Hackers Exploit RMM Tools for Persistent Access and Evasion

Cybercriminals are increasingly exploiting legitimate Remote Monitoring and Management (RMM) tools to gain unauthorized access to systems, maintain persistence, and evade detection. These tools, designed for IT administrators to manage and monitor networks remotely, are being repurposed by attackers to infiltrate networks and move laterally within them.

Commonly abused RMM applications include AnyDesk, TeamViewer, ScreenConnect, Quick Assist, and Splashtop. Because these tools are widely deployed for legitimate administration, malicious use of them is particularly hard to distinguish from normal activity.

Methods of Exploitation

Attackers often gain initial access to RMM software by compromising user credentials through social engineering tactics or by exploiting vulnerabilities in outdated software. In some instances, they create additional accounts within the RMM platform to maintain access even if the original credentials are reset.

A notable tactic involves impersonating IT support personnel. For example, attackers may flood an employee’s inbox with spam and then call the victim, posing as internal IT support. They offer to install “antispam software,” persuading the employee to install remote access software like AnyDesk, thereby granting the attackers direct system access.

Case Studies

The Black Basta ransomware group, which emerged in April 2022, has been particularly adept at leveraging RMM tools. Leaked chat messages from February 2025 reveal that this Russian-speaking cybercrime group regularly uses RMM tools as a key component of their attack chain.

Similarly, the Iranian state-sponsored threat actor MuddyWater has been observed exploiting the Atera Agent, a legitimate RMM tool, to conduct sophisticated malware delivery campaigns. This tactic has been part of their modus operandi since at least 2021.

Implications and Recommendations

The abuse of legitimate RMM tools by threat actors underscores the need for organizations to implement stringent security measures. Regularly updating software, conducting thorough employee training on social engineering tactics, and monitoring RMM platforms for unusual activity (such as installations on hosts where no RMM tool is expected, or newly created accounts) are crucial steps in mitigating these threats.
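The two detection points the article raises, RMM binaries appearing on hosts where they are not sanctioned and extra accounts being created inside the RMM platform, can be expressed as a simple baseline comparison. The following is an added example, not code from the article or from any RMM vendor. The log records, the host-to-approved-tool baseline, and the admin set are constructed for illustration; the executable-name-to-product mapping is an assumption to be checked against the organisation's own software inventory before use.

```python
"""Flag RMM activity that falls outside an approved baseline.

Added example (not from the original article). Inputs are constructed
process-creation and RMM-console audit records in a 'key=value|key=value'
form; the baseline tables below are assumptions standing in for a real
asset inventory and RMM role list.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Executable names associated with the RMM products named in the article.
# Assumed mapping for illustration; confirm against vendor documentation.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "quickassist.exe": "Quick Assist",
    "srserver.exe": "Splashtop",
    "ateraagent.exe": "Atera Agent",
}

# Baseline (constructed): which RMM products are sanctioned on which hosts.
APPROVED_RMM = {
    "HELPDESK-01": {"ScreenConnect"},
    "WS-ACCT-07": set(),   # ordinary workstation: no RMM expected
    "WS-HR-03": set(),
}

# Accounts allowed to create users in the RMM console (constructed).
RMM_ADMINS = {"it.admin"}

# Constructed sample telemetry; raw strings keep the Windows paths intact.
PROCESS_EVENTS = [
    r"host=HELPDESK-01|user=it.admin|image=C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
    r"host=WS-ACCT-07|user=jdoe|image=C:\Users\jdoe\Downloads\AnyDesk.exe",
    r"host=WS-HR-03|user=msmith|image=C:\Windows\System32\notepad.exe",
    r"host=WS-HR-03|user=msmith|image=C:\Program Files\TeamViewer\TeamViewer.exe",
]
AUDIT_EVENTS = [
    "host=rmm-console|actor=it.admin|action=user.create|target=new.tech",
    "host=rmm-console|actor=jdoe|action=user.create|target=svc-backup",
    "host=rmm-console|actor=jdoe|action=session.start|target=WS-ACCT-07",
]


@dataclass(frozen=True)
class Finding:
    host: str
    detail: str


def parse_record(line: str) -> dict:
    """Split a 'k=v|k=v' record into a dict; values may contain '=' after the first."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def rmm_product(image_path: str) -> Optional[str]:
    """Return the RMM product for an image path, or None if it is not an RMM binary."""
    return RMM_BINARIES.get(PureWindowsPath(image_path).name.lower())


def find_unapproved_rmm(process_lines: list) -> list:
    """Flag RMM executables running on hosts where that product is not baselined."""
    findings = []
    for line in process_lines:
        ev = parse_record(line)
        product = rmm_product(ev["image"])
        if product is None:
            continue
        if product not in APPROVED_RMM.get(ev["host"], set()):
            findings.append(Finding(ev["host"], f"{product} launched by {ev['user']}: {ev['image']}"))
    return findings


def find_unexpected_account_creation(audit_lines: list) -> list:
    """Flag RMM-console user creation performed by anyone outside the admin set."""
    findings = []
    for line in audit_lines:
        ev = parse_record(line)
        if ev["action"] == "user.create" and ev["actor"] not in RMM_ADMINS:
            findings.append(Finding(ev["host"], f"RMM account '{ev['target']}' created by {ev['actor']}"))
    return findings


def run() -> list:
    """Run both checks over the constructed samples and return all findings."""
    return find_unapproved_rmm(PROCESS_EVENTS) + find_unexpected_account_creation(AUDIT_EVENTS)


if __name__ == "__main__":
    for f in run():
        print(f"[{f.host}] {f.detail}")
```

Against the constructed samples the first check raises AnyDesk on WS-ACCT-07 and TeamViewer on WS-HR-03 while the sanctioned ScreenConnect service on the help-desk host stays quiet; the second check raises the account created by jdoe and ignores the one created by it.admin. The value of the approach lies in the baseline: the same executables are benign on a help-desk machine and suspicious on an accountant's workstation, which is exactly the distinction signature-only detection misses.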

As cybercriminals continue to evolve their tactics, leveraging trusted tools to bypass traditional security measures, organizations must remain vigilant and proactive in their cybersecurity efforts.