Security researchers recently documented several cases of threat actors abusing remote management & monitoring (RMM) tools to facilitate their operations, including several cases where actors used multiple distinct tools/platforms at once to provide redundancy after gaining initial access. This week's “Trending & Emerging Threats” Threat Profile update includes a new Campaign object covering these cases.
This update serves as a reminder of the trend of RMM abuse generally, but also the importance of staying up to date with a) real-world attack patterns (e.g. increased use of multiple RRMs), and b) the latest specific RMM tools that adversaries are leveraging during their operations. Tidal users can find all 40+ tools currently labeled with an “RMM” Tag via the Tag Manager, while a corresponding curated Threat Profile is available to Enterprise Edition users, which spotlights the most recently updated and prevalent of these objects.
12/29/25: Deliver Rogue RMM Installer via Phishing Email Lure
- PS1032129: Deliver Rogue RMM Installer via Phishing Email Lure
- Threat actors send phishing emails with lures (such as contract revisions, bid transcripts, holiday invitations, or social security account statements) to trick users into downloading and executing rogue RMM installers.
Threat-Led Defense commentary: Successful defense against spearphishing (e.g. via user awareness & training and email security tools) can mitigate downstream risks posed by threat actor RMM abuse.
- PS1032233: Use Initial RMM Access to Deploy Secondary RMM Tool
- After gaining access via an initial RMM (GoTo Resolve, PDQ, or ITarian), threat actors use that access to install a secondary RMM tool for redundancy and persistence.
Threat-Led Defense commentary: This Procedure Sighting spotlights the trend recently highlighted by researchers, where adversaries use an initial RMM tool to ingress other RMMs for persistence purposes. Protection can come in the form of asset inventory and application controls to cover approved RMMs (and blocking of unauthorized programs).