IT Brief Canada - Technology news for CIOs & IT decision-makers

Rise in cyberattacks using legitimate RMM tools noted

Yesterday

Proofpoint researchers have noted a significant increase in the use of legitimate remote monitoring and management (RMM) tools as the first-stage payload in email-based cyberattacks.

The research highlights a marked shift from traditional methods that employed large loaders and botnets, a trend likely influenced by the disruption caused by Operation Endgame, a law enforcement action that dismantled major malware infrastructure such as IcedID, Trickbot, and Bumblebee in 2024.

Remote monitoring and management (RMM) tools, such as ScreenConnect and Atera, are designed for IT administrators to remotely manage computer systems. However, cybercriminals are increasingly utilising these tools to gain unauthorised access, steal data, and deploy ransomware. The rise in RMM usage corresponds with a decline in conventional loaders and botnet malware often employed by initial access brokers.

Proofpoint researchers observed a considerable rise in the use of RMM tools in various cybercriminal campaigns throughout 2024, with tools like ScreenConnect, Fleetdeck, and Atera frequently employed. While NetSupport had previously been the most observed RMM, its use has decreased significantly, and other RMM software has gained prominence, a trend that has continued into 2025.

RMM tools are often used as part of a broader attack chain in ransomware operations once initial access is achieved. Their use can involve leveraging remote administration capabilities already present in a compromised environment or installing new RMM software for persistence and lateral movement. Some threat actors also use RMM tools in telephone-oriented attack delivery (TOAD), where victims are instructed to call a phone number and the call leads to malware installation.

Use of RMM tooling as a first-stage payload delivered directly by email was rare before 2024, but this began to change in mid-2024 as ScreenConnect appeared more frequently. This shift aligns with a decrease in loaders and botnets utilised by initial access brokers, many of which have significantly reduced or ceased their activities following Operation Endgame.

One newly designated threat actor, TA583, has notably increased its use of RMM tools, primarily using ScreenConnect in campaigns that impersonate organisations such as the U.S. Social Security Administration. These campaigns range in size from thousands of messages to a smaller number targeting specific individuals. TA583 has moved towards using ScreenConnect as its initial access payload since mid-2024.

Another threat actor, TA2725, operating since 2022, began using ScreenConnect in January 2025, targeting organisations in Mexico through campaigns that deliver malware via energy bill lures.

Proofpoint notes that awareness and defensive measures need to adapt as the use of legitimate RMM tools in cyberattacks increases. Organisations are advised to restrict the download and installation of unapproved RMM tools, implement network detection, and train users to identify and report suspicious activity. This approach aims to mitigate the risks posed by legitimate software being maliciously exploited by threat actors.
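As an added illustration of the "restrict unapproved RMM tools" advice above (example code written for this article, not Proofpoint's or any vendor's), the following triage logic takes endpoint process-creation events, recognises the RMM families the article names, and escalates any RMM that is not on the organisation's approved list, most sharply when it was launched by a mail client or browser or from a user-writable folder, which is the email-delivered first-stage pattern described here. The approved list, the parent-process set, the match strings and the sample file names are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# RMM families named in the article. The match strings are assumptions; a real
# deployment would key on the code-signing subject or product name the sensor records.
RMM_FAMILIES = {"screenconnect": "ScreenConnect", "atera": "Atera",
                "fleetdeck": "Fleetdeck", "netsupport": "NetSupport"}
APPROVED_RMM = {"Atera"}  # constructed policy: the one RMM this organisation sanctions
# Parents that point to a user-driven, email- or web-delivered first stage.
MAIL_AND_BROWSER_PARENTS = {"outlook.exe", "thunderbird.exe", "chrome.exe",
                            "msedge.exe", "firefox.exe"}
# Locations a phishing recipient can write to without admin rights.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\")

@dataclass
class ProcessEvent:
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process
    product: str       # product or signer name reported by the endpoint sensor

def classify_rmm(event):
    """Map an event to one of the RMM families above, or None."""
    text = f"{event.image} {event.product}".lower()
    return next((fam for key, fam in RMM_FAMILIES.items() if key in text), None)

def assess(event):
    """Return (severity, reason) for an RMM launch worth a ticket, else None."""
    family = classify_rmm(event)
    if family is None:
        return None
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    user_delivered = (parent in MAIL_AND_BROWSER_PARENTS
                      or USER_WRITABLE.search(event.image.lower()) is not None)
    if family not in APPROVED_RMM:
        # Any unapproved RMM breaks policy; email/web delivery matches the first-stage pattern.
        return ("high" if user_delivered else "medium", f"unapproved {family} launched by {parent}")
    if user_delivered:
        return ("low", f"approved {family} started from a user-writable path or by {parent}")
    return None

# Constructed sample events (not real telemetry); file names are illustrative.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\alice\Downloads\ScreenConnect.ClientSetup.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "ScreenConnect"),
    ProcessEvent(r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
                 r"C:\Windows\System32\services.exe", "Atera"),
    ProcessEvent(r"C:\Users\bob\AppData\Local\Temp\client32.exe", r"C:\Windows\explorer.exe", "NetSupport"),
]

def triage(events):
    """Return (file name, finding) for every event that deserves analyst attention."""
    return [(e.image.rsplit("\\", 1)[-1], assess(e)) for e in events if assess(e)]
```

Running `triage(SAMPLE_EVENTS)` flags the ScreenConnect installer spawned by Outlook and the NetSupport client in a temp folder, while the service-started, approved Atera agent produces no finding.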

Proofpoint anticipates that the trend of using RMM tools as a first-stage payload will continue to grow. These tools are often more acceptable to end users than other malicious software and can evade anti-virus or network detection due to their legitimate usage and signed installers.
