Remote Mismanagement
Remote Monitoring and Management (RMM) tool abuse has become increasingly prevalent as threat actors continue to swap out traditional payloads for legitimate RMM tools. This is done for several reasons:
- RMM tools are often deployed and utilized within an environment.
- These are legitimate tools. They are signed by real companies and tend not to trigger alerts upon execution.
- Many RMM tools come with silent or unattended installers.
- Most RMM tools allow for full device control or remote command execution.
Because of this, the use of RMM tools in compromises rose 277% year-over-year in 2025, according to Huntress.
One of the questions that’s popped up through various incidents, posts, and reports is the difference between RMM tools and Remote Access Trojans (RATs). They often share similar capabilities, deployment methods, and utilization. Threat actors use both to gain remote access to devices for the purpose of gaining a foothold within the system, executing commands, and exfiltrating data. In some cases, such as TrustConnectAgent, it can be difficult to ascertain the legitimacy of a tool.
RATs vs RMMs
So, what’s the difference? If RATs are sold as RMMs, and RMMs function like RATs, what separates them? The answer is largely intent, control, and deployment.
As Red Canary puts it, “The primary difference between a ’trojan’ and a ’tool’ is whether or not your organization still has control over the software”. Take ScreenConnect for instance. It is a legitimate tool, often used by organizations for monitoring and managing devices. However, in the hands of a threat actor, it is used to gain illegitimate access to devices.
In a typical deployment, a workstation or endpoint team may deploy RMM tools via GPO, Intune, or another method. This is an organizationally controlled deployment. The organization retains control of the installation, the users, and the devices it deploys to. In a threat actor’s hands, deployment looks quite different.
Often, but not always, threat actor deployment of RMM tools starts with phishing. Take this ScreenConnect deployment, SSA AI Phishing, for example. In this incident, a threat actor created a phishing lure and page mimicking the Social Security Administration.
The “statement” downloaded by unsuspecting users was in fact a ScreenConnect installer.
The other major deployment method is, of course, ClickFix. ClickFix has been thoroughly discussed on this blog before, and I recommend reading through ClickFix - An Overview and Click, Paste, Compromise for more information on that type of deployment and abuse.
RMM Abuse
LOLRMM is a great resource for tracking RMM abuse. It’s a project that compiles 314 different RMM tools (as of writing). LOLRMM shares basic detection logic, lists of domains and installer names, and for certain confirmed abused tools, specific detection information.
Ransomware
A significant number of threat actors have migrated to RMM abuse as an initial access vector. Specifically, many ransomware operators have begun using RMM tools to stage their operations. Huntress’s “2026 Cyber Threat Report” includes a section detailing the use of RMM abuse in ransomware operations, along with a graph of Time to Ransomware (TTR) activity based on RMM execution.
Specifically, Huntress found that certain RMM tools were abused by ransomware operators with different levels of urgency. For example, RustDesk and Atera had high-velocity conversions from RMM execution to ransom.
Regardless of the speed of exploitation post-RMM execution, the trend is clear: RMM tool abuse is spiking amongst ransomware actors.
Other vendors have also noticed this trend. Zensec observed the Medusa and DragonForce ransomware groups compromising and abusing SimpleHelp RMM platforms in early 2025. In these incidents, a vulnerability in the SimpleHelp platform allowed ransomware actors to gain control of the platform and then use the RMM tool to gain access to downstream environments. Huntress observed similar events from LockBit exploiting Bomgar platforms to access downstream customers as well, with LockBit additionally deploying AnyDesk on devices they accessed. Trend Micro has also released a report detailing Qilin’s use of AnyDesk, ScreenConnect, and Splashtop.
General Compromise
ReliaQuest also observed an increase in RMM tool abuse across all incidents between 12/2025 and 02/2026, noting specifically that the increase in BeyondTrust (formerly Bomgar) abuse was related to CVE-2026-1731, a pre-auth RCE widely exploited in the wild.
From my own standpoint, phishing lures attempting to deploy RMM tools have steadily increased. Styled as invitations, in the vein of “Invite Phishing”, “You’re Invited”, and “Fake Party”, these lures claim that the victim has been sent an invite to a meeting, party, or some other event. The goal of these lures is to trick victims into downloading RMM installers.
These campaigns rotate through RMM tools, with LogMeIn Resolve, ScreenConnect, Atera, and PDQConnect being observed as payloads in my own and others’ environments.
APT Abuse
Ransomware operators and opportunistic phishers aside, Advanced Persistent Threat (APT) groups have also increasingly used RMM tools to gain access to organizational environments.
2024
ESET observed Sandworm abusing Atera Agent in late 2024, using the tool in the early stages of the compromise of several energy companies in Ukraine, leading to the deployment of ZEROLOT, a wiper malware. Similarly, they also observed MuddyWater deploying RMM tools from Atera, Level, PDQ, SimpleHelp, Syncro, and Tactical via spear phishing.
Proofpoint also observed MuddyWater (TA450) deploying RMM software via ClickFix in November 2024.
2025
Microsoft Threat Intelligence observed the North Korean state actor Emerald Sleet (Kimsuky/Velvet Chollima) using ClickFix-adjacent lures to deploy a browser-based remote desktop tool in February 2025.
Microsoft Threat Intelligence released another report on RMM abuse, this time by Seashell Blizzard, a Russia-aligned actor. The group used the Atera and Splashtop RMM tools for persistence and command-and-control activities.
Microsoft Threat Intelligence also released a report on Jasper Sleet (formerly Storm-0287), a North Korean activity cluster associated with the “IT remote worker” activity. This cluster was observed installing RMM software on facilitator devices and using it to connect to them. Microsoft identified JumpConnect, TinyPilot, RustDesk, TeamViewer, AnyViewer, and AnyDesk software used in connection with this activity.
Group-IB released a report on MuddyWater activity in October, detailing MuddyWater’s use of the PDQ and Action1 RMM tools. The RMM tools were identified on actor-controlled command and control servers.
eSentire discovered an ongoing, long-term espionage campaign targeting residents of India in December 2025. This activity culminated in the deployment of SyncFuture TSM, a security management platform with RMM capabilities. The APT behind this campaign is unknown, but the activity is consistent with APT operations.
2026
In March 2026, eSentire reviewed an open directory associated with MuddyWater and found evidence of continued abuse of RMM tools by the group. Specifically, they found MuddyWater leveraging AnyDesk for persistent remote access.
Unit 42 released a report identifying the exploitation of Mobile Device Management (MDM) and RMM platforms as a primary attack vector for MOIS and IRGC APT groups in 2026, specifically through the compromise of high-profile accounts with access to these platforms.
Sekoia also found abuse of SyncFuture TSM by the China-aligned APT group Silver Fox. The group deployed the RMM between December 2025 and February 2026, primarily targeting Taiwan during the national tax audit window. However, the group also targeted other entities in more opportunistic campaigns.
Future campaigns
APT groups, particularly nation state actors, have increased their usage of RMM tools in the past year. This trend is likely to continue escalating as more groups adopt RMM-based tactics. While the above list is not comprehensive, it does demonstrate the increasing utilization and abuse of RMM tools and platforms by APT groups.
The evolution of these tactics, the continued adoption of new RMM tools such as SyncFuture TSM, and the high success rates of phishing, ClickFix, and other socially engineered deployments of these RMM tools all but ensure that RMM abuse is here to stay.
Detecting RMM Abuse
Detecting RMM abuse is difficult. Depending on the organization, varying RMM tools may be legitimately deployed. This causes detection to be more complex than a simple block list. Detecting malicious ScreenConnect instances when ScreenConnect is legitimately deployed in the environment is incredibly difficult. Some organizations may use multiple RMM tools across different teams, agencies, or purposes, adding to the detection complexity.
The solution then is to detect deployment rather than execution. A legitimate deployment of PDQ is not going to start with a copy/pasted command. AnyDesk isn’t going to come delivered from a random domain name after a Teams installer.
Of course, many tools can simply be blocked. If an organization doesn’t use RustDesk, it can simply block it. This can be done in multiple ways. I’m personally a fan of creating EDR rules for detecting and blocking applications of a certain type. These detection methods are rudimentary, but often easy to implement.
LOLRMM has prebuilt lists of RMM tools, including domains. They also have a series of detection queries for different security platforms, like Defender and Splunk. These queries can be a great starting point for developing in-house detection processes.
// Taken from lolrmm.io
// Detecting Unauthorized RMM Instances in Your MDE Environment
let ApprovedRMM = dynamic(["nomachine.com", "ivanti.com", "getgo.com"]); // Your approved RMM domains
// Pull the current LOLRMM domain list (columns: URI, RMMTool)
let RMMList = externaldata(URI: string, RMMTool: string)
[h'https://raw.githubusercontent.com/magicsword-io/LOLRMM/main/website/public/api/rmm_domains.csv'];
// Normalise wildcard entries ("*.example.com", "*example.com", "relay.*.example.com") to a plain domain suffix
let RMMUrl = RMMList
| project URIClean = case(
    URI startswith "*.", replace_string(URI, "*.", ""),
    URI startswith "*", replace_string(URI, "*", ""),
    URI !startswith "*" and URI contains "*", replace_regex(URI, @"^.*\*", ""),
    URI
);
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where ActionType == @"ConnectionSuccess"
| where RemoteUrl has_any((RMMUrl | project URIClean)) // connection to any known RMM domain...
| where not (RemoteUrl has_any(ApprovedRMM))           // ...that is not one the organisation sanctions
| summarize arg_max(Timestamp, *) by DeviceId          // latest hit per device
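As an added example (my own code, not from the post or from LOLRMM), the same wildcard normalisation and allow-list logic in Python, extended with the “detect deployment rather than execution” idea from above: an RMM installer run silently under a parent that is not a deployment agent is reported, one launched by the management agent is not. The CSV rows, event records, the deployment-agent image names and the silent-install flags are constructed assumptions, and the process events are assumed to be pre-filtered to RMM installer names.

```python
import csv, io, re
# Constructed rows in the shape of LOLRMM's rmm_domains.csv (URI,RMMTool); not copied from the project.
RMM_DOMAINS_CSV = """URI,RMMTool
*.anydesk.com,AnyDesk
*screenconnect.com,ScreenConnect
relay.*.rustdesk.com,RustDesk
nomachine.com,NoMachine
"""
APPROVED_RMM = {"nomachine.com"}  # RMM domains this hypothetical organisation sanctions
# Parent images a managed deployment is expected to come from (assumed: Intune, GPO startup scripts, ConfigMgr)
DEPLOYMENT_PARENTS = {"intunemanagementextension.exe", "gpscript.exe", "ccmexec.exe"}
SILENT_FLAGS = re.compile(r"\s(/s|/silent|/verysilent|/quiet|/qn|--silent|--install)(\s|$)", re.I)

def clean_uri(uri):
    """Same normalisation as the lolrmm.io KQL: drop a leading '*.' or '*', or everything up to an embedded '*'."""
    if uri.startswith("*."):
        return uri[2:]
    if uri.startswith("*"):
        return uri[1:]
    return re.sub(r"^.*\*", "", uri)  # 'relay.*.rustdesk.com' -> '.rustdesk.com'; no '*' leaves uri unchanged

def load_rmm_domains(csv_text):
    """Map cleaned, lower-cased domain suffix -> tool name, e.g. {'anydesk.com': 'AnyDesk', ...}."""
    return {clean_uri(r["URI"]).lstrip(".").lower(): r["RMMTool"] for r in csv.DictReader(io.StringIO(csv_text))}

def rmm_tool_for(host, domains):
    """Tool name if host is, or is a subdomain of, a listed RMM domain (the query's has_any step), else None."""
    host = host.lower()
    return next((tool for d, tool in domains.items() if host == d or host.endswith("." + d)), None)

def unapproved_rmm_connections(events, domains):
    """(DeviceId, tool, RemoteUrl) for connections to RMM infrastructure the organisation has not approved."""
    approved = {a: a for a in APPROVED_RMM}
    return [(e["DeviceId"], rmm_tool_for(e["RemoteUrl"], domains), e["RemoteUrl"]) for e in events
            if rmm_tool_for(e["RemoteUrl"], domains) and not rmm_tool_for(e["RemoteUrl"], approved)]

def suspicious_installer_launches(events):
    """Silent RMM installs whose parent is not a deployment agent: the 'detect deployment, not execution' signal."""
    return [(e["DeviceId"], e["FileName"], e["ParentFileName"]) for e in events
            if e["ParentFileName"].lower() not in DEPLOYMENT_PARENTS and SILENT_FLAGS.search(e["CommandLine"])]

# Constructed DeviceNetworkEvents / DeviceProcessEvents-style records for a dry run.
NETWORK_EVENTS = [{"DeviceId": "ws-01", "RemoteUrl": "relay-eu1.anydesk.com"},
                  {"DeviceId": "ws-02", "RemoteUrl": "nomachine.com"},          # approved: not reported
                  {"DeviceId": "ws-03", "RemoteUrl": "rs-ny.rustdesk.com"}]
PROCESS_EVENTS = [{"DeviceId": "ws-01", "FileName": "AnyDesk.exe", "ParentFileName": "powershell.exe",
                   "CommandLine": "AnyDesk.exe --install --silent"},            # pasted-command style delivery
                  {"DeviceId": "ws-05", "FileName": "rmm_setup.exe", "ParentFileName": "IntuneManagementExtension.exe",
                   "CommandLine": "rmm_setup.exe /quiet"}]                      # managed deployment: expected
```

Running `unapproved_rmm_connections(NETWORK_EVENTS, load_rmm_domains(RMM_DOMAINS_CSV))` reports ws-01 (AnyDesk) and ws-03 (RustDesk) but not the approved NoMachine connection; `suspicious_installer_launches(PROCESS_EVENTS)` reports only the PowerShell-spawned silent AnyDesk install.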
Remediation
Remediation for confirmed compromises can go multiple ways. The most important thing when identifying a potential RMM-related incident is to immediately quarantine the affected device, to prevent any further threat actor access. Following that, standard remediation and response policies can be followed. This includes confirming the initial activity, the actions taken by the actor, and any potential exfiltration of data. Often, the easiest solution is to quarantine, analyze, and re-image.
Prevention
Prevention is difficult. Tying into detections, you cannot prevent what you cannot detect. Prevention starts with robust detection methodology. Largely, this is phishing and ClickFix defenses, user training, and accepting that not all incidents can be prevented. Ensuring that systems and accounts follow least privilege and other standards is often the best that defenders can do. Compromise will happen. The best play is to prepare for it, have playbooks ready to go, and to establish policy and procedures for the inevitable.
Final Notes
RMM abuse is clearly here to stay. Legitimate tools are abused by APT actors, ransomware gangs, opportunistic actors, and everyone in between. Social engineering campaigns utilizing these tools see high success rates, and detection methodology for RMM abuse is lacking. Returning to that 277% year-over-year number, it is likely that 2026 will see even higher levels of RMM abuse. Threat actors can offload command and control development to legitimate vendor infrastructure, using vendor tools to bypass security policies. With the recent RMM platform vulnerabilities, threat actors not only gain access to a single device or organization, but also gain footholds into all downstream organizations. Discussing RMM abuse and finding solutions to the ever-evolving problem of legitimate tool abuse will be critical as campaigns and abuse continue to evolve.
I highly recommend reading through the linked reports and sources in this post. There’s a lot of great information I abbreviated or didn’t cover for the sake of conciseness. Thanks to all the linked vendors for doing great work.
Also, read my posts on RMM abuse too!
And keep an eye out for my talk, Remote Mismanagement: A Guide to RMM Abuse! In the words of the great Yoshi-P, please look forward to it.