Four Phishing Lures in Campaigns Dropping RMM Tools
Summary:
Red Canary and Zscaler researchers observed multiple campaigns abusing legitimate Remote Monitoring and Management (RMM) tools, including ITarian, PDQ Connect, SimpleHelp, and Atera, for covert remote access. These tools are normally used by IT administrators, so adversaries who deploy them blend into routine operations while establishing persistent access. Common phishing lures included fake browser updates, meeting invites, party invitations, and fraudulent government forms. In some cases, adversaries deployed two RMM tools in rapid succession for redundancy. The fake browser update campaigns relied on JavaScript injected into compromised sites that rendered an overlay iframe, filtered victims by device type, and exfiltrated data to C2 domains whose panels resembled WP-Panel dashboards, with indications of possible Russian infrastructure. ITarian payloads were observed sideloading malicious DLLs, dropping HijackLoader and the DeerStealer infostealer, and establishing persistence.
Meeting and party lures impersonated Teams, Zoom, or e-invite apps and dropped Atera, PDQ Connect, and ScreenConnect installers, often hosted on trusted platforms such as Cloudflare R2. Government form lures mimicked IRS and Social Security documents and frequently delivered PDQ Connect and ScreenConnect payloads. Several cases used installers signed with revoked certificates and named to masquerade as legitimate software in order to avoid suspicion. Overall, these campaigns demonstrate adversaries' reliance on living-off-the-land tactics, combining trusted tools, cloud services, and social engineering to enable ransomware and credential theft.
Security Officer Comments:
These campaigns highlight a growing adversary reliance on dual RMM deployments, where two tools are installed in quick succession so that access survives even if one foothold is discovered and removed. The abuse of trusted platforms such as Cloudflare R2 for hosting payloads, Telegram for exfiltration, and signed binaries for sideloading underscores the ongoing trend of living off trusted sites and software to bypass reputation-based detection. The delivery of HijackLoader and the DeerStealer infostealer as part of these operations strongly suggests that RMM-based compromises often act as staging grounds for ransomware and broader intrusion campaigns.
Suggested Corrections:
Red Canary and Zscaler researchers recommend the following mitigations:
Enhance endpoint visibility
- Deploy detection and response sensors across systems
Monitor RMM tools
- Maintain an approved tools list and monitor or deny unauthorized RMM tools
- Legitimate tools can be exploited—know what’s in your environment
Enhance network visibility
- Consider implementing additional preventive or monitoring controls for trusted services like Cloudflare R2 object storage domains. This includes measures like enforcing browser isolation when these domains deliver files with suspicious extensions (e.g., MSI, EXE, PS1). For more information about Cloudflare abuse and detection opportunities, please consult the Zscaler Threat Hunting report.
- Monitor for suspicious newly registered domains, especially those with cheap TLDs
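The following script is an added example, not code from Red Canary or Zscaler, that turns three of the points above into checks a SOC could run over endpoint telemetry: the approved-RMM-tools list, the dual-RMM pattern described in the Security Officer Comments, and executable downloads from Cloudflare R2 hosts. The event shape (type, host, ts, image, url), the image-name-to-product map, the approved set, the 30-minute window and the sample events are all assumptions constructed for illustration; replace them with your own inventory and EDR fields.

```python
"""Triage of process-creation and download telemetry for RMM abuse.

Added example; not code from Red Canary or Zscaler. The event fields used
below are a generic, constructed shape (assumption), not a specific EDR schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Defender-maintained map: lower-cased image file name -> RMM product.
# Entries are illustrative placeholders (assumption); populate from your own
# software inventory rather than trusting this list as vetted.
RMM_IMAGES = {
    "ateraagent.exe": "Atera",
    "pdq-connect-agent.exe": "PDQ Connect",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "itsmservice.exe": "ITarian",
    "remote access.exe": "SimpleHelp",
}
APPROVED_RMM = {"PDQ Connect"}            # the one sanctioned product (assumption)
DUAL_RMM_WINDOW = timedelta(minutes=30)   # "rapid succession" threshold (assumption)

# Public Cloudflare R2 host suffixes; extend with other trusted hosts you see abused.
TRUSTED_STORAGE_SUFFIXES = (".r2.dev", ".r2.cloudflarestorage.com")
SUSPICIOUS_EXTENSIONS = (".msi", ".exe", ".ps1")


def rmm_product(image_path):
    """Return the RMM product for an image path, or None if it is not a known agent."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return RMM_IMAGES.get(name)


def unapproved_rmm(events):
    """Process starts of RMM agents that are not on the approved list."""
    hits = []
    for ev in events:
        if ev["type"] != "process":
            continue
        product = rmm_product(ev["image"])
        if product and product not in APPROVED_RMM:
            hits.append((ev["host"], product, ev["image"]))
    return hits


def dual_rmm(events, window=DUAL_RMM_WINDOW):
    """Hosts where two different RMM products start within `window` of each other.

    Approved products count too: an attacker's second agent beside the
    sanctioned one is exactly the redundancy pattern described above.
    """
    by_host = defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            product = rmm_product(ev["image"])
            if product:
                by_host[ev["host"]].append((ev["ts"], product))
    findings = set()
    for host, starts in by_host.items():
        starts.sort()                      # chronological, so we can stop early
        for i, (t_a, prod_a) in enumerate(starts):
            for t_b, prod_b in starts[i + 1:]:
                if t_b - t_a > window:
                    break
                if prod_a != prod_b:
                    findings.add((host, tuple(sorted((prod_a, prod_b)))))
    return sorted(findings)


def payloads_from_trusted_storage(events):
    """Downloads of executable content from trusted object storage such as Cloudflare R2."""
    hits = []
    for ev in events:
        if ev["type"] != "download":
            continue
        url = urlparse(ev["url"])
        host = (url.hostname or "").lower()
        if host.endswith(TRUSTED_STORAGE_SUFFIXES) and url.path.lower().endswith(SUSPICIOUS_EXTENSIONS):
            hits.append((ev["host"], ev["url"]))
    return hits


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry (assumption; not real campaign data).
SAMPLE_EVENTS = [
    {"type": "download", "host": "WS-017", "ts": _t("2025-09-10T09:02:11"),
     "url": "https://pub-0123456789abcdef.r2.dev/ChromeUpdate.msi"},
    {"type": "process", "host": "WS-017", "ts": _t("2025-09-10T09:03:40"),
     "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    {"type": "process", "host": "WS-017", "ts": _t("2025-09-10T09:12:05"),
     "image": r"C:\Program Files (x86)\ScreenConnect Client (deadbeef)\ScreenConnect.ClientService.exe"},
    {"type": "process", "host": "WS-042", "ts": _t("2025-09-10T11:00:00"),
     "image": r"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe"},
    {"type": "download", "host": "WS-042", "ts": _t("2025-09-10T11:01:00"),
     "url": "https://intranet.example.internal/docs/policy.pdf"},
]

if __name__ == "__main__":
    for label, check in (("unapproved RMM", unapproved_rmm),
                         ("dual RMM", dual_rmm),
                         ("payload from trusted storage", payloads_from_trusted_storage)):
        for hit in check(SAMPLE_EVENTS):
            print(f"[{label}] {hit}")
```

On the sample data, WS-017 triggers all three checks (an R2-hosted MSI, an unapproved Atera agent, and ScreenConnect starting nine minutes later), while WS-042 running only the sanctioned PDQ Connect agent produces no findings. The dual-RMM check deliberately pairs approved and unapproved products, because the redundancy pattern is what matters, not which of the two agents the attacker happened to choose.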
https://redcanary.com/blog/threat-intelligence/phishing-rmm-tools/