    Detecting RMM Tool Abuse in Malware Distribution Campaigns

    Threat actors are increasingly abusing legitimate Remote Monitoring and Management (RMM) tools—such as LogMeIn, PDQ Connect, Syncro, ScreenConnect, NinjaOne, and SuperOps—to distribute malware and establish persistent remote access. Initial delivery often occurs through malicious download pages or phishing emails, followed by PowerShell-driven execution and deployment of secondary payloads like the PatoRAT backdoor. AhnLab EDR can detect the execution of these RMM utilities and generate behavior-based alerts around suspicious follow-on activity. The report underscores the importance of validating software provenance and maintaining continuous endpoint monitoring.

    AhnLab Security Intelligence Center observed multiple campaigns in which attackers repackaged or masqueraded RMM installers as popular applications (for example, Notepad++, 7-Zip, and Telegram) and delivered them via malicious websites or phishing attachments. After installation, the RMM agents registered to their vendor infrastructure and were then used to run PowerShell payloads that dropped PatoRAT. Similar tradecraft appeared across several RMM products, including Syncro delivered through phishing with PDF lures. AhnLab EDR detection logic was developed to flag execution of these otherwise legitimate binaries and correlate it with post-install behaviors.

    Verify download sources, validate code-signing certificates, and compare hashes against official vendor releases before allowing RMM software in the environment. Enforce application allow-listing and require explicit approvals for RMM execution. Monitor for unexpected RMM binary launches, anomalous PowerShell activity, and suspicious connections to vendor infrastructure domains when such tools are not sanctioned. Keep operating systems and security tooling updated to reduce exposure.
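The monitoring step above (unexpected RMM launches, RMM agents spawning PowerShell, installers masquerading as common applications) can be expressed as a small correlation over process-creation telemetry. The following is an added example, not AhnLab's detection logic: it runs over constructed Sysmon-style events, and the executable-name markers, hostnames, paths and the sanctioned-tool list are assumptions, while the RMM product names are those the report lists.

```python
# Constructed process-creation events modelled on Sysmon Event ID 1 fields; binary
# names, hosts, paths and the sanctioned list are assumptions for this example.
RMM_MARKERS = {  # product -> lowercase substrings of its binaries (assumed)
    "ScreenConnect": ("screenconnect",), "LogMeIn": ("logmein",),
    "PDQ Connect": ("pdqconnect", "pdq-connect"), "Syncro": ("syncro",),
    "NinjaOne": ("ninjarmm", "ninjaone"), "SuperOps": ("superops",),
}
SANCTIONED = {"NinjaOne"}                   # assumption: the only approved RMM here
FOLLOW_ON = {"powershell.exe", "pwsh.exe"}  # scripted follow-on activity to catch
def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def identify_rmm(name):
    """Map an executable name to an RMM product, or None."""
    for product, markers in RMM_MARKERS.items():
        if any(m in name for m in markers):
            return product
    return None

def detect(events):
    """Flag unsanctioned or masqueraded RMM launches and RMM-spawned PowerShell."""
    alerts, rmm_procs = [], {}
    for e in events:
        on_disk = basename(e["Image"])
        # OriginalFileName comes from PE version info and survives renaming, so it
        # exposes an RMM installer posing as a Notepad++/7-Zip/Telegram download.
        product = identify_rmm(basename(e["OriginalFileName"])) or identify_rmm(on_disk)
        if product:
            rmm_procs[(e["host"], e["ProcessId"])] = product
            if product not in SANCTIONED:
                alerts.append((e["host"], "unsanctioned_rmm", product, e["Image"]))
            if identify_rmm(on_disk) is None:
                alerts.append((e["host"], "masqueraded_rmm", product, e["Image"]))
        parent = rmm_procs.get((e["host"], e["ParentProcessId"]))
        if parent and on_disk in FOLLOW_ON:  # child of an RMM agent/installer
            alerts.append((e["host"], "rmm_spawned_powershell", parent, e["CommandLine"]))
    return alerts

SAMPLE_EVENTS = [  # constructed sample telemetry, not from any real incident
    {"host": "WS01", "ProcessId": 1000, "ParentProcessId": 500, "CommandLine": "notepad++_setup.exe",
     "Image": r"C:\Users\u\Downloads\notepad++_setup.exe", "OriginalFileName": "ScreenConnect.ClientSetup.exe"},
    {"host": "WS01", "ProcessId": 1010, "ParentProcessId": 1000, "OriginalFileName": "PowerShell.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -File C:\ProgramData\stage2.ps1"},
    {"host": "WS02", "ProcessId": 2000, "ParentProcessId": 4, "CommandLine": "NinjaRMMAgent.exe",
     "Image": r"C:\Program Files\NinjaRMMAgent\NinjaRMMAgent.exe", "OriginalFileName": "NinjaRMMAgent.exe"},
    {"host": "WS02", "ProcessId": 2010, "ParentProcessId": 500, "CommandLine": "notepad++.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe", "OriginalFileName": "notepad++.exe"},
]
```

Running `detect(SAMPLE_EVENTS)` yields three alerts on WS01 (unsanctioned, masqueraded, RMM-spawned PowerShell) and none for the sanctioned NinjaOne agent or the genuine Notepad++ on WS02.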

    When a suspected RMM execution is detected, isolate the host, collect forensic artifacts, and remove the unauthorized binary. Block outbound connections to the tool’s infrastructure to cut off remote control channels, and perform a full scan for secondary payloads such as PatoRAT. Update detection content with observed IOCs and brief the SOC on the campaign patterns for faster triage.
