Tuesday, March 17, 2026

Silent Intrusion – Threat Actors Utilize Malicious RMM Tools for Stealthy Initial Access to Organizations

Cybersecurity researchers at WithSecure have identified a sophisticated campaign targeting organizations across Europe, with threat actors leveraging legitimate Remote Monitoring and Management (RMM) tools to bypass traditional security defenses.

Since November 2024, the security firm has tracked a notable increase in targeted activities primarily affecting organizations in France and Luxembourg, representing a concerning evolution in social engineering tactics.

PDF-Based Attack Vector Exploits Trust in Legitimate Tools

The attack methodology centers around carefully crafted PDF documents containing embedded direct download links to RMM installers.

These malicious PDFs are distributed through social engineering emails that impersonate legitimate business communications, including invoices, contracts, and property listings tailored to the victim’s industry sector.

“The threat actors either spoof email addresses or register lookalike domains, often impersonating real employees in significant roles from the spoofed organization,” the WithSecure report details.

This sophisticated approach significantly enhances the credibility of phishing attempts and increases success rates.

The embedded links within PDFs point directly to download URLs generated when threat actors register accounts with RMM vendors. These URLs include unique access keys linking installers back to attackers’ accounts.

Since RMM tools serve legitimate IT support functions, this tactic enables threat actors to bypass email security filters and antivirus scans on both attachments and downloaded executables.

WithSecure has observed the deployment of several RMM tools, including FleetDeck, Atera, Bluetrait, and ScreenConnect.

The common factor among these tools is their availability via direct download and immediate operational capability without requiring additional setup or configuration post-installation.

Zendesk Abuse and Geographic Targeting Patterns

Recent campaign evolution includes the abuse of Zendesk as a distribution channel, with threat actors submitting tickets containing malicious PDFs.

This approach leverages trusted platforms typically not associated with phishing delivery to evade email security controls.

The geographic targeting pattern reveals a strategic focus on high-value sectors, including energy, government, banking, and construction industries.

Despite Luxembourg’s small population, its GDP per capita, among the highest in the world, makes it particularly attractive to financially motivated threat actors.

Metadata analysis of campaign PDFs reveals diverse creation tools including Microsoft Word, Canva, and ILovePDF, with author fields containing seemingly random names such as “Dennis Block,” “Guillaume Vaugeois,” and “DABA DABA,” suggesting efforts to diversify metadata and evade detection systems.

[Figure: Detection volume of the campaign by country, November 2024 – June 2025]

Organizations can mitigate these threats by implementing application allowlisting, blocking unauthorized RMM installer downloads, monitoring for unusual process chains involving PDF-to-browser-to-executable sequences, and conducting comprehensive user training on social engineering tactics.
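The process-chain monitoring and RMM allowlisting described above can be sketched as a small detection routine. The following is an added example written for this article; it is not code from WithSecure or from the report. It runs over a constructed list of process-creation events (shaped loosely like Sysmon Event ID 1 or EDR telemetry), walks each RMM installer's parent chain looking for a browser that was itself launched by a PDF reader, and separately checks the tool against an organization-specific approved list. The PDF reader and browser executable names, the RMM keyword list, the `approved_rmm` parameter and the sample file paths are all assumptions for illustration; real installer file names vary by vendor and release.

```python
"""Detection sketch: PDF reader -> browser -> RMM installer process chains.

Added example, not part of the WithSecure report or the article above.
All process names, paths and the keyword list are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the executable that was started


# Assumed lower-case basenames for the two earlier stages of the chain.
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Keywords for the RMM tools named in the report, matched case-insensitively
# against the image basename. A starting list, not a complete one; short
# keywords such as "atera" can collide with unrelated names, so tune per site.
RMM_KEYWORDS = ("fleetdeck", "atera", "bluetrait", "screenconnect")


def basename(path: str) -> str:
    """Lower-case file name, accepting either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rmm_keyword(image: str):
    """Return the matching RMM keyword for an image path, or None."""
    name = basename(image)
    return next((kw for kw in RMM_KEYWORDS if kw in name), None)


def ancestry(by_pid: dict, pid: int, max_depth: int = 16) -> list:
    """Images from the process itself up to the root, bounded against cycles."""
    out, seen = [], set()
    while pid in by_pid and pid not in seen and len(out) < max_depth:
        seen.add(pid)
        ev = by_pid[pid]
        out.append(ev.image)
        pid = ev.ppid
    return out


def pdf_browser_chain(chain: list) -> bool:
    """chain[0] is the installer; True if a browser ancestor has a PDF reader above it."""
    for i, name in enumerate(chain[1:], start=1):
        if name in BROWSERS:
            return any(n in PDF_READERS for n in chain[i + 1:])
    return False


def find_rmm_launches(events: list, approved_rmm=frozenset()) -> list:
    """Classify every RMM installer start: approved tool? launched via PDF->browser?"""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        tool = rmm_keyword(ev.image)
        if tool is None:
            continue
        chain = [basename(p) for p in ancestry(by_pid, ev.pid)]
        findings.append({
            "pid": ev.pid,
            "tool": tool,
            "approved": tool in approved_rmm,
            "pdf_chain": pdf_browser_chain(chain),
            "chain": chain,
        })
    return findings


def high_priority(findings: list) -> list:
    """Unapproved RMM tools, or any RMM installer reached through the PDF->browser chain."""
    return [f for f in findings if not f["approved"] or f["pdf_chain"]]


# Constructed sample telemetry (not real events): an invoice PDF opened from
# Outlook, a link clicked into Chrome, and an RMM installer run from the browser;
# plus an approved RMM agent installed through Edge without a PDF in the chain.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Windows\explorer.exe"),
    ProcEvent(2, 1, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ProcEvent(3, 2, r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"),
    ProcEvent(4, 3, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcEvent(5, 4, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcEvent(6, 4, r"C:\Users\u\Downloads\ScreenConnect.ClientSetup.exe"),  # assumed name
    ProcEvent(7, 1, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    ProcEvent(8, 7, r"C:\Users\u\Downloads\AteraAgent-setup.exe"),  # assumed name
]

if __name__ == "__main__":
    for f in high_priority(find_rmm_launches(SAMPLE_EVENTS, approved_rmm={"atera"})):
        print(f"pid {f['pid']}: {f['tool']} approved={f['approved']} "
              f"pdf_chain={f['pdf_chain']} chain={' <- '.join(f['chain'])}")
```

Only the ScreenConnect start is surfaced: it is both outside the approved list and reached through the reader-to-browser-to-executable sequence, while the Atera install through Edge is approved and has no PDF reader in its ancestry. In practice the keyword list, reader and browser names, and the approved set should come from the organization's own software inventory rather than from this illustration.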

The campaign underscores how legitimate software continues to be weaponized for initial access, potentially enabling subsequent ransomware deployment as observed with groups like Black Basta and Conti.
