{
  "name": "A Series of Unfortunate (RMM) Events",
  "slug": "a-series-of-unfortunate-rmm-events",
  "description": "Series of Unfortunate Events\nSummary: This analysis examines the increasing trend of threat actors abusing Remote Monitoring and Management (RMM) tools in their attacks. The report highlights a specific pattern where attackers use PDQ or GoTo Resolve to deploy secondary RMM tools like ScreenConnect or SimpleHelp. Multiple examples are provided, including a real estate company compromised through a phishing email, an investment firm attacked via a malicious download, and a car dealer targeted through multiple RMM installations. The report also discusses various social engineering lures used by attackers, such as holiday-themed messages and fake bid transcripts. It emphasizes the importance of a managed Security Operations Center (SOC) in detecting and mitigating these threats, and provides recommendations for businesses to prevent RMM abuse.",
  "published": "2025-12-19T17:30:02+00:00",
  "created_at": "2025-12-19T17:30:02+00:00",
  "modified_at": "2025-12-21T22:06:55+00:00",
  "created_at_opencti": "2025-12-19T17:30:02+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-12-19",
    "goto resolve",
    "multiple rmm tools",
    "pdq",
    "persistence",
    "phishing",
    "rmm abuse",
    "screenconnect",
    "simplehelp",
    "social engineering"
  ],
  "related_entities": {
    "attack_patterns": [
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "stsmithchurchitems.shop"
      },
      {
        "id": "",
        "name": "support.innerschapel.com"
      },
      {
        "id": "",
        "name": "abre.ai"
      },
      {
        "id": "",
        "name": "con.wepivifllc.de"
      },
      {
        "id": "",
        "name": "xtroloozyanimailfeeddeals.shop"
      },
      {
        "id": "",
        "name": "ssaaccount-helper.icu"
      },
      {
        "id": "",
        "name": "elegantparty.de"
      },
      {
        "id": "",
        "name": "deuwre.com"
      },
      {
        "id": "",
        "name": "wilkensealsivc.shop"
      }
    ]
  },
  "external_refs": [
    "https://www.huntress.com/blog/series-of-unfortunate-rmm-events",
    "https://otx.alienvault.com/pulse/694599aaebd14cabed495145"
  ]
}