Email-Delivered RMM: Abusing PDFs for Silent Initial Access
Essential information
- Published
- 07/08/2025 15:19
- Modified
- 07/08/2025 22:21
- Tags
- 2025-08-07 france initial access luxembourg pdf phishing rmm social engineering
- Related entities
- 51 observables, 7 others
Description
A targeted campaign has been observed since November 2024, primarily affecting organizations in France and Luxembourg. The attackers use socially engineered emails to deliver PDF documents containing embedded links to Remote Monitoring and Management (RMM) tool installers. This method bypasses many email and malware defenses. The PDFs are tailored to the victim's industry and often disguised as invoices, contracts, or property listings. The activity focuses on high-value sectors such as energy, government, banking, and construction. Various RMM tools are used, including FleetDeck, Atera, and Bluetrait. The attackers leverage direct download links and tools that require minimal setup, streamlining the infection process. This approach allows threat actors to gain initial access, disable security features, and potentially deploy subsequent malware using trusted tools.