
Threat Actors Weaponizing RMM Tools to Gain System Control and Exfiltrate Data


Adversaries are increasingly using Remote Monitoring and Management (RMM) tools as dual-purpose weapons for initial access and persistence.

These legitimate software solutions, typically employed by IT professionals for system administration, are being co-opted by threat actors to facilitate unauthorized remote control, data exfiltration, ransomware deployment, and proxy-based attacks.

A recent campaign observed in the wild exemplifies this trend: attackers deployed two RMM agents, Atera and Splashtop Streamer, within a single malicious payload, ensuring redundancy and resilience against detection.

This approach not only amplifies the attacker’s operational flexibility but also complicates incident response, as the removal of one RMM instance leaves the other intact for continued exploitation.
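For responders, the practical consequence is that every RMM agent on a host has to be found before the incident is closed. The following Python example is added here and is not from the original article or from either vendor; it flags hosts where two different RMM families were installed as services within a short window. The matching substrings, the record layout and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed substrings of default service names / image paths; verify against your own fleet.
RMM_SIGNATURES = {
    "Atera": ("ateraagent",),
    "Splashtop Streamer": ("splashtop", "srservice"),
}

# Constructed sample service-install records: (host, time, service name, image path).
SAMPLE_EVENTS = [
    ("WS-014", "2025-01-10T09:02:11", "AteraAgent",
     r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"),
    ("WS-014", "2025-01-10T09:03:40", "SplashtopRemoteService",
     r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"),
    ("WS-022", "2025-01-10T10:15:00", "AteraAgent",
     r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"),
    ("WS-031", "2025-01-03T08:00:00", "SplashtopRemoteService",
     r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"),
    ("WS-031", "2025-01-10T08:00:00", "AteraAgent",
     r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"),
    ("WS-040", "2025-01-10T11:00:00", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

def classify(service, image_path):
    """Return the RMM family a service record belongs to, or None."""
    haystack = f"{service} {image_path}".lower()
    for family, needles in RMM_SIGNATURES.items():
        if any(needle in haystack for needle in needles):
            return family
    return None

def find_dual_rmm(events, window=timedelta(minutes=10)):
    """Map host -> sorted families when >=2 distinct RMM families appear within `window`."""
    per_host = defaultdict(list)
    for host, ts, service, path in events:
        family = classify(service, path)
        if family:
            per_host[host].append((datetime.fromisoformat(ts), family))
    flagged = {}
    for host, installs in per_host.items():
        installs.sort()
        for i, (start, _) in enumerate(installs):
            near = {fam for t, fam in installs[i:] if t - start <= window}
            if len(near) >= 2:
                flagged[host] = sorted(near)  # every family listed must be removed
                break
    return flagged

if __name__ == "__main__":
    for host, families in find_dual_rmm(SAMPLE_EVENTS).items():
        print(f"{host}: remove all of {families} before closing the incident")
```

A host with a single sanctioned agent, or with two agents installed days apart, is not flagged at the default window; widening `window` trades precision for coverage.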

The attack chain begins with a compromised Microsoft 365 email account, exploiting trust in familiar platforms to distribute phishing lures disguised as innocuous file shares.

By impersonating OneDrive notifications, complete with branded icons ...


Copyright of this story solely belongs to gbhackers.