Threat Intel - Remote Management Software Abuse Explained
Basically, attackers are using legitimate remote management tools to get into systems and stay hidden.
Cybercriminals are increasingly exploiting remote management tools for initial access and persistence. This trend poses serious risks to organizations, complicating detection and response efforts. Vigilance and proactive measures are essential to combat this growing threat.
The Threat
The abuse of remote monitoring and management (RMM) tools has surged dramatically, becoming a common tactic among threat actors. In 2025, RMM abuse accounted for 24% of all cyber incidents, reflecting a 277% increase from previous years. This alarming trend indicates that attackers are moving away from traditional hacking methods, opting instead to leverage legitimate software for malicious purposes. This blog explores how these actors daisy-chain RMM tools to enhance their operations, making it harder for organizations to detect and respond to their activities.
Who's Behind It
Threat actors abusing RMM tools range from low-skilled individuals to well-established groups. These actors often utilize rogue MSI installers to gain initial access to target systems. For instance, some have been observed using large language model (LLM) generated scripts to identify valuable user accounts by parsing browser histories for references to financial platforms like QuickBooks and Coinbase. While the intent is clear, the execution often lacks sophistication, revealing a mix of skill levels among these attackers.
Tactics & Techniques
One common tactic involves daisy-chaining RMM tools, where attackers use multiple software solutions to fragment telemetry and complicate attribution. For example, they might deploy ScreenConnect via legitimate deployment tools like Action1, creating persistent access points. This method not only helps in maintaining control over compromised systems but also aids in evading detection by security measures. Attackers have even been seen leveraging GitHub repositories to host phishing infrastructure, showcasing a deliberate approach to their operations.
Defensive Measures
Organizations must be vigilant in their defense against these evolving tactics. Regularly updating and patching software can close the vulnerabilities attackers exploit to get RMM tools onto systems in the first place. Additionally, implementing strict access controls and monitoring for unusual activity, including remote management software that is not part of the organization's sanctioned toolset, can help detect abuse early. Training employees to recognize phishing attempts and suspicious downloads is also crucial. As threat actors continue to refine their methods, staying informed and prepared is essential for maintaining cybersecurity resilience.
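As an added illustration of how the RMM daisy-chaining described under Tactics & Techniques could be surfaced by the monitoring recommended under Defensive Measures, the following Python detector runs over a handful of constructed process-creation events. It is example code written for this summary, not code from the Huntress write-up: the product keyword list, the agent file paths, the field names, and the sample events are assumptions rather than observed indicators, and the keyword list and approved set should be tuned to the RMM software your organization actually sanctions.

```python
"""Flag RMM daisy-chaining and unapproved RMM agents in process telemetry.

Added example, not from the Huntress write-up. Three checks run over
process-creation events (fields modelled on Sysmon event ID 1 are an
assumption): one RMM agent launching a different RMM product's installer,
an RMM agent spawning msiexec at all, and hosts running more than one
RMM product. Keywords and paths below are illustrative assumptions.
"""
from collections import defaultdict

# Substrings that identify an RMM product in an image path or command line.
# Illustrative assumption: tune to the products present in your estate.
RMM_KEYWORDS = {
    "screenconnect": "ScreenConnect",
    "action1": "Action1",
    "anydesk": "AnyDesk",
}

# Installer hosts commonly used to front an MSI-based deployment.
INSTALLER_IMAGES = {"msiexec.exe"}


def rmm_product(text):
    """Return the RMM product name referenced in text, or None."""
    lowered = text.lower()
    for keyword, name in RMM_KEYWORDS.items():
        if keyword in lowered:
            return name
    return None


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_events(events, approved=frozenset()):
    """Return a list of finding dicts for an iterable of event dicts.

    Each event has keys ts, host, parent_image, image, cmdline. `approved`
    is the set of RMM products the organisation sanctions; when empty, the
    unapproved-RMM check is skipped.
    """
    findings = []
    products_by_host = defaultdict(set)
    reported_unapproved = set()  # (host, product) pairs already raised

    for ev in events:
        host = ev["host"]
        parent_rmm = rmm_product(ev["parent_image"])
        # The child may be the agent itself or an installer whose command
        # line names the package being deployed.
        child_rmm = rmm_product(ev["image"]) or rmm_product(ev["cmdline"])

        if parent_rmm and child_rmm and parent_rmm != child_rmm:
            findings.append({"rule": "rmm_daisy_chain", "host": host, "ts": ev["ts"],
                             "detail": f"{parent_rmm} launched {child_rmm}"})
        elif parent_rmm and basename(ev["image"]) in INSTALLER_IMAGES:
            findings.append({"rule": "rmm_spawned_installer", "host": host,
                             "ts": ev["ts"], "detail": f"{parent_rmm} ran msiexec"})

        if child_rmm:
            products_by_host[host].add(child_rmm)
            if approved and child_rmm not in approved \
                    and (host, child_rmm) not in reported_unapproved:
                reported_unapproved.add((host, child_rmm))
                findings.append({"rule": "unapproved_rmm", "host": host,
                                 "ts": ev["ts"], "detail": child_rmm})

    # Fragmented telemetry is the attacker's goal, so also look at each host
    # as a whole: more than one RMM product on a box deserves a look.
    for host, products in sorted(products_by_host.items()):
        if len(products) > 1:
            findings.append({"rule": "multiple_rmm_on_host", "host": host,
                             "ts": None, "detail": ", ".join(sorted(products))})
    return findings


# Constructed sample events; paths and hostnames are made up for this example.
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T09:00:00Z", "host": "WS01",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Action1\agent.exe", "cmdline": "agent.exe"},
    {"ts": "2025-01-01T09:05:00Z", "host": "WS01",
     "parent_image": r"C:\Program Files\Action1\agent.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Windows\Temp\ScreenConnect.ClientSetup.msi /qn"},
    {"ts": "2025-01-01T09:06:00Z", "host": "WS01",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
    {"ts": "2025-01-01T09:00:00Z", "host": "WS02",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Action1\agent.exe", "cmdline": "agent.exe"},
    {"ts": "2025-01-01T09:10:00Z", "host": "WS02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def run_sample():
    """Analyse the constructed events with Action1 as the only approved RMM."""
    return analyze_events(SAMPLE_EVENTS, approved={"Action1"})


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["rule"], finding["host"], finding["detail"])
```

On the sample data the detector raises three findings, all on WS01: the daisy chain (Action1 launching the ScreenConnect installer), the unapproved ScreenConnect product, and the host carrying two RMM products. WS02, which runs only the sanctioned agent, is silent. The per-host check matters because the individual install events may arrive from different sensors or be spread over time, which is exactly the telemetry fragmentation the tactic relies on.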
Huntress Blog