Security researchers are warning about a wave of phishing campaigns that deploy remote monitoring and management (RMM) software to gain unauthorized access to victim machines. According to a recent report from Red Canary, attackers are increasingly abusing legitimate IT administration tools such as ITarian (Comodo), PDQ, SimpleHelp, and Atera to bypass defenses and establish persistence.
Multiple Phishing Lures Observed
The campaigns use several social engineering tactics to trick users into downloading RMM installers disguised as trusted applications or documents:
- Fake browser updates – Victims are redirected to malicious websites prompting them to click an “Update Chrome” button, which instead downloads the ITarian RMM Microsoft Installer (MSI).
- Meeting invites – Emails containing links to fraudulent Microsoft Teams or Zoom installers, which ultimately deploy Atera, PDQ, or ScreenConnect tools.
- Party invitations – Messages with attachments like “Party Card Viewer” or “E-Invite,” delivering the Atera RMM through a Cloudflare R2 storage domain trusted by the target’s system.
- Government forms – Fraudulent Social Security, W9, or tax return forms that trigger the installation of PDQ Connect, SimpleHelp, or ScreenConnect. In some cases, attackers chain multiple RMM tools in quick succession.
Why RMM Abuse Is Dangerous
Although RMM software is widely used for legitimate IT administration, in the wrong hands it can enable ransomware deployment, data theft, or long-term surveillance. The ability of adversaries to disguise installers behind convincing lures makes these campaigns particularly effective.
Red Canary emphasized the importance of implementing robust detection and control mechanisms to mitigate risk. Suggested strategies include:
- Deploying endpoint detection and response (EDR) solutions.
- Maintaining an “approved tools” list and blocking unauthorized software.
- Enhancing network visibility with controls such as browser isolation, suspicious domain monitoring, and closer inspection of trusted services like Cloudflare R2.
Indicators of Malicious RMM Use
To distinguish between legitimate and malicious activity, security teams need to understand normal tool behavior. Common red flags include:
- Renamed or altered installer files.
- Installation from unusual directories.
- Downloads from domains not affiliated with the RMM vendor.
- Suspicious outbound network connections initiated by the tool.
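The red flags above, together with the "approved tools" list from the mitigation section, can be turned into a simple triage rule over installer telemetry. The following Python is an added example, not code from Red Canary or the article; the vendor hostnames, expected install directories and sample events are constructed placeholders that a defender would replace with values from the vendor's documentation and their own proxy, browser-history and EDR logs.

```python
from dataclasses import dataclass, field

# Assumed per-product allowlist of vendor infrastructure (download and relay hosts).
# Constructed placeholders; a defender fills these in from the vendor's documentation.
VENDOR_HOSTS = {
    "atera": {"agent.atera-vendor.test"},
    "itarian": {"agent.itarian-vendor.test"},
    "pdq": {"agent.pdq-vendor.test"},
}
# Directories a sanctioned, policy-driven install is expected to use (assumption).
EXPECTED_INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

@dataclass
class InstallerEvent:
    product: str          # RMM product, lowercased (e.g. from the MSI's version resource)
    file_name: str        # name the file was written to disk under
    original_name: str    # OriginalFilename field from the version resource
    install_dir: str      # directory the installer executed from
    download_domain: str  # host the file was fetched from (proxy or browser history)
    outbound: list = field(default_factory=list)  # hosts the tool connected to afterwards

def triage(event: InstallerEvent, approved_products=()) -> list:
    """Return the list of red flags an event trips; an empty list means no finding."""
    flags = []
    vendor = VENDOR_HOSTS.get(event.product, set())
    if event.file_name.lower() != event.original_name.lower():
        flags.append("renamed installer")
    if not event.install_dir.lower().startswith(EXPECTED_INSTALL_DIRS):
        flags.append("unusual install directory")
    if event.download_domain not in vendor:
        flags.append("download from non-vendor domain")
    if event.product not in approved_products:
        flags.append("product not on approved tools list")
    unexpected = sorted(h for h in event.outbound if h not in vendor)
    if unexpected:
        flags.append("unexpected outbound: " + ", ".join(unexpected))
    return flags

# Constructed sample events modelled on the lures described above.
FAKE_CHROME_UPDATE = InstallerEvent(
    product="itarian", file_name="ChromeUpdate.msi", original_name="itarian-agent.msi",
    install_dir="C:\\Users\\alice\\Downloads\\", download_domain="chrome-update.lure.test",
    outbound=["agent.itarian-vendor.test", "relay.lure.test"],
)
SANCTIONED_PDQ = InstallerEvent(
    product="pdq", file_name="pdq-agent.msi", original_name="pdq-agent.msi",
    install_dir="C:\\Program Files\\PDQ\\", download_domain="agent.pdq-vendor.test",
    outbound=["agent.pdq-vendor.test"],
)
```

Calling `triage(FAKE_CHROME_UPDATE, approved_products=("pdq",))` trips all five checks, while the sanctioned PDQ event returns no findings; in practice the allowlists are the part that needs maintaining, since the checks themselves are only as good as the vendor host and approved-product data behind them.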
As attackers continue to exploit trusted RMM platforms, organizations must strengthen defenses at both the endpoint and network layers. A proactive approach can help identify and contain compromises before they escalate into large-scale breaches.
Source: https://www.infosecurity-magazine.com/news/phishing-campaigns-rmm-tools