TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

How Threat Actors Abuse Remote Management Tools | Huntress

2026-03-11

ATT&CK techniques detected

15 predictions
T1219 Remote Access Tools · 99%
“How Threat Actors Abuse Remote Management Tools | Huntress. The abuse of remote monitoring and management (RMM) tools is a trend that has been quietly building for some time. As an industry, we recognise it well and tend to speak about it in hushed tones. But it isn’t flashy, …”

T1219 Remote Access Tools · 98%
“…entire playbooks around these tools to drop malware, steal credentials, and execute commands. This blog analyses several cases we investigated during December 2025 and January 2026 to demonstrate a common tactic we see with RMM abuse: daisy-chaining distinct RMM tools to fragm…”

T1219 Remote Access Tools · 96%
“…mail valid access combo list. Once they have the lists, they use Lite 1.7 Email Extractor to parse the data. Figure 19: Lite 1.7 Email Extractor. Skimming over a lot of the initial tooling, we get to the threat actor installing ScreenConnect with the version 25.2.4.9229 and…”

T1219 Remote Access Tools · 94%
“…s persist. Sharing those patterns does far more to disrupt attacker workflows than static IOC lists ever will. RMM abuse isn’t really a tooling problem; it’s a trust problem. Until the industry collectively adjusts how much implicit trust these tools are granted by default…”

T1566.002 Spearphishing Link · 86%
“…predictable themes such as the United States tax season, or lures impersonating the Social Security Administration, because they’re easy to mass-produce and reliably generate clicks. These lures are pushed via broad email campaigns or surfaced through search-engine poisonin…”

T1219 Remote Access Tools · 83%
“…vvip_*invitation*.msi - eveninggathering_previewrsvp*.msi - events_*invitation*.msi. As an industry, RMM vendors need to take a more active role in addressing abuse within their platforms and make it easier for security teams and victims to report misuse. The repeate…”

T1566.002 Spearphishing Link · 81%
“…social_security_estatement_*.exe - social-security_document*.exe - ssa_estatement*.exe - my_social_security_estatement_*.exe - socialsecurityadministration-statement.msi - ssa statement.scr. Alongside these, invitation and RSVP-themed campaigns contin…”

T1219 Remote Access Tools · 65%
“…bar. RMM platforms vary widely in what they expose: installer prevalence, deployment history, audit logs, and parent-child process relationships are often incomplete or absent. Establishing baseline expectations for logging and transparency would make abuse easier to detect an…”

T1566.002 Spearphishing Link · 64%
“…tyto.msi. One particular repository, rty, was of interest and demonstrates a more deliberate approach to infrastructure setup. Rather than hosting content on a disposable file-sharing platform, the threat actor likely configured a custom domain via GitHub that references the…”

T1566.001 Spearphishing Attachment · 60%
“…social_security_estatement_*.exe - social-security_document*.exe - ssa_estatement*.exe - my_social_security_estatement_*.exe - socialsecurityadministration-statement.msi - ssa statement.scr. Alongside these, invitation and RSVP-themed campaigns contin…”

T1598.003 Spearphishing Link · 51%
“…predictable themes such as the United States tax season, or lures impersonating the Social Security Administration, because they’re easy to mass-produce and reliably generate clicks. These lures are pushed via broad email campaigns or surfaced through search-engine poisonin…”

T1586.002 Email Accounts · 41%
“…used as potential lead lists, sold to other threat actors, and even reused by the threat actors themselves to distribute future phishing lures. Figure 16: Email Extractor. Alongside the email extractor, the threat actor also downloaded and used Proxy SwitchyOmega 3 (ZeroOmega) …”

T1566.002 Spearphishing Link · 40%
“…, and everything else is blocked. If the visitor is identified as running Windows, the page transitions to the “success” state and continues toward delivery. If not, the user is presented with an “access denied” message instructing them to use a Windows device instead. Figure…”

T1586.002 Email Accounts · 37%
“…ring intent solely from external telemetry. Through this observation, we were able to identify elements of the toolkits they were using, along with a consistent motive: gathering as much information as possible to later monetise. The threat actor purchased a virtual private se…”

T1219 Remote Access Tools · 31%
“…, including QuickBooks and Coinbase, indicating an objective of rapidly identifying monetisable access. Despite this intent, the script reflected limited technical maturity. In one example, code comments indicated that harvested data would be transmitted to a threat-actor-con…”

Summary

The abuse of remote monitoring and management (RMM) tools is surging. See how threat actors daisy chain RMM software for initial access, persistence, and detection evasion.