation of 78 businesses while attackers moved into four customer environments. In affected networks, intruders created privileged accounts, added users to **Domain Admins**, ran reconnaissance with **NetScan** and **`nltest.exe`**, deployed suspicious drivers such as **PoisonX.sys** and **HRSword.exe**, and in several cases launched **LockBit** or a likely leaked-builder variant, underscoring the need to patch BeyondTrust systems, tightly govern trial and remote-access tooling, and monitor for unauthorized RMM activity.
Apr 30, 2026