Legitimate Tools, Malicious Intent: How Attackers Weaponize RMM Software
Trust in familiar IT tools is increasingly being weaponized by malicious actors: remote monitoring and management (RMM) solutions—originally designed for administration and support—are now leveraged for attacks, covert control, and data exfiltration. Security professionals are observing increasingly sophisticated methods of deploying such tools, making detection and remediation significantly more challenging.
In a recent campaign investigated by experts at Sublime Security, two widely used RMM agents—Atera and Splashtop Streamer—were embedded within a single malicious distribution. This redundancy enhances the resilience of the attackers’ infrastructure: even if one component is discovered and removed, the other remains operational, maintaining unauthorized access.
The initial stage of the attack hinges on the compromise of a Microsoft 365 account. Exploiting users’ trust in familiar platforms, attackers distribute phishing emails disguised as OneDrive notifications. These messages feature official icons and standard privacy footers, and contain a link that ostensibly points to a typical DOCX document. In reality, the downloaded file includes a deceptive extension—“.msi” appended to a legitimate filename—enabling the silent installation of malware without arousing suspicion.
On the surface, the installation of the Atera Agent appears to be legitimate and prompts for confirmation. Meanwhile, in the background, the system quietly installs Splashtop Streamer and the .NET Runtime 8 environment—all fetched from official sources, lending an illusion of normalcy to the network activity. This approach fuses the illusion of security with the covert deployment of long-term surveillance tools.
Once active, both RMM tools grant attackers full remote control capabilities, including keystroke logging, file transfer, and arbitrary command execution—all without any visible signs of compromise.
Although this particular attack was intercepted before reaching its final stage, the perpetrators’ ultimate objective remains unclear: whether it was data encryption, corporate espionage, or lateral movement across the infrastructure.
Indicators of such attacks include anomalous behavior in email services and applications—extension spoofing, messages from previously unknown senders, and mass mailings via hidden distribution lists. These phishing emails rely on a blend of social engineering and technical manipulation: familiar branding, polished formatting, and links to “cdn.discordapp[.]com”—a delivery channel often exploited due to its reliability and limited filtering.
Combating such threats cannot rely solely on signature-based defenses. Experts recommend behavior-based detection and monitoring for irregular activities, such as extension spoofing, along with rigorous metadata analysis and network traffic inspection.
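As an added illustration (not code from the Sublime Security report), the following Python triage routine applies the indicators listed above to constructed message samples: a sender outside an allow-list, a link to the abused CDN host, a document extension followed by an executable one (the ".docx.msi" pattern), and an installer path naming either RMM agent. The sender addresses, allow-list and URL paths are constructed for this example.

```python
import re
from urllib.parse import urlparse, unquote

# Heuristics derived from the campaign described in the article.
DOC_EXTS = {"docx", "doc", "pdf", "xlsx", "pptx"}       # benign-looking decoy extensions
EXEC_EXTS = {"msi", "exe", "scr", "bat", "ps1", "js"}     # what actually executes
RMM_TERMS = ("atera", "splashtop")                         # agents bundled in the campaign
ABUSED_CDNS = {"cdn.discordapp.com"}                       # delivery host named in the report
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def spoofed_extension(filename: str) -> bool:
    """True when a document extension is directly followed by an executable one,
    e.g. Q3_Report.docx.msi. Plain installers (setup.msi) are not flagged here."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] in EXEC_EXTS

def analyze_message(msg: dict) -> list[str]:
    """Return indicator tags for a message dict with keys sender, known_senders, body.
    An empty list means none of the campaign's indicators were observed."""
    hits = []
    allow = {s.lower() for s in msg["known_senders"]}
    if msg["sender"].lower() not in allow:
        hits.append("unknown-sender")
    for url in URL_RE.findall(msg["body"]):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = unquote(parsed.path)
        name = path.rsplit("/", 1)[-1]
        if host in ABUSED_CDNS:
            hits.append(f"abused-cdn:{host}")
        if spoofed_extension(path):
            hits.append(f"spoofed-extension:{name}")
        if any(term in name.lower() for term in RMM_TERMS):
            hits.append(f"rmm-installer:{name}")
    return hits

# Constructed samples: a lure in the style described above, and a benign internal share.
PHISH = {
    "sender": "no-reply@onedrive-share-notify.example",
    "known_senders": ["it-helpdesk@corp.example"],
    "body": "A document was shared with you: "
            "https://cdn.discordapp.com/attachments/constructed/Q3_Report.docx.msi",
}
BENIGN = {
    "sender": "it-helpdesk@corp.example",
    "known_senders": ["it-helpdesk@corp.example"],
    "body": "Updated file: https://sharepoint.corp.example/docs/Q3_Report.docx",
}

if __name__ == "__main__":
    for label, msg in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(label, analyze_message(msg))
```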
The most effective preventive measures include enforced two-factor authentication, URL filtering, continuous auditing of installed software, and cybersecurity training for staff—particularly in distinguishing legitimate notifications from social engineering attempts.
These attacks—built on trust, user inertia, and the stealthy deployment of legitimate tools—are among the most elusive and difficult to investigate. Recognizing this reality is essential to reshaping corporate processes and reducing the risk of compromise.