Threat Actors Expand Remote Monitoring and Management Abuse With Fake RMM Malware
Proofpoint reported a new malware-as-a-service (MaaS) offering that masquerades as a legitimate remote monitoring and management (RMM) product, branding itself as TrustConnect (delivered as “TrustConnect Agent”). Proofpoint assessed with moderate confidence that the actor behind TrustConnect was also a prominent user of Redline stealer, and said it worked with intelligence partners to disrupt parts of the malware’s infrastructure; the actor quickly showed resilience by standing up another fake RMM-themed site advertising a related malware variant called DocConnect. Proofpoint highlighted that attackers continue to favor RMM-style tooling for initial access and post-compromise control because it blends into normal enterprise remote support activity.
Separately, Dark Reading summarized findings from Huntress’ 2026 Cyber Threat Report indicating a broad surge in RMM abuse as an intrusion strategy, citing a 277% year-over-year increase in malicious RMM deployments and a corresponding decline in traditional malware usage. The report described RMM tooling as attractive to threat actors for stealth, persistence, and operational efficiency, and noted commonly abused products including ConnectWise ScreenConnect, AnyDesk, Atera, NetSupport, PDQ Connect, and Splashtop, with healthcare and technology seeing the largest increases. Together, the reporting underscores both the industrialization of RMM abuse and the emergence of purpose-built “fake RMM” malware offerings designed to look like enterprise remote support software.
Related Entities
Organizations
Affected Products
Sources
1 more from sources like dark reading
Related Stories
Surge in Cyberattacks Leveraging RMM Tools for Malware Deployment
Cybercriminals have increasingly targeted remote monitoring and management (RMM) tools to deploy malware and conduct large-scale cyberattacks. In 2025, attacks on RMM tools surged, with 51 different solutions identified as targets by security researchers. RMM tools, which became more prevalent during the COVID-19 pandemic to support remote work, are now being weaponized by threat actors due to their deep integration into enterprise IT environments. These tools, such as SuperOps and TeamViewer, are commonly used by IT professionals and managed service providers (MSPs) to remotely monitor, manage, and maintain client systems through centralized dashboards. Adversaries exploit these platforms by obtaining authenticated credentials, allowing them to bypass traditional security alerts and alarms. Once inside, attackers can disable scheduled backups, destroy system images and restore points, and push ransomware or other malicious payloads to thousands of endpoints simultaneously. The legitimate appearance of RMM tool traffic often allows malicious activity to evade anomaly detection systems, creating a persistent blind spot for network defenders. The elevated permissions typically granted to RMM platforms enable attackers to escalate privileges, move laterally within networks, and deliver malware efficiently. Compromising an MSP’s RMM infrastructure can have a supply chain effect, enabling attackers to pivot into multiple client environments and significantly amplifying the potential impact. This method of attack not only increases the blast radius but also enhances the monetization opportunities for cybercriminals. Security experts warn that the widespread use and trust in RMM tools make them an attractive and effective vector for cyberattacks. Organizations are urged to implement stronger authentication, monitor RMM tool usage closely, and restrict access to minimize risk. The trend highlights the need for enhanced vigilance and updated security controls around remote access and management solutions. The attacks demonstrate how tools designed for convenience and efficiency can become significant liabilities if not properly secured. The ongoing exploitation of RMM tools underscores the evolving tactics of cybercriminals in targeting trusted IT infrastructure. As attackers continue to refine their methods, defenders must adapt by prioritizing the security of remote management platforms. The surge in RMM tool exploitation serves as a stark reminder of the importance of supply chain security and the risks posed by third-party service providers. Organizations should review their incident response plans to ensure rapid detection and containment of attacks involving RMM platforms. The cybersecurity community continues to monitor this threat landscape, emphasizing the critical need for proactive defense measures.
5 months ago
Phishing Campaigns Weaponize Legitimate RMM Tools for Remote Access and Credential Theft
Threat researchers reported multiple phishing-driven intrusions in which attackers impersonate trusted brands and agencies to trick victims into installing legitimate remote monitoring and management (RMM) software for persistent access. In **Operation DoppelBrand**, financially motivated actor **GS7** spoofed Fortune 500 financial and technology brands (including **Wells Fargo** and **USAA**) using more than **150** lookalike domains to harvest credentials and exfiltrate data via attacker-controlled **Telegram bots**; researchers also identified nearly **200** additional domains with short registration terms, automated SSL, wildcard DNS, and brand-specific subdomains supporting the campaign. Separately, Forcepoint X-Labs described a wave of emails impersonating the **U.S. Social Security Administration** that delivers an attached `.cmd` script to weaken Windows defenses and enable silent installation of **ConnectWise ScreenConnect**. The script checks/elevates privileges, disables **Windows SmartScreen** via registry changes, removes **Mark-of-the-Web**, and uses **Alternate Data Streams (ADS)** for stealth before installing an MSI and configuring ScreenConnect (via `System.config`) to beacon to an attacker-controlled server (reported as `dof-connecttop` on port `8041`). Both activity sets highlight a recurring tradecraft pattern: **brand impersonation + scripted defense evasion + abuse of legitimate RMM tooling** (e.g., *LogMeIn Resolve*, *ScreenConnect*) to gain remote control and facilitate follow-on theft or persistence.
3 weeks ago
Phishing Campaigns Abuse Digital Invites and Fake Meeting Pages to Steal Credentials and Deploy RMM Tools
Threat actors are abusing the familiarity of **digital invitation and meeting platforms** to increase phishing success rates. Cofense reported malicious *Punchbowl/Paperless Post*-themed invitations that prompt recipients to “log in to view event details,” then redirect to phishing infrastructure offering branded sign-in options (e.g., **Microsoft, Yahoo, AOL, Google, Dropbox**) to harvest credentials. The phishing flow may solicit multiple credential sets by returning fake login errors and urging users to try alternate accounts; submitted credentials are exfiltrated to attacker-controlled domains, often leveraging newly registered domains to evade reputation-based defenses. Separately, Netskope research (reported by KnowBe4) described **fake video meeting invites** for *Zoom, Microsoft Teams, Google Meet,* and similar services that lead to spoofed “join meeting” pages showing purported coworkers already on the call. Victims are instructed to install a required “update” to join; the payload is a **digitally signed remote monitoring and management (RMM) tool** such as *Datto RMM, LogMeIn,* or *ScreenConnect*, enabling remote access and potential follow-on activity including data theft or deployment of additional malware. The use of legitimate, signed RMM software can blend into normal enterprise traffic and may bypass controls where such tools are pre-approved.
2 weeks ago