Hackers increasingly abusing RMM software for nefarious purposes

Threat actors are increasingly misusing legitimate remote monitoring and management (RMM) software to conduct phishing scams and other malicious activity, according to a joint security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC).

According to the advisory, at least two federal agencies in the United States fell victim to a “widespread cyber campaign” in which threat actors used phishing emails that led to the download of legitimate RMM software, namely ScreenConnect (now ConnectWise Control) and AnyDesk, which was then used in a refund scam and the subsequent theft of money from victim bank accounts.

CISA notes that this financially motivated phishing campaign is related to malicious typosquatting activity reported by Silent Push in October 2022.

While the observed attacks, which took place in mid-June and mid-September 2022, appear to be financially motivated, threat actors could weaponize the unauthorized access for other nefarious purposes, including selling that access to other hackers.

“Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cyber criminal or advanced persistent threat (APT) actors,” the security agencies said. “This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2).”

