How Threat Actors Leverage Remote Monitoring and Management Software

Jeremy Kirk, the Executive Editor for Cyber Threat Intelligence at Intel 471, explains how threat actors can leverage remote monitoring and management (RMM) software solutions. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.
Remote monitoring and management (RMM) applications, such as AnyDesk, Atera Agent, ScreenConnect, and TeamViewer, are powerful and useful tools for administrators who do not have on-site, physical access to machines. Organizations frequently rely on RMM software for essential information technology (IT) tasks, such as system updates, asset management, software deployment, endpoint troubleshooting, and maintenance scheduling.
Unsurprisingly, threat actors find these RMM tools useful as well and are increasingly leveraging them to gain access to networks, install malware, disable security features, and escalate privileges. Detecting malicious actions using RMM tools, unfortunately, is difficult because they are so widely used and deeply integrated into IT workflows. RMM is legitimate software, so these applications are unlikely to be flagged as malware. Abusing RMM tools offers a distinct advantage over remote access tools (RATs), which are custom-designed malware tools that need to employ other techniques, such as valid signing certificates, to avoid being flagged by security software.
RMM software abuse is not a new technique, but it registered at a persistent level throughout 2024, and we anticipate this trend to continue in 2025.
How RMM Tools Are Exploited
Threat actors can frequently gain access to RMM software by first compromising RMM user credentials through social-engineering tactics or by exploiting vulnerabilities in outdated software. This allows attackers to use a tool that is already installed, which potentially attracts less attention when it is misused. In some cases, attackers will take proactive steps to preserve their illicit access to an RMM tool. This can include creating additional RMM accounts so that access survives if the original credentials are discovered to be compromised and are reset.
Attackers also may social-engineer victims into installing RMM software under misleading pretenses. This scheme has often manifested as a bogus request from an organization’s IT department to solve a problem. An employee who wants to take the right action may comply, installing the software and then allowing access to the attackers. Attackers can then use RMM software to map the network and identify valuable assets. They typically move laterally using credentials harvested from compromised systems to exfiltrate sensitive data, deploy ransomware, or launch further attacks against downstream clients.
To ensure long-term access or facilitate additional malicious activities, threat actors often install additional RATs to maintain persistent access. These tools can serve as backups for remote desktop sessions or establish reverse connections to adversary-controlled servers, leading to widespread operational disruptions, significant financial losses, and potential supply chain vulnerabilities.
Ransomware Group in Focus: Black Basta
The Black Basta ransomware group emerged in mid-April 2022 and evolved into the third most impactful ransomware group that year. Its members are experienced Russian-speaking ransomware and cyber-crime veterans, some of whom worked with the infamous Conti ransomware-as-a-service (RaaS) group. In February 2025, a leaker released about 197,000 messages from different Matrix chatrooms the Black Basta group used. The leak provided deep insight into the group’s tactics, techniques, and procedures (TTPs), including how it gained initial access to victims and networks using RMM software.
The group ran a sophisticated operation, researching organizations it thought might pay a ransom and compiling lists in Google Sheets of individual employees it planned to target. In one scenario, an employee would be targeted in a spam attack that would fill the person’s inbox. Then, someone from Black Basta would call the person and—reading from a pre-drafted script—impersonate an IT support member from the victim’s organization. The attacker would offer to install antispam software on the user’s machine, but in order to do that, the victim needed to install remote access software such as AnyDesk, Quick Assist, or TeamViewer.
After the victim installed the software, Black Basta would contact one of its malicious penetration testers, who would then try to install additional malware to enable persistent access. The pentester would provide a code the victim was supposed to enter on the computer, allowing the pentester to establish another foothold. The leaked chat messages did not reveal what malware was used to obtain persistent access.
However, one member claimed to run a batch (.bat) file that prompted the employee to enter credentials for the corporate virtual private network (VPN) portal. These credentials would then allow Black Basta’s actors to access the domain network, advancing the data exfiltration and ransomware attack by one more step.
Defensive Mitigations
To mitigate the escalating risks associated with RMM tools, a comprehensive defense strategy is critical. Detection efforts should include deploying endpoint detection and response (EDR) platforms, conducting network traffic analysis, and utilizing behavior-based intrusion detection systems (IDSs) that are tuned specifically to recognize RMM-related activities. It is also vital to enforce stringent application allowlisting, which would prevent users from installing RMM software after falling prey to a social engineering campaign.
Only vetted, preapproved RMM software that has tight access controls should be used across the organization to minimize the attack surface. Lastly, security teams are advised to undertake threat-hunting exercises routinely to detect early signs of misuse, such as anomalous network connections or other suspicious activities that may suggest unauthorized access.
For example, AnyDesk is a common and widely utilized tool for remotely controlling machines. However, many actors have also adopted it to remotely access victim machines and deploy malware or ransomware payloads. Threat actors may install AnyDesk but put its executable in an uncommon directory, such as the ProgramData and System32 temporary directories, in an attempt to hide it.
Additionally, to appear more legitimate, some attackers may utilize installation paths that include legitimate-sounding names, such as “Microsoft Management” or “Customer Service.” These types of behaviors, drawn from threat intelligence based on real attacks, can be used in threat hunts that search security information and event management (SIEM) or other logging systems that may have recorded the malicious activity, allowing an organization to undertake incident response to remove the threat.
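The two hunting behaviors above (an RMM executable running from a ProgramData or System32 temporary directory, or from a path containing a lure name such as "Microsoft Management" or "Customer Service") can be turned into a check run over process-creation telemetry. The following is an added illustration, not code from the article or from Intel 471; the executable names, the approved install roots and the sample records are assumptions constructed for the example.

```python
import json
from pathlib import PureWindowsPath

# Executable names for the RMM tools the article mentions (assumed file names, for illustration).
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe", "ateraagent.exe"}
# Where a vetted, centrally deployed RMM client is expected to live (assumed organisational policy).
APPROVED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Directory names the article reports attackers using to make an install path look legitimate.
LURE_DIRS = {"microsoft management", "customer service"}


def flag_rmm_event(event):
    """Return the reasons a process-creation event looks like RMM abuse (empty list = nothing found)."""
    path = PureWindowsPath(event["image"])
    if path.name.lower() not in RMM_BINARIES:
        return []  # not an RMM binary at all; nothing to assess
    lowered = str(path).lower()
    parts = [p.lower() for p in path.parts]
    reasons = []
    if not lowered.startswith(APPROVED_ROOTS):
        reasons.append("rmm binary outside approved install location")
    if "temp" in parts and ("programdata" in parts or "system32" in parts):
        reasons.append("rmm binary in ProgramData/System32 temp directory")
    for lure in sorted(LURE_DIRS & set(parts)):
        reasons.append(f"lure directory name in path: {lure!r}")
    return reasons


def hunt(log_lines):
    """Run the check over JSON process-creation records; return (host, image, reasons) for each hit."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        reasons = flag_rmm_event(event)
        if reasons:
            hits.append((event["host"], event["image"], reasons))
    return hits


# Constructed sample records in a simplified Sysmon-style shape; not real telemetry.
SAMPLE_LOG = [
    r'{"host": "ws01", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"}',
    r'{"host": "ws02", "image": "C:\\ProgramData\\Temp\\AnyDesk.exe"}',
    r'{"host": "ws03", "image": "C:\\Windows\\System32\\Temp\\Microsoft Management\\AnyDesk.exe"}',
    r'{"host": "ws04", "image": "C:\\Users\\bob\\AppData\\Roaming\\Customer Service\\TeamViewer.exe"}',
    r'{"host": "ws05", "image": "C:\\Windows\\System32\\notepad.exe"}',
]

if __name__ == "__main__":
    for host, image, reasons in hunt(SAMPLE_LOG):
        print(f"{host}: {image} -> {'; '.join(reasons)}")
```

Only ws02, ws03 and ws04 are flagged; the vetted install on ws01 and the unrelated process on ws05 pass. In a real SIEM query the same three conditions map directly onto the process image path field of your process-creation events.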
By integrating these measures—enhanced detection capabilities, strict access management, and proactive threat hunting—organizations can more effectively stay ahead of adversaries who seek to exploit RMM tools.