In recent months, cybersecurity researchers have observed a surge in ransomware gangs weaponizing legitimate Remote Monitoring and Management (RMM) tools to compromise organizations and steal sensitive data.
For IT teams, RMM solutions are indispensable for remotely managing corporate systems, yet the same trust and capability that make them useful are increasingly exploited by cybercriminals, making these tools a significant attack vector in the enterprise.
The Double-Edged Sword of RMM Tools
RMM solutions such as AnyDesk, ScreenConnect, PDQ Deploy, and SimpleHelp offer IT teams broad, remote access and control capabilities.
These features, designed for productivity and streamlined management, are also the very attributes that make RMM tools attractive to threat actors.
Recent cyber forensic investigations from late 2024 through early 2025, spanning multiple organizations in the US and UK, revealed a recurring pattern: ransomware gangs systematically abuse these tools not just for initial access, but for deep persistence, lateral movement, and covert data exfiltration.
Unlike traditional malware, RMM applications blend into regular network activity. Because they operate as trusted, often pre-installed software, their dual-use nature lets attackers slip past many standard security controls that would flag an unknown binary.
Ransomware gangs, such as Hunters International and Medusa, have demonstrated proficiency in leveraging multiple RMM tools simultaneously, both to increase resilience and lower the odds of triggering defense mechanisms.
In one high-profile incident, the Hunters International group targeted a UK-based manufacturing firm.
They installed AnyDesk and ScreenConnect obtained from legitimate sources and maintained undetected access for over a month before launching ransomware encryption.
Analysis revealed that these sessions used hidden operating modes and encrypted communication channels, making them hard for conventional monitoring solutions to distinguish from routine remote support.
Attack Chain: From Phishing to Persistence
The RMM attack lifecycle often starts with a targeted phishing campaign.
In a recent proof-of-concept demonstration, a phishing email carrying a malicious LNK file launched a PowerShell command that started AnyDesk and established a covert session with the attacker.
With legitimate RMM software already authorized on the network, attackers can use built-in features such as hidden terminal sessions, file transfer, and script execution with little risk of immediate detection.

Monitoring tools such as Cato XDR have helped incident response teams identify unusual RMM activity by flagging first-time use of a tool on a host or WAN-bound connections from RMM processes, but distinguishing authorized admin actions from malicious ones remains a significant challenge for defenders.
Defending Against RMM Exploitation
To mitigate the threat, organizations are urged to track and audit all RMM usage, allowlist approved tools (and the hosts permitted to run them), restrict the privileges those tools run with, and enforce strong authentication for RMM access.
Continuous behavioral monitoring and anomaly detection are crucial for identifying abuse amid routine IT operations, since an unapproved tool, a first-time sighting on a host, or a session leaving the corporate network is often the only signal that separates an intruder from the help desk.
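The following script is an added example, not code from the article or from any monitoring product it mentions, showing how the three signals discussed above (an RMM tool that is not on the allowlist, first-time use of an allowed tool on a host, and a WAN-bound connection from an RMM process) can be checked against network-connection telemetry. The process names, allowlist, internal address ranges and the pipe-delimited event records are all constructed assumptions; a real deployment would take them from its own software inventory and EDR or Sysmon data.

```python
"""Flag risky RMM activity in network-connection events.

Added example, not code from the article or from any vendor product.
Input is a constructed, pipe-delimited event record
(timestamp|host|user|process image|dest IP|dest port), roughly the
fields a Sysmon network-connection event or EDR telemetry would carry.
"""
import ipaddress

# Assumed process names for the RMM tools named in the article; a real
# deployment would pull these from its own software inventory.
RMM_PROCESSES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "pdqdeployservice.exe": "PDQ Deploy",
    "remote access.exe": "SimpleHelp",
}

# Hypothetical allowlist: approved tool -> hosts permitted to run it.
ALLOWLIST = {"ScreenConnect": {"HELPDESK01", "HELPDESK02"}}

# Hypothetical internal address space; anything outside it is WAN-bound.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_event(line):
    """Split one constructed event record into its fields."""
    ts, host, user, image, dst_ip, dst_port = line.split("|")
    return {
        "ts": ts,
        "host": host.upper(),
        "user": user,
        # keep only the executable name, case-folded, for lookup
        "image": image.rsplit("\\", 1)[-1].lower(),
        "dst_ip": ipaddress.ip_address(dst_ip),
        "dst_port": int(dst_port),
    }


def is_wan_bound(ip):
    """True when the destination lies outside the internal ranges."""
    return not any(ip in net for net in INTERNAL_NETS)


def analyse(lines, allowlist=ALLOWLIST, baseline=()):
    """Return (host, tool, reason) alerts for RMM events in `lines`.

    `baseline` holds (host, tool) pairs observed in earlier, reviewed
    activity; a pair not in it is a first-time sighting on that host.
    """
    seen = set(baseline)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        tool = RMM_PROCESSES.get(ev["image"])
        if tool is None:
            continue  # not an RMM process
        key = (ev["host"], tool)
        if ev["host"] not in allowlist.get(tool, set()):
            alerts.append((ev["host"], tool, "RMM tool not on allowlist"))
        elif key not in seen:
            alerts.append((ev["host"], tool, "first-time RMM use on host"))
        seen.add(key)
        if is_wan_bound(ev["dst_ip"]):
            alerts.append((ev["host"], tool,
                           f"WAN-bound connection to {ev['dst_ip']}:{ev['dst_port']}"))
    return alerts


# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    r"2025-02-03T09:12:00|HELPDESK01|svc_it|C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe|10.20.30.40|8041",
    r"2025-02-03T09:15:00|FIN-WS17|jdoe|C:\Users\jdoe\AppData\Roaming\AnyDesk\AnyDesk.exe|203.0.113.25|443",
    r"2025-02-03T10:02:00|HELPDESK02|svc_it|C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe|10.20.30.40|8041",
    r"2025-02-03T10:30:00|FIN-WS17|jdoe|C:\Windows\System32\svchost.exe|10.0.0.5|445",
]
BASELINE = {("HELPDESK01", "ScreenConnect")}

if __name__ == "__main__":
    for host, tool, reason in analyse(SAMPLE_EVENTS, baseline=BASELINE):
        print(f"{host:<12} {tool:<14} {reason}")
```

Run against the sample records, the help-desk host already in the baseline produces nothing, the AnyDesk client on a finance workstation raises both an allowlist alert and a WAN-bound alert, and the second help-desk host raises only a first-time-use alert that an analyst can confirm and add to the baseline. Checking "outside our internal ranges" rather than a library's notion of a public address is deliberate: the organisation's own address plan is the authority on what counts as WAN-bound.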
As attackers evolve their tactics, the line between IT support and intrusion grows ever blurrier. Only by pairing strong technical controls with contextual security analysis can enterprises safely harness RMM solutions and keep ransomware gangs at bay.