216.73.217.22

Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker's First Choice

· Published 12/03/2025 16:00 · Modified 12/03/2025 16:31

Export JSON

Essential information

Published
12/03/2025 16:00
Modified
12/03/2025 16:31
Tags
2025-03-12 astaroth asyncrat atera bluetrait cybercrime email campaigns fleetdeck grandoreiro guildma initial access lumma stealer mispadu netsupport remcos remote access rmm screenconnect
Related entities
15 observables, 19 techniques (mitre), 12 malware, 11 others

Description

Threat actors are increasingly using legitimate remote monitoring and management () tools as initial payloads in . This trend aligns with a decrease in the use of traditional loaders and botnets by brokers. RMMs can be exploited for data collection, financial theft, lateral movement, and installing additional malware. Notable tools observed in campaigns include , , and . The shift towards usage coincides with law enforcement disruptions of major malware families and a decline in ransomware payments. Specific threat actors like TA583 and TA2725 have been observed incorporating RMMs into their attack strategies. Organizations are advised to restrict unauthorized installations, implement network detections, and train users to identify suspicious activity.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (15)

  • 45.155.249.215
  • 185.157.213.71
  • 109.71.247.168
  • https://safelink.vn/OsDXr
  • https://safelink.vn/GESLx
  • https://retireafter5m.co/Bin/Recently_S_S_A_eStatementForum_Viewr5406991387785667481_Pdf.Client.exe?e=Access&y=Guest&s=1fa76235-0891-43b3-9773-feba750a3852&i=Buss1
  • https://online.invoicesing.es/Bin/Statement.ClientSetup.exe?e=Access&y=Guest&c=Black_Cat&c=&c=&c=&c=&c=&c=&c=\
  • https://kalika.bluetrait.io/api/
  • https://3650ffice.anticlouds.su/Fraud_Alert_black/
  • http://www.farrarscieng.com/re.php
  • http://45.155.249.215/xxx.zip
  • http://185.157.213.71:443
  • b8fd2b4601b09aacd760fbede937232349bf90c23b35564ae538ed13313c7bd0
  • 97b35a7673ae59585ad39d99e20d9028ac26bbccb50f2302516520f544fe637e
  • 4c4e15513337db5e0833133f587e0ed131d4ebb65bb9a3d6b62a868407aae070

Techniques (MITRE) (19)

Malware (12)

  • Bluetrait
    Family
    Published 12/03/2025 16:00 · Modified 12/03/2025 16:00
  • Mispadu - S1122
    Family
    Published 12/03/2025 16:00 · Modified 12/03/2025 16:00
  • Atera
    Family
    Published 17/04/2026 23:18 · Modified 17/04/2026 23:18
  • Fleetdeck
    Family
    Published 03/11/2025 14:28 · Modified 03/11/2025 14:28
  • Grandoreiro - S0531
    Family
    Published 19/05/2026 22:26 · Modified 19/05/2026 22:26
  • Guildma
    Family
    Published 19/05/2026 22:26 · Modified 19/05/2026 22:26
  • Astaroth - S0373
    Family
    Published 19/05/2026 22:26 · Modified 19/05/2026 22:26
  • ScreenConnect
    Family
    Published 08/05/2026 02:49 · Modified 08/05/2026 02:49
  • Lumma Stealer
    Family
    Published 08/06/2026 19:36 · Modified 08/06/2026 19:36
  • Remcos
    Family
    Published 05/05/2026 18:45 · Modified 05/05/2026 18:45
  • NetSupport
    Family
    Published 03/11/2025 14:28 · Modified 03/11/2025 14:28
  • AsyncRAT
    Family
    Published 11/06/2026 16:31 · Modified 11/06/2026 16:31

Others (11)

  • Spain
  • Canada
  • France
  • Mexico
  • Ukraine
  • Brazil
  • United States of America
  • Energy
  • Finance
  • Telecommunications
  • Government

External references