How Threat Actors Abuse Remote Management Software for Initial Access

RMM tools were built to give IT teams remote control over the systems they manage. Attackers figured out that the same capabilities make them ideal weapons — and they've spent the last two years building entire intrusion playbooks around them. RMM abuse surged 277% in 2025. This is how it works, what it looks like in the wild, and why it's so hard to stop.

Remote monitoring and management software occupies an unusual position in enterprise security. It's signed by legitimate vendors, trusted by endpoint defenses, and often already installed on the machines attackers want to reach. For IT administrators, these properties are exactly the point. For threat actors, they represent an almost perfect evasion mechanism. When an attacker runs ScreenConnect or SimpleHelp on a compromised host, security tools see a legitimately signed binary performing actions that are entirely consistent with normal administrative work. The malicious activity doesn't announce itself — it blends in.

This is the core of the RMM abuse problem, and it has grown into one of the defining attack patterns of the current threat landscape. According to Huntress' 2025 Cyber Threat Report, which draws on telemetry from over three million endpoints, RMM abuse accounted for 17.3% of all remote access methods observed in incidents throughout 2024, and a January 2026 Huntress analysis confirmed that the abuse rate had risen 277% year over year. The numbers reflect a structural shift: attackers aren't just opportunistically using these tools anymore — they're building their entire operational playbooks around them.

Why RMM Tools Are a Threat Actor's Best Friend

The appeal is straightforward. Commercial RMM software comes pre-signed by trusted vendors, so it passes signature-based checks without issue. It communicates over standard HTTPS ports to relay infrastructure, so it doesn't trigger the network anomaly alerts a custom C2 beacon might; the one place an abused instance does stand out is when the client has been configured against an attacker-controlled server instead of the vendor's relay or the organization's own server. It provides full remote desktop access, file transfer, shell execution, and persistence via scheduled tasks or services: everything an attacker needs once inside a network. And because many organizations legitimately run one or more RMM products, defenders face an immediate triage problem: is this instance authorized, or isn't it?

"RMMs and employee monitoring tools blend in amongst legitimate signed binaries. Delineating which may be malicious and benign at first glance is exceedingly difficult. Adversaries know this as well." — Michael Tigges, Senior Security Operations Analyst, Huntress (via The Register, February 2026)

Intel 471's threat hunting research describes the pattern clearly: threat actors use RMM software to map networks and identify valuable assets, move laterally using harvested credentials, exfiltrate sensitive data, and deploy ransomware. A secondary RMM installation post-compromise has become standard practice to ensure long-term access even if the primary foothold is discovered and removed.

The tools most frequently abused include ConnectWise ScreenConnect, SimpleHelp, AnyDesk, GoTo Resolve (from GoTo, the company formerly known as LogMeIn), PDQ Connect, Atera, TeamViewer, NinjaRMM (now NinjaOne), and ITarian. According to Huntress data, ConnectWise ScreenConnect alone accounted for 74.5% of all observed RMM exploitation in 2024, reflecting both its market prevalence and the sustained targeting of its infrastructure by threat actors.

RMM Abuse — Attack Chain Overview

Stage 1: Phishing / social engineering → Stage 2: Primary RMM installed → Stage 3: Secondary RMM daisy-chained → Stage 4: Lateral movement / credential theft → Stage 5: Ransomware / exfiltration

Typical RMM abuse kill chain: a phishing lure delivers the primary RMM, which is used to install a secondary RMM for persistence before escalating to ransomware or data theft.

The Daisy-Chain: Stacking RMMs to Fragment Detection

One of the most tactically significant developments identified in Huntress' January 2026 research is the deliberate chaining of multiple RMM tools within a single intrusion. Rather than relying on a single remote access mechanism, attackers install a primary RMM first, then use it to deploy one or more secondary RMM tools. The explicit goal is to fragment telemetry, distribute persistence across separate channels, and complicate both attribution and containment. If a defender detects and removes the first RMM tool, the second is already operational and the attacker retains access.

Huntress SOC documented this pattern repeatedly between October 2025 and January 2026. In one case, a real estate company employee received a phishing email that led to the installation of a renamed GoTo Resolve binary (Open Revised Contract (2).exe), signed by GoTo Technologies USA. A Windows scheduled task was created immediately for persistence. The attacker then used GoTo Resolve to deploy a ScreenConnect instance configured against an attacker-controlled domain. In a separate incident, an investment firm employee downloaded a file named 276SpecialInvitation9756.msi from a phishing site, which installed PDQ Connect, which was then used to drop SimpleHelp. In a third case, a single intrusion chained GoTo Resolve, ScreenConnect, and SimpleHelp across the same host.

Red Canary and Zscaler corroborated the same pattern in joint research published in September 2025, documenting campaigns deploying ITarian, PDQ, SimpleHelp, and Atera as both primary and secondary access tools. In one documented case, a victim downloaded SimpleHelp from a phishing site, which then immediately connected to an attacker server and installed ScreenConnect — using a certificate that ConnectWise had already explicitly revoked. The revoked certificate status went undetected long enough for the chain to complete.

"The use of a second (and even third or fourth) RMM tool can help ensure longer term access, even if the first tool is blocked." — Huntress Security Operations Center (A Series of Unfortunate RMM Events, December 2025)

In January 2026, Huntress observed a variation that introduced vulnerability management tooling into the chain: threat actors leveraged Action1, legitimate vulnerability management software, to deploy ScreenConnect clients via Windows Installer (MSI) packages. The approach relies on abusing legitimately signed deployment tooling: every executable in the chain carries a valid vendor signature, and msiexec itself is a Microsoft binary. Nothing in the execution chain looks obviously malicious to an endpoint agent scanning binary signatures alone.

Note

The MITRE ATT&CK techniques most commonly mapped to RMM daisy-chaining include T1566.001 (Spearphishing Attachment), T1204.002 (User Execution: Malicious File), T1053 (Scheduled Task/Job), T1021 (Remote Services), T1078 (Valid Accounts) and, for the RMM tooling itself, T1219 (Remote Access Software). Defenders running detection rules against these technique IDs should specifically tune for RMM binary parents spawning additional RMM child processes, which is a high-fidelity indicator of chaining behavior. Because the second installer is often renamed (as with the GoTo Resolve case above) or staged through cmd.exe and msiexec, the rule should key on the signer and the command line as well as the image name, and should tolerate a hop or two between the two RMM processes.
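The following is an added example of that detection logic, written for this page rather than taken from Huntress or any vendor. It walks process-creation telemetry (constructed events in the shape of Sysmon Event ID 1) and flags any RMM process whose ancestry contains a different RMM product, classifying each process by image name, command line and Authenticode signer so that a renamed binary is still recognised. The product keyword table, the signer strings and every sample event are assumptions; tune them to what your own sensor reports.

```python
"""Process-tree detection for RMM daisy-chaining.

Added example, not code from Huntress or this article. The product keywords,
the signer strings and the sample events are assumptions / constructed data;
tune the tables to what your EDR or Sysmon telemetry actually reports.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the new process
    cmdline: str  # command line as logged by the sensor
    signer: str   # Authenticode subject reported by the sensor ("" if unsigned)


# Product -> substrings that identify it in an image path, command line or
# signer (assumed values). Matching on the signer is what catches a renamed
# binary such as "Open Revised Contract (2).exe" signed by GoTo Technologies.
RMM_KEYWORDS = {
    "ScreenConnect": ("screenconnect", "connectwise"),
    "SimpleHelp": ("simplehelp", "jwrapper-remote access"),
    "GoTo Resolve": ("gotoresolve", "goto resolve", "goto technologies"),
    "PDQ Connect": ("pdq-connect", "pdq connect", "pdq.com"),
    "AnyDesk": ("anydesk",),
    "Atera": ("ateraagent", "atera networks"),
    "TeamViewer": ("teamviewer",),
    "ITarian": ("itarian", "itsmagent"),
    "NinjaOne": ("ninjarmm", "ninjaone"),
}


def classify(ev):
    """Return the RMM product a process belongs to, or None."""
    hay = " ".join((ev.image, ev.cmdline, ev.signer)).lower()
    for product, needles in RMM_KEYWORDS.items():
        if any(n in hay for n in needles):
            return product
    return None


def find_chains(events, max_hops=4):
    """Flag every RMM process whose ancestry (within max_hops) contains a
    *different* RMM product. A same-product parent/child pair (a ScreenConnect
    service launching its own client) is normal and ignored; the hop limit lets
    cmd.exe or msiexec sit between the two RMMs, as they do in real installs.
    Returns (child_pid, child_product, ancestor_pid, ancestor_product, hops)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        child = classify(ev)
        if child is None:
            continue
        anc, hops = by_pid.get(ev.ppid), 1
        while anc is not None and hops <= max_hops:
            parent = classify(anc)
            if parent is not None and parent != child:
                hits.append((ev.pid, child, anc.pid, parent, hops))
                break
            anc, hops = by_pid.get(anc.ppid), hops + 1
    return hits


# Constructed events modelled on the two chains described above.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", "Microsoft Windows"),
    ProcEvent(600, 1, r"C:\Windows\System32\services.exe", "services.exe", "Microsoft Windows"),
    # Chain 1: renamed GoTo Resolve binary, then cmd.exe -> msiexec -> ScreenConnect MSI
    ProcEvent(200, 100, r"C:\Users\jdoe\Downloads\Open Revised Contract (2).exe",
              '"Open Revised Contract (2).exe"', "GoTo Technologies USA, Inc."),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\jdoe\AppData\Local\Temp\run.bat", "Microsoft Windows"),
    ProcEvent(400, 300, r"C:\Windows\System32\msiexec.exe",
              r'msiexec /i "C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientSetup.msi" /qn',
              "Microsoft Windows"),
    # Chain 2: PDQ Connect agent dropping SimpleHelp
    ProcEvent(800, 600, r"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe",
              "pdq-connect-agent.exe", "PDQ.com Corporation"),
    ProcEvent(810, 800, r"C:\Users\jdoe\AppData\Local\Temp\Remote Access.exe",
              '"Remote Access.exe"', "SimpleHelp Ltd"),
    # Benign: an authorised ScreenConnect service starting its own client; AnyDesk run by the user
    ProcEvent(500, 600, r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
              "ScreenConnect.ClientService.exe", "Connectwise, LLC"),
    ProcEvent(510, 500, r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.WindowsClient.exe",
              "ScreenConnect.WindowsClient.exe", "Connectwise, LLC"),
    ProcEvent(700, 100, r"C:\Program Files\AnyDesk\AnyDesk.exe", "AnyDesk.exe", "philandro Software GmbH"),
]

if __name__ == "__main__":
    for pid, child, apid, parent, hops in find_chains(SAMPLE_EVENTS):
        print(f"ALERT pid {pid} ({child}) descends from pid {apid} ({parent}), {hops} hop(s) up")
```

Run against the sample, the rule fires twice: once for msiexec installing the ScreenConnect MSI two hops below the renamed GoTo Resolve binary, and once for SimpleHelp launched directly by the PDQ Connect agent. The authorised ScreenConnect service spawning its own client and the user-launched AnyDesk are not reported, which is the intended separation between chaining (this rule) and unauthorised-but-standalone RMM (an inventory question).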

The Lures: Social Engineering That Delivers the Payload

Attackers don't exploit software vulnerabilities to install rogue RMMs in every case — they often don't need to. The delivery mechanism is social engineering, and the lures are designed to look just plausible enough to get a user to double-click an MSI file. Huntress and Red Canary have both documented a consistent set of themes used across campaigns.

Government impersonation is among the most reliable. Campaigns have impersonated the Social Security Administration, the IRS, and federal benefit programs — using phishing sites that mimic government web properties and prompt victims to download a "statement viewer" or "document tool" that is actually an RMM installer. A November 2025 incident involved a user downloading a rogue ITarian installer from ssaaccount-helper[.]icu, a domain spoofing the Social Security Administration. In a separate case documented by Red Canary, a file named capilotmcupdate.msi was delivered from a domain that OSINT confirmed was a fake IRS lure, and it installed PDQ Connect which immediately chained to ScreenConnect.

Party and event invitations have become a second major lure category. Files like Thanksgiving-iv.exe, 276SpecialInvitation9756.msi, and invitatapartyTo.msi appear in incident logs from the October–December 2025 period. Red Canary documented one campaign using the phishing domain go-envitelabel[.]com with a filename of einvite.exe — a SimpleHelp installer that connected to a C2 server and dropped ScreenConnect within seconds of execution.

Infrastructure hosting these phishing pages commonly abuses GitHub repositories and Cloudflare's CDN. Huntress identified GitHub repositories linked to threat actor accounts VH851 and Drasticc that were actively hosting phishing pages with custom CNAME records, giving operators full control over how the lure presented and how the payload was delivered. Cloudflare is used to shield the hosting infrastructure, obscuring backend IP addresses and geographic location from defenders. Phishing pages include client-side JavaScript that checks the visitor's operating system and only serves the MSI payload to Windows users, filtering out security researchers running Linux or macOS.

# Indicators of compromise — GitHub-hosted RMM phishing infrastructure
# Domains associated with VH851 and Drasticc actor accounts (Nov–Dec 2025)
# Source: Huntress threat research, January 2026

ssaaccount-helper[.]icu        # Social Security impersonation — ITarian lure
elegantparty[.]de              # Party invitation — PDQ Connect lure  
go-envitelabel[.]com           # E-invite — SimpleHelp lure
support[.]innerschapel[.]com   # ScreenConnect C2 domain (actor-configured)
arc.dramaticdream[.]com        # Fake IRS site — ScreenConnect lure

From RMM Access to Ransomware: The Full Kill Chain

Once an attacker has an RMM session on a host, the subsequent steps depend on their goals and skill level, but the patterns documented across multiple research teams show a consistent progression. Reconnaissance comes first — surveying what's running, what credentials are accessible, and whether the compromised host sits near anything valuable on the network. Huntress observed that in TeamViewer-based intrusions, some attackers spent as little as seven and a half minutes on one endpoint before moving to the next, arriving with a specific plan already in place and skipping any attempt at environmental discovery.

Credential access is a primary objective at this stage. The Medusa ransomware group — which as of January 2026 had claimed over 500 victims and prompted a joint CISA/FBI advisory — uses RMM tools extensively for this phase. Darktrace research confirms that Medusa operators use SimpleHelp not only for initial command-and-control but for lateral movement, downloading additional tooling, data exfiltration, and ultimately executing the ransomware binary itself. The group also abuses AnyDesk, ScreenConnect, Atera, PDQ Deploy, Splashtop, TeamViewer, NinjaOne, and MeshAgent in similar roles.

Microsoft Defender Experts documented the escalation pathway in detail through their analysis of 2024–2025 intrusions. In a higher education intrusion, ScreenConnect was exploited for initial access, Impacket and PDQ Deploy were used for lateral movement, Windows Defender was tampered with via registry changes, and Medusa ransomware was deployed on Day 31 of the intrusion. The month-long dwell time underscores how effectively RMM-based persistence can sustain access while an attacker maps and prepares the environment.

Field Effect's February 2025 analysis of a SimpleHelp-based intrusion traced a similarly methodical chain. After exploiting CVE-2024-57727 (path traversal) on a vulnerable SimpleHelp instance, the attacker created an administrator account named sqladmin, deployed the open-source Sliver C2 framework for lateral movement to the domain controller, and then established a Cloudflare tunnel to route traffic through Cloudflare's infrastructure — effectively hiding the C2 channel behind a trusted CDN. Field Effect noted that the tactics overlapped with those previously observed in Akira ransomware attacks, though definitive attribution was not confirmed. The attack was stopped at the tunnel establishment stage; had it continued, additional payloads including ransomware would likely have followed.

AI-Assisted Attacks and the GitHub Infrastructure Problem

Two developments from the December 2025–January 2026 Huntress research period signal where this threat is heading. The first is the involvement of large language models in generating the malicious scripts that RMM tools execute. Huntress identified infostealer scripts delivered via rogue RMM MSI installers whose coding style, comment structure, and syntax patterns were consistent with LLM-generated code. While these scripts successfully parsed browser history for cryptocurrency and financial platform credentials, they often failed to properly implement data exfiltration API calls, leaving harvested data stranded on the local system. The implication is that lower-skilled threat actors are now capable of producing functional infostealing code without deep technical expertise — but with enough rough edges to leave forensic traces when examined closely.

The second development involves attackers registering on the Huntress platform itself to test their tools. During the December 2025 research period, Huntress observed threat actors creating accounts on their own defensive platform, using the access to probe detection thresholds and understand how rogue RMM behavior is characterized. The actors operated from virtual private servers and used browser extensions including email extractors and proxy routers to harvest credentials and maintain operational security, then used purchased credential combo lists to systematically access victim email accounts and linked banking portals. It is a rare instance of researchers gaining direct, first-person visibility into the operational workflow of a threat actor campaign.

On the infrastructure side, Barracuda Networks' December 2025 SOC Threat Radar flagged a separate concern: CVE-2025-3935, a ConnectWise ScreenConnect vulnerability disclosed in April 2025 that allows arbitrary code execution on a server. ConnectWise released a patch the same month, but Barracuda's director of SOC defensive security Eric Russo confirmed that many organizations were still running unpatched versions well into late 2025, with multiple threat groups observed actively exploiting the flaw. Common top-level domains appearing in ScreenConnect C2 traffic — .ru, .icu, and .xyz — have emerged as high-confidence indicators of compromise when observed in RMM outbound connections.
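As an added example (not code from Huntress, Barracuda or the article's other sources), the following Python turns the defanged IOC list above and the TLD heuristic into a check over a connection log. The log format (timestamp,image,dest_host,dest_port), the image-name hints and every log line are constructed assumptions standing in for Sysmon Event ID 3 or EDR network telemetry. The TLD rule is deliberately scoped to RMM processes, since a .ru destination from svchost.exe is not by itself a signal; the IOC rule fires for any process, because a browser fetching the lure page is worth knowing about too.

```python
"""Match RMM outbound connections against defanged IOCs and high-risk TLDs.

Added example, not code from the article's sources. IOC_TEXT repeats the
page's list; the log format (timestamp,image,dest_host,dest_port), the
image-name hints and every log line are constructed assumptions standing in
for Sysmon Event ID 3 or EDR network telemetry.
"""
import csv
import io

# Defanged indicators as published above; '#' starts a comment.
IOC_TEXT = """
ssaaccount-helper[.]icu        # Social Security impersonation
elegantparty[.]de              # Party invitation
go-envitelabel[.]com           # E-invite
support[.]innerschapel[.]com   # ScreenConnect C2 domain
arc.dramaticdream[.]com        # Fake IRS site
"""

# TLDs Barracuda reported as high-confidence indicators in RMM outbound traffic.
RISKY_TLDS = {"ru", "icu", "xyz"}

# Image-name fragments that mark an RMM process (assumed; extend for your estate).
RMM_IMAGE_HINTS = ("screenconnect", "simplehelp", "remote access.exe", "anydesk",
                   "gotoresolve", "pdq-connect", "ateraagent", "teamviewer", "itsmagent")


def refang(indicator):
    """Turn a defanged domain ('a[.]b') back into a matchable one."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def load_iocs(text):
    domains = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if token:
            domains.add(refang(token))
    return domains


def matches_ioc(host, iocs):
    """Exact or subdomain match; returns the indicator that matched, else None."""
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def is_rmm_image(image):
    low = image.lower()
    return any(h in low for h in RMM_IMAGE_HINTS)


def scan_connections(log_text, iocs):
    """Return (timestamp, image, host, reason) for each suspicious row.
    Rule 1 fires for any process talking to a listed IOC (a browser fetching
    the lure counts). Rule 2 fires only for RMM processes, because a .ru or
    .xyz destination from svchost.exe is too common to alert on by itself."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text.strip())):
        host = row["dest_host"].lower().rstrip(".")
        hit = matches_ioc(host, iocs)
        if hit:
            findings.append((row["timestamp"], row["image"], host, f"known IOC {hit}"))
            continue
        tld = host.rsplit(".", 1)[-1]  # naive split; no public-suffix list (assumption)
        if tld in RISKY_TLDS and is_rmm_image(row["image"]):
            findings.append((row["timestamp"], row["image"], host,
                             f"RMM process to .{tld} domain"))
    return findings


# Constructed log: an actor-configured ScreenConnect client, a vendor relay,
# a ScreenConnect client on a .xyz domain, a browser hitting a lure, and noise.
SAMPLE_LOG = r"""timestamp,image,dest_host,dest_port
2025-12-02T14:03:11Z,C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe,support.innerschapel.com,443
2025-12-02T14:03:40Z,C:\Program Files\AnyDesk\AnyDesk.exe,boot-01.net.anydesk.com,443
2025-12-02T14:05:02Z,C:\Program Files (x86)\ScreenConnect Client (d4e5f6)\ScreenConnect.ClientService.exe,relay-7gh2.xyz,443
2025-12-02T14:06:15Z,C:\Program Files\Mozilla Firefox\firefox.exe,arc.dramaticdream.com,443
2025-12-02T14:07:30Z,C:\Windows\System32\svchost.exe,cdn.example.ru,443
"""

if __name__ == "__main__":
    for ts, image, host, reason in scan_connections(SAMPLE_LOG, load_iocs(IOC_TEXT)):
        print(f"{ts} {image} -> {host}: {reason}")
```

Subdomain matching matters here: an actor-configured ScreenConnect server is typically reached through a hostname under the registered domain, so the check treats anything ending in ".innerschapel.com" as a hit rather than requiring an exact string. The naive TLD split has no public-suffix handling, so a destination under a second-level registry (for example a .com.ru host) would be evaluated on "ru", which in this case is the desired behaviour.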

"RMM-based campaigns are very relevant, and from our experience, we observed an uptick of them throughout 2025. Successfully compromising RMM gives threat actors a tremendous amount of power, while having the added benefit of reducing the risk of being detected compared to the usage of hacking tools." — Eric Russo, Director of SOC Defensive Security, Barracuda Networks (MSSP Alert, December 2025)

Key Takeaways

  1. Audit every RMM instance in your environment: Authorized RMM tools should be inventoried against a known-good list. Any RMM binary not in that list — regardless of its valid vendor signature — warrants immediate investigation. Resources like the LOLRMM project catalog known-abusable RMM tools and can support this process.
  2. Watch for RMM processes spawning other RMM processes: The daisy-chain pattern is detectable at the process tree level. A GoTo Resolve or PDQ process spawning a ScreenConnect or SimpleHelp installer is a high-fidelity signal that should fire an immediate alert regardless of signature validity.
  3. Patch aggressively for RMM CVEs: CVE-2024-1709 (ScreenConnect authentication bypass), CVE-2024-57727 (SimpleHelp path traversal), CVE-2024-57728 (SimpleHelp arbitrary file upload), CVE-2024-57726 (SimpleHelp privilege escalation), and CVE-2025-3935 (ScreenConnect RCE) have all been actively exploited in documented campaigns. These are not theoretical risks.
  4. Apply application controls to block unauthorized RMM execution: Allowlisting or application control policies that require RMM tools to run from within an authorized management plane — rather than from user download directories or temp folders — will intercept the delivery stage before a session can be established.
  5. Treat MSI files arriving from browser downloads with the same scrutiny as executable attachments: The vast majority of RMM lures in current campaigns are MSI files. A user downloading an MSI from an email link or a social media message should be treated as a high-risk event regardless of the filename.
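Takeaways 1 and 4 together amount to an inventory audit, and the following Python is an added example of one, written for this page rather than taken from the article or any vendor. It checks each discovered RMM agent against a known-good list on four points: the product is authorised, the publisher is the expected signer, the binary runs from the management plane's install root rather than a user-writable path, and (for ScreenConnect) the instance id in the client folder name belongs to the organisation, since an actor-configured client installs under the same Program Files root as the legitimate one. The inventory rows, the allowlist, the publisher strings and the install roots are all constructed; the assumption that an inventory exports (product, publisher, path) is also mine.

```python
"""Audit installed RMM agents against a known-good allowlist.

Added example, not from the article or any vendor. The inventory records,
the allowlist, the publisher strings and the install roots are constructed;
the (product, publisher, path) fields are an assumption about what an
installed-software or process inventory exports.
"""
import re
from dataclasses import dataclass


@dataclass
class AgentRecord:
    host: str
    product: str    # normalised product name as reported by inventory
    publisher: str  # Authenticode / Add-Remove-Programs publisher
    path: str       # executable or install location


@dataclass
class AuthorizedRMM:
    publisher: str
    install_roots: tuple       # where the management plane installs it
    instance_ids: tuple = ()   # ScreenConnect: the id in the "ScreenConnect Client (<id>)" folder


# Known-good list for a hypothetical estate: one ScreenConnect instance, one NinjaOne tenant.
ALLOWLIST = {
    "ScreenConnect": AuthorizedRMM("Connectwise, LLC",
                                   ("c:\\program files (x86)\\screenconnect client",),
                                   ("a1b2c3d4e5f6",)),
    "NinjaOne": AuthorizedRMM("NinjaRMM LLC", ("c:\\program files\\ninjarmmagent",)),
}

USER_WRITABLE = ("\\users\\", "\\windows\\temp\\")
SC_INSTANCE = re.compile(r"screenconnect client \(([0-9a-f]+)\)", re.I)


def audit(records):
    """Return (host, product, reason) for each agent that fails a check.
    Checks, in order: product on the allowlist; publisher as expected; running
    from the management plane's install root rather than a user-writable path;
    and for ScreenConnect, an instance id the organisation actually owns."""
    findings = []
    for r in records:
        path = r.path.lower()
        auth = ALLOWLIST.get(r.product)
        if auth is None:
            findings.append((r.host, r.product, "not on allowlist"))
            continue
        if r.publisher != auth.publisher:
            findings.append((r.host, r.product, f"unexpected publisher {r.publisher!r}"))
            continue
        if not path.startswith(auth.install_roots):
            where = ("user-writable location" if any(u in path for u in USER_WRITABLE)
                     else "outside management plane")
            findings.append((r.host, r.product, f"runs from {where}: {r.path}"))
            continue
        m = SC_INSTANCE.search(path)
        if auth.instance_ids and m and m.group(1) not in auth.instance_ids:
            findings.append((r.host, r.product, f"unknown instance id {m.group(1)}"))
    return findings


# Constructed inventory rows.
SAMPLE_INVENTORY = [
    AgentRecord("WS01", "ScreenConnect", "Connectwise, LLC",
                r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe"),
    AgentRecord("WS01", "ScreenConnect", "Connectwise, LLC",
                r"C:\Program Files (x86)\ScreenConnect Client (9f8e7d6c5b4a)\ScreenConnect.ClientService.exe"),
    AgentRecord("WS02", "GoTo Resolve", "GoTo Technologies USA, Inc.",
                r"C:\Users\jdoe\Downloads\Open Revised Contract (2).exe"),
    AgentRecord("WS02", "SimpleHelp", "SimpleHelp Ltd",
                r"C:\Users\jdoe\AppData\Local\Temp\Remote Access.exe"),
    AgentRecord("WS03", "NinjaOne", "NinjaRMM LLC", r"C:\Program Files\NinjaRMMAgent\NinjaRMMAgent.exe"),
    AgentRecord("WS04", "NinjaOne", "NinjaRMM LLC", r"C:\Users\asmith\Downloads\NinjaRMMAgent.exe"),
    AgentRecord("WS05", "ScreenConnect", "Example Reseller Ltd",
                r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe"),
]

if __name__ == "__main__":
    for host, product, reason in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product}: {reason}")
```

The second ScreenConnect row on WS01 is the case a signature-only check misses: a validly signed ConnectWise client in the normal install location, distinguishable from the authorised one only by its instance id. The NinjaOne row on WS04 shows the path check from takeaway 4, where an otherwise legitimate agent binary is running out of a Downloads folder instead of the management plane's install root.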

The threat is structural, not incidental. Attackers are not going to stop using tools that are signed, trusted, and already present in target environments. The RMM abuse problem persists because it exploits the fundamental tension between operational convenience and security control — the same tension that makes IT teams reluctant to lock down remote access tools they depend on every day. Defenders who understand exactly how these chains are constructed, from the phishing lure to the second RMM deployment to the Cloudflare tunnel, are in a meaningfully better position to interrupt them before they reach the final stage.

Sources: Huntress — Daisy-Chaining Rogue RMM Tools (January 2026) · Huntress — A Series of Unfortunate RMM Events (December 2025) · Intel 471 — RMM Software Misuse (2025) · Red Canary / Zscaler — Phishing Lures Dropping RMM Tools (September 2025) · Microsoft Defender Experts — Keys to the Kingdom (July 2025) · Darktrace — Medusa Ransomware RMM Abuse (January 2026) · The Hacker News — SimpleHelp RMM Flaws (February 2025) · MSSP Alert — Barracuda ScreenConnect Analysis (December 2025) · The Register — Ransomware via Bossware (February 2026)
