Summary: ASEC identified an ongoing campaign in which threat actors abuse legitimate Remote Monitoring and Management (RMM) tools, including Syncro, ConnectWise ScreenConnect, NinjaOne, and SuperOps, to gain persistent remote access to victim systems, primarily via phishing. The attacks use lure-themed PDF files (e.g., invoices, orders, payments) likely delivered by email, which display deceptive messages or errors that redirect users to fake Adobe or Google Drive–themed pages hosting disguised downloads (e.g., files masquerading as MP4 videos). These downloads install RMM tools signed with a valid certificate, allowing the attackers to evade traditional security detection and remotely control infected systems. Analysis of shared signing certificates, configuration parameters, and infrastructure indicates the same threat actor has been conducting similar activity since at least October 2025, with some samples also acting as downloaders to fetch additional payloads.
Security Officer Comments: RMM tools are commonly employed by threat actors because they are legitimate, trusted administrative applications designed for remote access and system management, allowing attackers to blend malicious activity into normal IT operations. Since RMM software is widely used by enterprises and managed service providers, it is typically allowed through firewalls and less likely to be flagged or blocked by endpoint security solutions, enabling “living-off-the-land” abuse without deploying traditional malware. Ransomware actors in particular have favored RMM tools because they provide stealthy access for lateral movement, credential harvesting, payload deployment, and hands-on-keyboard operations prior to encryption. Overall, the deployment of RMM tools by adversaries complicates incident response, as defenders must distinguish between legitimate administrative activity and attacker-controlled sessions.
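As an added illustration of the triage problem described above (this is example code, not from ASEC's report), the following Python flags process events for RMM products an organisation has not sanctioned, flags the sanctioned product when it is launched from a browser or PDF reader rather than its service, and checks whether a file with a video extension actually begins with a Windows executable header. The product-matching substrings, the launcher heuristic, the signer strings and the sample events are all assumptions constructed for the example.

```python
"""Flag unsanctioned RMM binaries and 'video' files that are really executables."""
import re
from dataclasses import dataclass

# RMM products named in the report, keyed by substrings assumed to appear in the image
# path or signer field (assumed identifiers, not vendor-published signatures).
RMM_SIGNATURES = {
    "Syncro": re.compile(r"syncro", re.I),
    "ConnectWise ScreenConnect": re.compile(r"screenconnect|connectwise", re.I),
    "NinjaOne": re.compile(r"ninjaone|ninjarmm", re.I),
    "SuperOps": re.compile(r"superops", re.I),
}
# Parents that indicate a user ran something they just downloaded (the phishing path).
USER_LAUNCHERS = re.compile(r"chrome|msedge|firefox|acrord32", re.I)
MEDIA_EXTENSIONS = (".mp4", ".mov", ".avi")

@dataclass
class ProcessEvent:
    host: str
    image: str    # full path of the started executable
    signer: str   # Authenticode subject as logged by the EDR
    parent: str   # parent process image

def identify_rmm(event):
    """Return the RMM product an event matches, or None."""
    haystack = f"{event.image} {event.signer}"
    for product, pattern in RMM_SIGNATURES.items():
        if pattern.search(haystack):
            return product
    return None

def find_unsanctioned_rmm(events, sanctioned_product):
    """A valid signature only says the binary is genuine; the question is whether this
    organisation deploys that product, and whether it was started the way the real agent
    starts (a service) rather than by a browser or PDF reader. Heuristic, not proof."""
    flagged = []
    for ev in events:
        product = identify_rmm(ev)
        if product is None:
            continue
        if product != sanctioned_product or USER_LAUNCHERS.search(ev.parent):
            flagged.append((ev.host, product, ev.parent))
    return flagged

def is_masquerading_executable(filename, head):
    """True when a file claims a video extension but starts with the PE 'MZ' magic."""
    return filename.lower().endswith(MEDIA_EXTENSIONS) and head[:2] == b"MZ"

SAMPLE_EVENTS = [  # constructed sample telemetry, not taken from the report
    ProcessEvent("WS-12", r"C:\Users\a\Downloads\invoice.mp4.exe", "SuperOps (sample)",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessEvent("SRV-01", r"C:\Program Files (x86)\ScreenConnect Client\ClientService.exe",
                 "ConnectWise (sample)", r"C:\Windows\System32\services.exe"),
    ProcessEvent("WS-07", r"C:\Users\b\AppData\Local\Temp\Setup.exe", "Contoso (sample)",
                 r"C:\Windows\explorer.exe"),
]
```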
Suggested Corrections: When opening emails from unknown sources, users must be extra cautious. It is important to verify that the sender is trustworthy and not to open suspicious links or attachments. Users should also update their operating system and security products to the latest versions to protect themselves from known threats.
Link(s): https://asec.ahnlab.com/en/91995/