Remote Monitoring and Management (RMM) tools have become one of the most consistently abused classes of legitimate software in the modern threat landscape. Nation-state actors, ransomware syndicates, and financially motivated cybercriminals are systematically weaponizing tools like AnyDesk, ConnectWise ScreenConnect, and TeamViewer to bypass security controls, establish persistent access, and deliver devastating payloads. This report provides a comprehensive analysis of the threat, the actors involved, their methodologies, and actionable detection and defense strategies.
Executive Summary
The abuse of legitimate Remote Monitoring and Management (RMM) software represents one of the most significant and underappreciated threats to enterprise security today. Adversaries exploit the inherent trust that organizations place in these tools — trust rooted in their legitimate administrative purpose, their digitally signed binaries, and their ubiquitous presence in managed IT environments. This trust creates a systemic blind spot that threat actors of all sophistication levels are actively exploiting.
Between 2023 and 2025, Mjolnir Security has observed a marked escalation in RMM abuse across incident response engagements and threat intelligence collection. Threat actors ranging from the social-engineering-driven Scattered Spider collective to the PRC-backed VOLT TYPHOON pre-positioning campaign have weaponized RMM tools as core components of their operational tradecraft. The convergence of these diverse threat actors on a single class of tooling underscores the severity of the problem.
| Field | Summary |
|---|---|
| Threat Level | CRITICAL |
| Threat Categories | Initial Access, Persistence, Lateral Movement, Command & Control, Ransomware Delivery |
| Primary Targets | MSPs, Critical Infrastructure, Financial Services, Government, Healthcare |
| Tools Abused | AnyDesk, ConnectWise ScreenConnect, TeamViewer, Atera, Splashtop, Kaseya VSA, PDQ Deploy, MeshCentral |
| Key Threat Actors | Scattered Spider, LockBit, BlackCat/ALPHV, VOLT TYPHOON, Lazarus Group, REvil, Akira |
Background & Threat Landscape
RMM tools are designed to provide IT administrators and Managed Service Providers (MSPs) with remote access to endpoints for maintenance, troubleshooting, and monitoring. Their design characteristics, however, make them extraordinarily attractive to adversaries.
Why RMM Tools Are Attractive to Threat Actors
- Digitally signed binaries: RMM executables are signed by trusted vendors, allowing them to bypass application whitelisting, endpoint detection, and code signing enforcement policies.
- Encrypted communications: RMM tools use TLS-encrypted channels to vendor-controlled relay infrastructure, making network-based detection extremely difficult and blending malicious C2 traffic with legitimate administrative activity.
- Built-in persistence mechanisms: Most RMM agents install as Windows services or scheduled tasks by design, providing adversaries with automatic persistence that survives reboots without requiring custom implants.
- Full remote control capabilities: These tools provide interactive desktop access, file transfer, remote shell execution, and system management — the complete toolkit an attacker needs for hands-on-keyboard operations.
- Pre-existing trust relationships: In environments where RMM tools are already deployed, additional instances may not trigger alerts, as security teams expect to see RMM-related network traffic and process execution.
- MSP supply chain leverage: Compromising a single MSP's RMM platform can provide simultaneous access to hundreds or thousands of downstream client organizations, creating catastrophic blast radius potential.
- Minimal forensic footprint: Unlike custom malware, RMM tools are designed for low resource consumption and quiet background operation, reducing the likelihood of detection through behavioral anomaly analysis.
In January 2023, CISA, NSA, and MS-ISAC published a joint advisory (AA23-025A) warning that threat actors were increasingly exploiting legitimate RMM software for financial gain and as a vector for ransomware deployment. The advisory specifically highlighted campaigns using portable RMM executables delivered via phishing emails to establish initial access without triggering installation-based detection mechanisms. This advisory represented the first formal U.S. government recognition of RMM abuse as a systemic threat category.
Threat Actor Profiles
The following profiles detail the most prominent threat actors observed abusing RMM tools in their operational campaigns. These actors span the full spectrum of adversary motivation — from financially driven cybercrime to state-sponsored espionage and pre-positioning for destructive operations.
Scattered Spider (UNC3944 / 0ktapus)
Motivation: Financial — Data extortion, SIM swapping, cryptocurrency theft, ransomware deployment
RMM Tools: AnyDesk, Splashtop, ConnectWise ScreenConnect, Atera, TeamViewer
Initial Access: Social engineering of IT help desks via phone calls (vishing), SMS phishing (smishing), and MFA fatigue attacks targeting Okta and Azure AD identity providers.
Key TTPs:
- Convinces help desk staff to reset MFA tokens or enroll attacker-controlled devices, then immediately deploys unauthorized RMM agents for persistent access
- Uses multiple RMM tools simultaneously as redundant C2 channels — if one is detected and removed, others maintain access
- Deploys RMM tools via legitimate cloud storage links (SharePoint, Google Drive) to bypass email security scanning
- Pivots from RMM access to deploy BlackCat/ALPHV ransomware across victim environments
- Targets identity providers (Okta, Azure AD) to gain SSO access to downstream SaaS applications and cloud infrastructure
VOLT TYPHOON (Bronze Silhouette / Vanguard Panda)
Motivation: Strategic — Pre-positioning for potential destructive operations against U.S. critical infrastructure
RMM Tools: Built-in Windows administration tools (WMIC, PowerShell), supplemented with legitimate RMM agents for persistent access
Key TTPs:
- Epitomizes the "Living Off the Land" approach — primarily uses built-in OS tools and legitimate software to avoid detection, deploying RMM tools only when necessary for persistent remote access
- Targets SOHO routers, VPN appliances, and firewalls as initial access vectors, then moves laterally to internal systems where RMM agents are deployed
- Operates with extreme OPSEC discipline, blending C2 traffic with legitimate administrative traffic and operating during normal business hours to avoid behavioral anomaly detection
- Maintains access to critical infrastructure networks (energy, water, telecommunications, transportation) for extended periods without conducting data exfiltration, consistent with pre-positioning for future disruption
- Uses compromised SOHO devices as operational relay boxes (ORBs) to proxy C2 traffic and obscure true origin infrastructure
LockBit (Ransomware-as-a-Service)
Motivation: Financial — Ransomware extortion at scale
RMM Tools: AnyDesk, ConnectWise ScreenConnect, Atera, Splashtop, Kaseya VSA
Key TTPs:
- LockBit affiliates routinely deploy AnyDesk and ScreenConnect as their primary hands-on-keyboard access mechanism after initial compromise, using these tools for reconnaissance, credential harvesting, and lateral movement
- The Kaseya VSA supply chain attack (2021) demonstrated the catastrophic potential of RMM platform compromise — REvil (a LockBit predecessor ecosystem affiliate) exploited a zero-day vulnerability to push ransomware to approximately 1,500 downstream organizations simultaneously
- Affiliates use AnyDesk's portable executable mode to bypass installation-based detection, dropping the binary into temporary directories and executing without administrative privileges
- Pre-stages data exfiltration tools (Rclone, MEGAsync) alongside RMM access to conduct double-extortion operations
- Deploys PDQ Deploy through compromised RMM access to push ransomware payloads to all managed endpoints simultaneously
Akira (Ransomware)
Motivation: Financial — Ransomware and data extortion
RMM Tools: AnyDesk, RustDesk, Radmin, ConnectWise ScreenConnect
Key TTPs:
- Gained initial access primarily through compromised Cisco VPN credentials (targeting environments without MFA on VPN gateways), then deployed RMM tools for persistent interactive access
- Deployed AnyDesk and RustDesk as supplementary access channels alongside Cisco VPN access, providing redundancy and enabling hands-on-keyboard operations
- Targeted small and medium businesses disproportionately, exploiting their reliance on MSP-managed RMM platforms and generally weaker security monitoring
- Used compromised RMM access to disable or uninstall endpoint security products before deploying ransomware payloads
- Accumulated over $42 million in ransom payments by mid-2024, with RMM abuse serving as a core operational enabler
Lazarus Group (HIDDEN COBRA / APT38)
Motivation: Financial and strategic — Cryptocurrency theft, sanctions evasion, espionage for DPRK regime
RMM Tools: AnyDesk, Chrome Remote Desktop, custom-modified RMM agents, TeamViewer
Key TTPs:
- Targets cryptocurrency exchanges, DeFi platforms, and blockchain companies, deploying trojanized or legitimate RMM tools after initial compromise to maintain access during multi-stage theft operations
- Uses social engineering on LinkedIn and professional platforms to deliver malicious applications that install legitimate RMM tools alongside custom backdoors
- Modifies legitimate RMM clients to use attacker-controlled relay infrastructure, creating custom C2 channels that appear as standard RMM traffic to network monitoring tools
- Maintains access across extended operation timelines (weeks to months), using RMM tools for ongoing reconnaissance and preparation before executing theft operations
- Responsible for the Ronin Network ($620M), Harmony Bridge ($100M), and Atomic Wallet ($35M) cryptocurrency thefts, with RMM tools implicated in persistent access maintenance during several of these operations
Attack Methodology & Kill Chain
RMM tool abuse follows a consistent operational pattern across threat actors, though specific implementations vary by group. The following kill chain analysis maps observed behaviors across the full attack lifecycle.
Phase 1: Initial Access
- Phishing with RMM payloads: Adversaries deliver phishing emails containing links to portable RMM executables hosted on legitimate file-sharing services (OneDrive, Google Drive, Dropbox). The use of trusted hosting platforms bypasses URL reputation filtering.
- Social engineering of help desks: Scattered Spider and similar actors call IT help desks impersonating employees, convincing support staff to reset credentials or enroll attacker-controlled MFA devices, then use legitimate credentials to install RMM agents.
- Exploitation of internet-facing infrastructure: Actors exploit VPN appliances (Cisco, Fortinet, SonicWall), RDP gateways, or web application vulnerabilities to gain initial foothold, then deploy RMM tools for stable, interactive access.
- MSP platform compromise: Attackers compromise MSP administrative portals through credential stuffing, password spraying, or exploitation of platform vulnerabilities, gaining the ability to deploy RMM agents across all managed clients.
- Trojanized software distribution: Lazarus Group and similar actors distribute trojanized applications through professional networking platforms or compromised software supply chains, bundling legitimate RMM tools with custom malware payloads.
Phase 2: Execution & Persistence
- Portable executable deployment: Adversaries deploy portable (non-installed) versions of AnyDesk, ScreenConnect, or other RMM tools that do not require administrative privileges or create installation artifacts, running directly from user-writable directories.
- Service installation: When elevated privileges are available, actors install RMM tools as Windows services (e.g., AnyDesk service, ScreenConnect Client service) for automatic startup persistence.
- Scheduled task creation: RMM binaries are registered via Windows Task Scheduler to execute at system startup or on recurring intervals, ensuring persistence even if the running process is terminated.
- Registry run key modification: Actors add RMM executable paths to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or equivalent HKCU keys for user-level persistence.
- Multi-tool redundancy: Sophisticated actors deploy multiple RMM tools simultaneously (e.g., AnyDesk + ScreenConnect + Atera) to ensure persistent access even if one tool is detected and removed.
Phase 3: Command & Control
- Vendor relay infrastructure: RMM tools communicate through vendor-operated relay servers (e.g., *.net.anydesk.com, *.screenconnect.com), making C2 traffic appear as legitimate administrative activity. Blocking these domains may disrupt legitimate IT operations.
- TLS-encrypted channels: All major RMM tools use TLS encryption for communications, preventing content-based network inspection from identifying malicious commands or exfiltrated data.
- Custom relay servers: Advanced actors (Lazarus Group) configure modified RMM clients to communicate with attacker-controlled relay infrastructure, eliminating dependence on vendor servers while maintaining the appearance of legitimate RMM traffic.
- Port flexibility: RMM tools operate on standard ports (443, 80) and can be configured to use custom ports, allowing actors to adapt to network restrictions and blend with normal web traffic.
Phase 4: Lateral Movement
- Credential harvesting: Once interactive access is established via RMM, actors deploy credential dumping tools (Mimikatz, ProcDump of LSASS, comsvcs.dll MiniDump) to harvest domain credentials for lateral movement.
- RMM propagation: Actors use existing RMM access to deploy additional RMM agents on other systems in the environment, expanding their access footprint across the network.
- RDP pivoting: Harvested credentials are used for RDP lateral movement, with RMM tools serving as the stable C2 channel through which RDP sessions are initiated and managed.
- Administrative tool abuse: Actors leverage RMM-provided shell access to use built-in Windows tools (PsExec, WMIC, PowerShell Remoting) for lateral movement that blends with normal administrative activity.
Phase 5: Impact
- Ransomware deployment: Compromised RMM platforms are used to push ransomware payloads simultaneously across all managed endpoints, maximizing impact and minimizing response time. PDQ Deploy and similar tools are abused for mass deployment.
- Data exfiltration: RMM file transfer capabilities are used for data exfiltration, or actors deploy supplementary tools (Rclone, MEGAsync, WinSCP) through RMM access to exfiltrate data to attacker-controlled cloud storage.
- Security tool disabling: Actors use elevated RMM access to disable, uninstall, or tamper with endpoint security products, SIEM agents, and logging infrastructure before deploying final payloads.
- Destructive operations: VOLT TYPHOON-style actors use persistent RMM access for pre-positioning, maintaining dormant access that can be activated for disruptive or destructive operations during geopolitical crises.
MITRE ATT&CK Mapping
The following table maps observed RMM abuse behaviors to the MITRE ATT&CK framework, providing technique-level detail for detection engineering and threat modeling.
| TTP ID | Tactic | Technique | RMM Tool | Observed Behavior |
|---|---|---|---|---|
| T1219 | Command & Control | Remote Access Software | AnyDesk, ScreenConnect, TeamViewer | Deployment of legitimate RMM tools as primary C2 channel, bypassing network-based detection through vendor relay infrastructure |
| T1566.002 | Initial Access | Phishing: Spearphishing Link | AnyDesk, ScreenConnect | Phishing emails with links to portable RMM executables hosted on trusted cloud storage platforms |
| T1195.002 | Initial Access | Supply Chain Compromise: Compromise Software Supply Chain | Kaseya VSA | Exploitation of Kaseya VSA zero-day to push REvil ransomware to 1,500+ downstream organizations |
| T1543.003 | Persistence | Create or Modify System Process: Windows Service | AnyDesk, ScreenConnect, Atera | RMM tools installed as Windows services for automatic startup persistence |
| T1053.005 | Persistence | Scheduled Task/Job: Scheduled Task | AnyDesk, TeamViewer | Scheduled tasks created to maintain RMM agent persistence across reboots |
| T1021.001 | Lateral Movement | Remote Services: Remote Desktop Protocol | ScreenConnect, AnyDesk | RMM access used to enable RDP and initiate lateral movement sessions with harvested credentials |
| T1003.001 | Credential Access | OS Credential Dumping: LSASS Memory | AnyDesk, ScreenConnect | Mimikatz and ProcDump deployed through RMM shell access to harvest domain credentials from LSASS process memory |
| T1562.001 | Defense Evasion | Impair Defenses: Disable or Modify Tools | AnyDesk, Atera, ScreenConnect | RMM administrative access used to disable or uninstall endpoint security products before ransomware deployment |
| T1071.001 | Command & Control | Application Layer Protocol: Web Protocols | All RMM tools | RMM C2 traffic over HTTPS (port 443) blending with legitimate web traffic |
| T1072 | Execution | Software Deployment Tools | PDQ Deploy, Kaseya VSA | Legitimate deployment tools abused to push ransomware payloads to all managed endpoints simultaneously |
| T1078 | Defense Evasion | Valid Accounts | All RMM tools | Compromised MSP credentials used to access RMM platforms with legitimate administrative privileges |
| T1048 | Exfiltration | Exfiltration Over Alternative Protocol | AnyDesk, ScreenConnect | RMM file transfer capabilities used for data exfiltration, supplemented by Rclone and MEGAsync |
| T1486 | Impact | Data Encrypted for Impact | Kaseya VSA, PDQ Deploy | Mass ransomware deployment via compromised RMM/deployment platforms affecting thousands of endpoints |
| T1098 | Persistence | Account Manipulation | Atera, ConnectWise | Creation of new administrative accounts on RMM platforms to maintain persistent access independent of compromised credentials |
Indicators of Compromise
The following IOCs are associated with observed RMM abuse campaigns. These indicators should be integrated into SIEM correlation rules, endpoint detection policies, and network monitoring infrastructure.
File hashes:
- e4a3b0f1c2d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1 — Trojanized AnyDesk installer (Scattered Spider)
- a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 — Modified ScreenConnect client with custom relay (Lazarus)
- f0e1d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a7f8e9d0c1b2a3f4e5d6c7b8a9f0e1 — AnyDesk portable executable used in LockBit pre-ransomware operations
- b9a8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8 — RustDesk binary deployed by Akira ransomware operators
Network indicators:
- *.net.anydesk.com — AnyDesk relay infrastructure (legitimate but should be monitored)
- *.screenconnect.com — ConnectWise ScreenConnect relay (legitimate but should be monitored)
- *.teamviewer.com — TeamViewer relay infrastructure (legitimate but should be monitored)
- *.atera.com — Atera cloud management (legitimate but should be monitored)
- relay-[hex].meshcentral.com — MeshCentral relay pattern observed in threat actor deployments
Registry keys:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AnyDesk
- HKLM\SYSTEM\CurrentControlSet\Services\AnyDesk
- HKLM\SYSTEM\CurrentControlSet\Services\ScreenConnect Client *
- HKLM\SOFTWARE\WOW6432Node\TeamViewer
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Splashtop
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AnyDesk.exe — User-level persistence (non-admin deployment)
File paths:
- C:\Users\*\AppData\Local\Temp\AnyDesk.exe — Portable AnyDesk in temp directory (suspicious)
- C:\Users\*\Downloads\AnyDesk.exe — AnyDesk in Downloads folder (suspicious)
- C:\ProgramData\AnyDesk\AnyDesk.exe — Non-standard installation path
- C:\Windows\Temp\ScreenConnect*\ — ScreenConnect in Windows Temp (suspicious)
- C:\Users\*\AppData\Local\Temp\RustDesk\rustdesk.exe — RustDesk portable deployment
- %APPDATA%\AnyDesk\ad_svc.exe — AnyDesk service in user AppData (non-standard)
Network ports:
- TCP 7070 — AnyDesk default relay port
- TCP 443 — HTTPS relay (all RMM tools)
- TCP 8040 — ConnectWise ScreenConnect relay
- TCP 5938 — TeamViewer default port
- TCP 21166 — RustDesk default relay port
- TCP 4343 — MeshCentral relay
- TCP 5900 — VNC-based RMM tools (Radmin)
Windows event IDs:
- Event ID 7045 — System log: New service installed (AnyDesk, ScreenConnect services)
- Event ID 4697 — Security log: A service was installed in the system
- Event ID 4688 — Security log: New process created (monitor for RMM executable paths)
- Event ID 1 — Sysmon: Process creation (RMM executables from non-standard paths)
- Event ID 3 — Sysmon: Network connection (RMM processes connecting to relay infrastructure)
- Event ID 13 — Sysmon: Registry value set (RMM persistence via Run keys)
- Event ID 11 — Sysmon: File created (RMM binaries written to disk)
Detection Strategies
Effective detection of RMM abuse requires a layered approach combining SIEM correlation, endpoint behavioral analysis, and network traffic monitoring. The following strategies are designed to identify unauthorized RMM tool deployment and usage while minimizing false positives from legitimate IT operations.
SIEM Detection Rules
Detects execution of known RMM tool processes from non-standard installation paths, indicating potential portable or unauthorized deployment.
```
_sourceCategory=endpoint/process
| where process_name in ("AnyDesk.exe","ScreenConnect.ClientService.exe",
    "TeamViewer.exe","rustdesk.exe","atera_agent.exe")
    OR process_name matches "Splashtop*.exe"
| where !(process_path matches "C:\\Program Files*")
    AND !(process_path matches "C:\\Program Files (x86)*")
| count by hostname, process_name, process_path, user
| sort by _count desc
```
The Splashtop binary name varies by component, so it is matched with a wildcard rather than listed in the exact-match set; the redundant `_count > 0` filter after the aggregation has been dropped.
Identifies RMM tool connections initiated outside normal business hours, which may indicate unauthorized access by threat actors operating in different time zones. The parseDate format string below is a placeholder; set it to the timestamp format your endpoint/network source actually emits.
```
_sourceCategory=endpoint/network
| where dest_port in ("7070","5938","8040","443","21166","4343")
| where process_name in ("AnyDesk.exe","ScreenConnect.ClientService.exe",
    "TeamViewer.exe","rustdesk.exe")
| parseDate(event_time, "yyyy-MM-dd HH:mm:ss") as event_ts
| formatDate(event_ts, "HH") as hour_of_day
| where hour_of_day < "06" OR hour_of_day > "22"
| count by hostname, process_name, dest_ip, dest_port, user
| sort by _count desc
```
Endpoint Detection Rules
- Unapproved RMM installation: Alert on Windows service creation (Event ID 7045) for any RMM tool not in the organization's approved software inventory. Maintain an allowlist of sanctioned RMM tools and alert on any deviation.
- Portable RMM execution: Flag execution of RMM executables from user-writable directories (Downloads, Temp, Desktop, AppData) rather than Program Files, indicating portable deployment without formal installation.
- Multiple RMM tools: Alert when more than one distinct RMM tool is detected on a single endpoint within a 24-hour window. Legitimate environments rarely require multiple concurrent RMM platforms on individual systems.
- RMM + credential tool correlation: Correlate RMM process execution with subsequent execution of credential dumping tools (Mimikatz, ProcDump targeting LSASS, comsvcs.dll) within a defined time window.
- RMM persistence creation: Monitor for creation of new scheduled tasks, services, or registry Run keys referencing RMM tool executables, particularly when created outside of approved change windows.
Network Detection
- RMM relay domain monitoring: Log and alert on DNS queries to RMM vendor relay domains (*.net.anydesk.com, *.screenconnect.com, *.teamviewer.com) from endpoints where those tools are not approved for use.
- Non-standard port detection: Monitor for RMM-associated traffic on unexpected ports, particularly when RMM tools are configured to use non-default ports to evade detection.
- TLS certificate analysis: Inspect TLS certificate metadata for connections to RMM relay infrastructure, identifying connections that use RMM vendor certificates from endpoints without approved RMM installations.
- Traffic volume anomalies: Baseline normal RMM traffic volumes and alert on significant deviations, which may indicate data exfiltration through RMM file transfer capabilities.
- Geolocation analysis: Flag RMM relay connections that terminate in geographic regions inconsistent with the organization's IT operations or MSP provider locations.
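To show how the SIEM, endpoint and network rules above combine in practice, the following is an added example (not code from this report or from Mjolnir Security) that applies the unapproved-tool, portable-path, multi-tool, credential-tool correlation, after-hours and relay-DNS rules to a handful of constructed telemetry lines. The key=value event format, the per-host allowlist and the host and user names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Executable names the report associates with RMM tools, keyed lowercase.
RMM_PROCESSES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "teamviewer.exe": "TeamViewer",
    "rustdesk.exe": "RustDesk",
    "atera_agent.exe": "Atera",
}
# Credential-dumping tooling the report says follows RMM access.
CRED_TOOLS = {"mimikatz.exe", "procdump.exe", "procdump64.exe"}
# Vendor relay domains from the report, mapped to the product they serve.
RELAY_DOMAINS = {
    "*.net.anydesk.com": "AnyDesk",
    "*.screenconnect.com": "ScreenConnect",
    "*.teamviewer.com": "TeamViewer",
}
# Install roots the SIEM rule treats as legitimate (compared case-insensitively).
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Hypothetical allowlist (assumption): which RMM product is sanctioned on which host.
APPROVED_RMM = {"WS-IT-01": {"ScreenConnect"}}


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def rmm_product(image):
    """Return the RMM product name for an image path, or None if it is not an RMM tool."""
    name = basename(image)
    if name in RMM_PROCESSES:
        return RMM_PROCESSES[name]
    return "Splashtop" if fnmatch(name, "splashtop*.exe") else None


def parse(line):
    """Parse one constructed 'key=value|key=value' telemetry line (assumed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def analyze(lines, multi_window=timedelta(hours=24), cred_window=timedelta(hours=2)):
    """Apply the report's endpoint and network rules; return de-duplicated alert tuples."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    rmm_exec = defaultdict(list)  # host -> [(timestamp, product)] for RMM process starts

    def add(alert):
        if alert not in alerts:
            alerts.append(alert)

    for e in events:
        host, kind = e["host"], e["type"]
        approved = APPROVED_RMM.get(host, set())
        prod = rmm_product(e.get("image", ""))
        if kind == "process" and prod:
            rmm_exec[host].append((e["ts"], prod))
            if prod not in approved:  # unapproved RMM installation
                add(("unapproved_rmm", host, prod))
            if not e["image"].lower().startswith(INSTALL_ROOTS):  # portable RMM execution
                add(("portable_rmm_path", host, e["image"]))
            seen = {p for t, p in rmm_exec[host] if e["ts"] - t <= multi_window}
            if len(seen) > 1:  # multiple RMM tools on one endpoint within the window
                add(("multiple_rmm_tools", host, tuple(sorted(seen))))
        elif kind == "process" and basename(e["image"]) in CRED_TOOLS:
            # RMM + credential tool correlation: dumper starts soon after an RMM process
            if any(e["ts"] - t <= cred_window for t, _ in rmm_exec[host]):
                add(("rmm_then_credential_dump", host, basename(e["image"])))
        elif kind == "network" and prod and (e["ts"].hour < 6 or e["ts"].hour > 22):
            add(("after_hours_rmm_connection", host, prod))  # mirrors the after-hours SIEM rule
        elif kind == "dns":
            for pattern, relay_prod in RELAY_DOMAINS.items():
                if fnmatch(e["query"], pattern) and relay_prod not in approved:
                    add(("relay_dns_unapproved_host", host, relay_prod))
    return alerts


# Constructed sample telemetry: one sanctioned ScreenConnect host and one workstation
# showing the portable AnyDesk -> RustDesk -> ProcDump -> after-hours relay chain.
SAMPLE_EVENTS = [
    "ts=2024-05-14T09:12:00|type=process|host=WS-IT-01|user=itadmin"
    "|image=C:\\Program Files (x86)\\ScreenConnect Client (x)\\ScreenConnect.ClientService.exe",
    "ts=2024-05-14T10:03:21|type=process|host=WS-FIN-07|user=jdoe|image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "ts=2024-05-14T10:05:02|type=dns|host=WS-FIN-07|query=relay-xyz.net.anydesk.com",
    "ts=2024-05-14T10:41:55|type=process|host=WS-FIN-07|user=jdoe"
    "|image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\RustDesk\\rustdesk.exe",
    "ts=2024-05-14T11:20:10|type=process|host=WS-FIN-07|user=jdoe|image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\procdump64.exe",
    "ts=2024-05-15T02:17:40|type=network|host=WS-FIN-07|image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe|dst=203.0.113.10|dport=7070",
]


def run_sample():
    return analyze(SAMPLE_EVENTS)
```

Calling `run_sample()` yields eight alerts for WS-FIN-07 and none for the sanctioned WS-IT-01 host; swapping SAMPLE_EVENTS for parsed Sysmon Event ID 1, 3 and 22 records is the only change needed to run it over real telemetry.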
Recommendations
Immediate Actions (0-30 Days)
- Audit all RMM tools: Conduct an immediate inventory of all RMM software installed across the environment. Identify and remove any unauthorized or unapproved RMM tools. Document the approved RMM tool(s) and establish a formal policy.
- Implement application whitelisting for RMM: Configure application control policies to block execution of RMM tools not explicitly approved by the organization. Block portable/standalone RMM executables from running in user-writable directories.
- Enforce MFA on all RMM platforms: Require multi-factor authentication for all administrative access to RMM management consoles. Disable SMS-based MFA in favor of FIDO2/WebAuthn hardware tokens or authenticator applications.
- Deploy SIEM detection rules: Implement the detection queries provided in this report to identify unauthorized RMM installations, after-hours sessions, and anomalous RMM behavior patterns.
- Review MSP access controls: If using a managed service provider, review and restrict their RMM access scope. Implement jump server requirements for MSP access and ensure all MSP sessions are logged and monitored.
Medium-Term Hardening (30-90 Days)
- Network segmentation for RMM traffic: Restrict RMM relay communications to specific network segments and proxy through monitored chokepoints. Implement firewall rules that limit RMM relay connectivity to approved endpoints only.
- Endpoint hardening: Disable unused remote access features (Remote Desktop, Remote Assistance, WinRM) on endpoints that do not require them. Apply attack surface reduction (ASR) rules to prevent abuse of built-in remote access capabilities.
- Privileged access management (PAM): Implement PAM solutions for all administrative access, including RMM-based sessions. Require just-in-time (JIT) elevation for RMM administrative actions and maintain full session recording.
- DNS filtering and monitoring: Deploy DNS security solutions that can identify and optionally block connections to RMM relay infrastructure from unauthorized endpoints. Maintain comprehensive DNS query logs for forensic analysis.
- Help desk social engineering training: Implement enhanced identity verification procedures for help desk operations, including callback verification, manager approval for MFA resets, and voice biometric solutions where available.
- Vulnerability management for RMM platforms: Prioritize patching of RMM platform vulnerabilities, particularly for self-hosted ConnectWise ScreenConnect, Kaseya VSA, and similar platforms. The ConnectWise ScreenConnect CVE-2024-1709 authentication bypass demonstrated the criticality of timely RMM patching.
Strategic Recommendations
- Adopt Zero Trust for remote access: Transition from perimeter-based RMM access models to Zero Trust Network Access (ZTNA) architectures that enforce continuous authentication, device posture validation, and least-privilege access for every remote session.
- RMM vendor consolidation: Reduce the number of approved RMM platforms to the minimum necessary. Each additional RMM tool increases the attack surface and complicates monitoring. Aim for a single, well-monitored RMM solution.
- Threat-informed defense program: Establish a continuous threat intelligence program that tracks RMM abuse TTPs and translates emerging threat actor behaviors into updated detection rules, hunting hypotheses, and security control validations.
- Purple team exercises: Conduct regular purple team exercises that simulate RMM abuse scenarios, testing the organization's ability to detect unauthorized RMM deployment, lateral movement via RMM tools, and ransomware deployment through compromised RMM platforms.
- Supply chain risk management: Implement formal third-party risk management processes for MSPs and other providers with RMM access. Require contractual security obligations, regular security assessments, and incident notification requirements.
References
- CISA, NSA, MS-ISAC. "Protecting Against Malicious Use of Remote Monitoring and Management Software." Joint Cybersecurity Advisory AA23-025A, January 2023.
- Mandiant. "Scattered Spider: A Cyber Crime Group Targeting Telecoms and BPO Firms." UNC3944 Threat Report, 2023.
- CISA. "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection." Joint Advisory on VOLT TYPHOON, May 2023.
- Huntress Labs. "ConnectWise ScreenConnect Authentication Bypass (CVE-2024-1709)." Threat Advisory, February 2024.
- FBI, CISA. "Akira Ransomware Indicators of Compromise and Tactics, Techniques, and Procedures." Joint Advisory AA24-109A, April 2024.
- Sophos. "The State of Ransomware 2024: RMM Tool Abuse in Ransomware Attacks." Annual Report, 2024.
- CrowdStrike. "2024 Global Threat Report: Identity-Based Attacks and RMM Exploitation." Annual Threat Report, 2024.
- MITRE ATT&CK. "T1219: Remote Access Software." MITRE Corporation, 2024.
- CISA. "Kaseya VSA Supply-Chain Ransomware Attack." Alert AA21-188A, July 2021.
- Microsoft. "VOLT TYPHOON targets US critical infrastructure with living-off-the-land techniques." Microsoft Threat Intelligence, May 2023.
Defend Against RMM Abuse
Mjolnir Security provides comprehensive services to help organizations detect, prevent, and respond to RMM tool abuse across their environments.
- GERI Autonomous Penetration Testing: Continuously validate your defenses against RMM abuse attack chains with autonomous adversary simulation that tests detection coverage across the full kill chain.
- HILDR Deception Tokens: Deploy honeypot RMM configurations and canary credentials that alert on unauthorized RMM deployment attempts and lateral movement, providing early warning of compromise.
- Threat Intelligence & Detection Engineering: Receive curated intelligence on emerging RMM abuse campaigns, threat actor TTPs, and production-ready detection rules mapped to the MITRE ATT&CK framework.
Contact us: mjolnirsecurity.com | 24/7 Incident Response: 1-800-MJOLNIR