
Phishing Campaigns Exploit RMM Tools to Sustain Remote Access


By Mayura Kathir

A sophisticated phishing operation has been uncovered in which attackers deploy remote monitoring and management (RMM) tools, namely ITarian (formerly Comodo), PDQ Connect, SimpleHelp, and Atera, to gain persistent remote access to compromised systems.

By disguising malicious installers as legitimate browser updates, meeting or party invitations, and government forms, adversaries exploit users’ trust in commonly used IT administration software.

Security researchers at Red Canary Intelligence and Zscaler threat hunters uncovered the RMM-based phishing by first establishing a strict allowlist of sanctioned remote administration tools, together with a baseline of normal behavior for each, against which unexpected RMM activity stands out.
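As an added example (not code from the Red Canary or Zscaler research), the allowlist-and-baseline approach described above expressed as detection logic over constructed process-start telemetry; the process-name fragments, the sanctioned parent processes and install paths, and the sample events are all assumptions made for illustration.

```python
# Process-name fragments for the four RMM agents named in the campaign (assumed, not confirmed binary names).
RMM_SIGNATURES = {
    "itarian": ("itsm", "itarian"),
    "pdq_connect": ("pdq-connect", "pdqconnect"),
    "simplehelp": ("simplehelp",),
    "atera": ("ateraagent", "atera"),
}
# Assumed organizational baseline: only Atera is sanctioned, and only when deployed into Program Files.
ALLOWLIST = {
    "atera": {"parents": {"msiexec.exe", "services.exe"},
              "path_prefixes": ("c:\\program files\\",)},
}
# Parents indicating a user launched a download or attachment (how the lures deliver the installer).
USER_FACING_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "explorer.exe"}

def classify_rmm(image: str):
    # Map a binary name to an RMM family, or None if it is not a known agent.
    lower = image.lower()
    for family, needles in RMM_SIGNATURES.items():
        if any(n in lower for n in needles):
            return family
    return None

def evaluate(host: str, image: str, parent_image: str, path: str) -> list:
    # Return findings for one process-start event; an empty list means it matches the baseline.
    family = classify_rmm(image)
    if family is None:
        return []
    parent = parent_image.lower()
    findings = []
    policy = ALLOWLIST.get(family)
    if policy is None:
        findings.append(f"{host}: unsanctioned RMM tool '{family}' executed")
    else:
        if parent not in policy["parents"]:
            findings.append(f"{host}: '{family}' launched by unexpected parent {parent}")
        if not path.lower().startswith(policy["path_prefixes"]):
            findings.append(f"{host}: '{family}' running from non-standard path {path}")
    if parent in USER_FACING_PARENTS:
        findings.append(f"{host}: RMM agent spawned from a user-facing app, consistent with lure delivery")
    return findings

# Constructed telemetry: one sanctioned install and two lure-style installs.
SAMPLE_EVENTS = [
    ("ws01", "AteraAgent.exe", "msiexec.exe", r"C:\Program Files\ATERA Networks\AteraAgent.exe"),
    ("ws02", "ITSMAgent.exe", "chrome.exe", r"C:\Users\a\Downloads\ITSMAgent.exe"),
    ("ws03", "SimpleHelp-Remote-Access.exe", "outlook.exe", r"C:\Users\b\AppData\Local\Temp\SimpleHelp-Remote-Access.exe"),
]

def scan(events=SAMPLE_EVENTS) -> dict:
    # Host -> findings, keeping only hosts with at least one finding.
    report = {e[0]: evaluate(*e) for e in events}
    return {h: f for h, f in report.items() if f}
```

Name-based matching alone misses a renamed installer, so a production baseline should also key on code-signing and product metadata from the endpoint telemetry.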

Attackers have centered this campaign around four distinct social engineering lures. The fake browser update ploy redirects users from sports or medical-care themed websites to an overlay prompting a “Chrome update.”

Fake Google Chrome update.

Beneath the full-screen iframe lies injected JavaScript that fingerprints browsers, harvests geolocation data via language settings, and funnels interaction logs to command-and-control (C2) domains such as panelswp ...


Copyright of this story solely belongs to gbhackers.