TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Rogue RMMs: Common Social Engineering Tactics We Saw in 2025

2025-12-31

ATT&CK techniques detected

11 predictions
T1219 Remote Access Tools (99%)
“rogue rmms: common social engineering tactics we saw in 2025. special thanks to austin worline for his contributions to this blog post. the huntress security operations center (soc) frequently comes across incidents involving rogue screenconnect installations. at the end of sep…”

T1566.001 Spearphishing Attachment (98%)
“…ct infection that was likely delivered through phishing. figure 2: the detection timeline for a rogue screenconnect infection with an “invitation” lure. the statement/invoice: threat actors continue to rely on a classic social engineering tactic: lures involving invoices or…”

T1219 Remote Access Tools (98%)
“like rdp, logmein, teamviewer, atera, vnc, and ninjarmm. for businesses, security awareness training can help employees spot red flags or suspicious requests to download executables disguised as invoices or otherwise. if a rogue screenconnect attack is underway, however, huntress…”

T1219 Remote Access Tools (88%)
“lure that led to a rogue screenconnect installation. while we don’t have visibility into the initial phishing email, the invitation-aligned lures in this landing page suggest that it was also themed around an invitation. after the user clicked the button, it set off the downlo…”

T1204.002 Malicious File (81%)
“actors, as several users downloaded the executable. several users even downloaded the executable multiple times: figure 3: a user downloading a renamed screenconnect executable several times. in a separate incident in march, a user at a company was observed executing a file invo…”

T1204.002 Malicious File (71%)
“…ing “a very small number of screenconnect customers.” however, huntress also frequently sees threat actors hijacking and using existing rmm software already installed on victims’ machines, or deploying and installing an attacker’s preferred rmm onto victims’ computers. th…”

T1566.001 Spearphishing Attachment (70%)
“saw that were linked to rogue screenconnect instances. figure 8: total occurrences per account name for rok628[.]mxhelp[.]top. figure 9: total occurrences per account name for yoc736[.]ikhelp[.]top. figure 10: total occurrences per account name for slplegalfinance[.]…”

T1566.002 Spearphishing Link (70%)
“saw that were linked to rogue screenconnect instances. figure 8: total occurrences per account name for rok628[.]mxhelp[.]top. figure 9: total occurrences per account name for yoc736[.]ikhelp[.]top. figure 10: total occurrences per account name for slplegalfinance[.]…”

T1204.002 Malicious File (48%)
“…ct infection that was likely delivered through phishing. figure 2: the detection timeline for a rogue screenconnect infection with an “invitation” lure. the statement/invoice: threat actors continue to rely on a classic social engineering tactic: lures involving invoices or…”

T1204.002 Malicious File (47%)
“which have been redacted below), and in other cases, they contained a variation of the same name with different numbers at the end. we also collected the top sha256 hashes linked to signals indicating rogue screenconnect instances from january through september 2025. the table b…”

T1598.002 Spearphishing Attachment (30%)
“saw that were linked to rogue screenconnect instances. figure 8: total occurrences per account name for rok628[.]mxhelp[.]top. figure 9: total occurrences per account name for yoc736[.]ikhelp[.]top. figure 10: total occurrences per account name for slplegalfinance[.]…”

Summary

From lures involving Social Security statements to top domains and hashes used in attacks, here's an in-depth look at incidents involving ScreenConnect in 2025.