
How Phishing Campaigns Abuse Remote Monitoring and Management Tools

Remote monitoring and management tools, often called RMM tools, are not malware by default. IT teams use them every day to support employees, troubleshoot computers, deploy software, and manage systems remotely. That legitimacy is exactly why attackers like them.

A recent Red Canary Intelligence and Zscaler threat-hunting report describes phishing campaigns that trick users into installing RMM tools such as ITarian, PDQ, SimpleHelp, Atera, and ScreenConnect. Once installed, these tools can give an attacker remote access that looks a lot like normal IT administration activity. That makes detection harder, especially in organizations that already use RMM software legitimately.

Why RMM Tools Are Attractive to Attackers

Traditional malware often stands out. It may use suspicious file names, strange network behavior, or obvious persistence mechanisms. RMM tools are different. They are legitimate, signed, and commonly used by IT teams.

Attackers abuse that trust in a few ways:

  • They can gain interactive remote access to a victim's machine
  • They can blend in with normal administrator behavior
  • They can use the tool to download additional payloads
  • They can maintain access without immediately triggering malware-focused defenses

Red Canary notes that RMM tools have been used to download additional malware, including information stealers, and may act as a precursor to ransomware activity.

The Four Phishing Lures Observed

Red Canary and Zscaler identified four common lure themes used to convince victims to download RMM tools: fake browser updates, meeting invitations, party invitations, and fake government forms.

1. Fake Browser Updates

One campaign used compromised websites to display fake browser update messages. A visitor would see a page claiming that Chrome or another browser needed to be updated before they could continue. When the user clicked the update button, they downloaded an ITarian RMM installer instead of a real browser update.

The attack used injected JavaScript to create a full-screen overlay, detect the user's environment, and redirect victims to suspicious infrastructure. Red Canary observed tactics such as browser fingerprinting, language-based geolocation indicators, engagement tracking, and fallback domains in case one malicious domain was blocked. In one case, the installed ITarian service executed a suspicious process named DicomPortable.exe, modified the registry for persistence, and connected outbound to download additional payloads, including HijackLoader and DeerStealer.

2. Meeting Invitation Lures

Another common tactic impersonated trusted workplace applications such as Microsoft Teams, Zoom, Microsoft Excel, Adobe Acrobat Reader, and Adobe Express. The phishing pages either bundled RMM tools with what appeared to be legitimate installers or disguised the RMM installer as meeting software. File names like MicrosoftTeams.msi helped the downloads look believable.

These campaigns also used device-aware logic. Red Canary observed pages that checked the user's browser and operating system through the HTTP User-Agent and redirected users differently depending on whether they appeared to be on Windows, Android, iPhone, or other platforms. Some phishing pages also captured visitor and download logs, storing them on the webserver and sharing them through Telegram Bot API channels. This kind of tracking helps attackers measure which lures are working and which victims downloaded the payload.

3. Party Invitation Lures

Attackers also used fake e-invites and party-card themes to trick users into downloading MSI installers. Examples included names like "Party Card Viewer" or "E-Invite." In one case, a phishing email delivered Atera through a Cloudflare R2 object storage domain, taking advantage of a trusted hosting platform to distribute the payload.

This is a good example of "living off trusted sites," where attackers host or route malicious activity through legitimate platforms because those services are less likely to be blocked outright.

Red Canary also observed cases where attackers installed more than one RMM tool in quick succession. One incident began with SimpleHelp downloaded from a fake invite site, followed quickly by the installation of ScreenConnect. This likely gave the attacker multiple ways to regain access if one tool was removed or blocked.

4. Fake Government Forms

Government-themed lures remain effective because they create urgency and anxiety. In this campaign, attackers impersonated U.S. government documents such as Social Security statements, W-9 forms, and income tax returns. The RMM payloads varied, but Red Canary frequently observed PDQ Connect, SimpleHelp, and ScreenConnect.

One example involved a malicious installer named capilotmcupdate.msi that executed ScreenConnect using infrastructure associated with a fake IRS-themed lure. Red Canary also listed several government-form lure domains, including fake IRS and tax-themed pages.

What Makes These Attacks Hard to Detect?

The central challenge is that the tool itself may not be malicious. An RMM agent running on a workstation is not automatically suspicious if the organization uses that product. The suspicious part is the context.

Security teams should ask questions like:

  • Is this RMM tool approved in our environment?
  • Was it installed by IT, or by a user clicking a web link?
  • Did it execute from a normal directory?
  • Is the installer coming from the vendor's official domain?
  • Is the account or tenant tied to our organization?
  • Is the RMM process spawning unusual child processes?
  • Is it being installed alongside another RMM tool?

Red Canary emphasizes that organizations need to understand their normal RMM baseline. Suspicious signs include renamed binaries, downloads from non-standard domains, execution from unusual directories, and unexpected network connections.

Practical Detection Ideas

A strong defense starts with visibility. Endpoint telemetry should record process names, parent-child process relationships, command-line arguments, file paths, code-signing details (including the PE OriginalFileName, which survives a rename on disk), and network connections.

Some useful detection patterns include:

  • ITarian: Watch for RmmService.exe, especially when it launches child processes from unusual paths such as ProgramData
  • Atera: Look for AteraAgent.exe launched by an MSI with command-line arguments containing IntegratorLogin and an email address. In a legitimate deployment, that email should match the organization's IT account or the account of its managed service provider, not a personal webmail address
  • PDQ Connect: Monitor for pdq-connect-agent.exe in environments where PDQ Connect is not approved or normally used
  • SimpleHelp: Watch for SimpleHelp binaries renamed to suspicious names or executing from user directories rather than expected installation paths
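The questions in the checklist and the per-product patterns above can be written down as telemetry rules. The block below is an added example, not Red Canary's or Zscaler's code, that evaluates those rules over a handful of constructed Sysmon-style process-creation events. The approved-tool set, the organization's mail domain, the ScreenConnect and SimpleHelp service binary names, and the shape of the Atera command line are assumptions chosen for illustration, as is the `ProcEvent` schema.

```python
"""Detection rules for phishing-delivered RMM agents, evaluated over
constructed Sysmon-style process-creation events.

Added example, not Red Canary or Zscaler code. The approved-tool set, the
organization's mail domain, the SimpleHelp/ScreenConnect service names and
the Atera command-line shape are assumptions for illustration."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

APPROVED_RMM = {"screenconnect"}   # assumption: only ScreenConnect is sanctioned here
ORG_DOMAIN = "example.com"         # assumption: mail domain IT uses for its Atera tenant

# On-disk name / OriginalFileName -> product. ITarian, Atera and PDQ names come
# from the patterns above; the SimpleHelp and ScreenConnect names are assumptions.
RMM_BINARIES = {
    "rmmservice.exe": "itarian",
    "ateraagent.exe": "atera",
    "pdq-connect-agent.exe": "pdq_connect",
    "remote access.exe": "simplehelp",
    "screenconnect.clientservice.exe": "screenconnect",
}
INTEGRATOR_RE = re.compile(r'IntegratorLogin="?([^\s"]+@[^\s"]+)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str               # full path of the new process
    parent_image: str
    command_line: str
    original_file_name: str  # PE version-info name, as Sysmon event ID 1 records it


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def identify_rmm(ev: ProcEvent):
    """Attribute an event to a product by on-disk name, falling back to the PE
    OriginalFileName so a renamed copy ('Party Card Viewer.exe') is still caught."""
    return RMM_BINARIES.get(_name(ev.image)) or RMM_BINARIES.get(ev.original_file_name.lower())


def evaluate(events, approved=APPROVED_RMM, org_domain=ORG_DOMAIN):
    """Run every rule over every event; returns one Finding per rule hit."""
    findings = []
    for ev in events:
        product = identify_rmm(ev)
        name, parent = _name(ev.image), _name(ev.parent_image)
        path = ev.image.lower()
        if product and product not in approved:
            findings.append(Finding(ev.host, "unapproved_rmm", f"{product} via {name}"))
        if product and ev.original_file_name and ev.original_file_name.lower() != name:
            findings.append(Finding(ev.host, "renamed_rmm_binary",
                                    f"{name} has OriginalFileName {ev.original_file_name}"))
        if product and path.startswith("c:\\users\\"):
            findings.append(Finding(ev.host, "rmm_from_user_profile", ev.image))
        if parent == "rmmservice.exe" and path.startswith("c:\\programdata\\"):
            findings.append(Finding(ev.host, "itarian_child_from_programdata", f"{name} <- {parent}"))
        if product == "atera" or parent == "msiexec.exe":
            m = INTEGRATOR_RE.search(ev.command_line)
            if m and not m.group(1).lower().endswith("@" + org_domain):
                findings.append(Finding(ev.host, "atera_foreign_integrator_login", m.group(1)))
    return findings


# Constructed sample telemetry (not real observations).
SAMPLE_EVENTS = [
    # ws-01: sanctioned ScreenConnect started by the service control manager -> no findings
    ProcEvent("ws-01", r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
              r"C:\Windows\System32\services.exe", "", "ScreenConnect.ClientService.exe"),
    # ws-02: ITarian installed by a fake browser update, then spawning a child out of ProgramData
    ProcEvent("ws-02", r"C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe",
              r"C:\Windows\System32\services.exe", "", "RmmService.exe"),
    ProcEvent("ws-02", r"C:\ProgramData\Dicom\DicomPortable.exe",
              r"C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe", "", ""),
    # ws-03: Atera agent launched by msiexec with an IntegratorLogin outside the org (assumed syntax)
    ProcEvent("ws-03", r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
              r"C:\Windows\System32\msiexec.exe",
              r'"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="helpdesk.invite@gmail.com" /AccountId="0"',
              "AteraAgent.exe"),
    # ws-04: PDQ Connect where it is not an approved tool
    ProcEvent("ws-04", r"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe",
              r"C:\Windows\System32\services.exe", "", "pdq-connect-agent.exe"),
    # ws-05: SimpleHelp remote-access binary renamed to a party-invite lure, run from Downloads
    ProcEvent("ws-05", r"C:\Users\bob\Downloads\Party Card Viewer.exe",
              r"C:\Windows\explorer.exe", "", "Remote Access.exe"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:32} {f.detail}")
```

The one design point worth copying is the OriginalFileName fallback in `identify_rmm`: a lure file such as "Party Card Viewer.exe" never matches an image-name rule, but the version resource inside the PE still says what it is, and Sysmon writes that field for every process creation. Everything else is a baseline comparison, which is why `evaluate` takes the approved set and the organization's domain as parameters rather than hard-coding them.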

How Organizations Can Reduce Risk

The most important control is an approved RMM allowlist. Security teams should know exactly which remote management tools are permitted, who owns them, what tenants or accounts they use, and where they are allowed to run.

Other useful steps include:

  • Restrict unauthorized RMM installation where possible
  • Monitor downloads of .msi, .exe, and script files from unusual or newly registered domains
  • Treat RMM downloads from trusted hosting platforms, such as object storage services, as worthy of inspection rather than automatically safe
  • Use browser isolation or additional controls for suspicious file-delivery sites
  • Alert when multiple RMM tools are installed on the same endpoint within a short time window
  • Train users that browser updates should come from the browser itself or official vendor websites, not random pop-ups
  • Investigate meeting invite downloads carefully, especially when the file is an installer rather than a normal calendar link

Red Canary specifically recommends endpoint visibility, monitoring or denying unauthorized RMM tools, stronger network visibility, controls for trusted services delivering suspicious file types, and monitoring newly registered domains, especially cheap or commonly abused top-level domains.

Key Takeaway

These phishing campaigns work because they do not rely only on obviously malicious files. They abuse trust: trust in browser updates, meeting apps, party invitations, government paperwork, cloud hosting platforms, and legitimate remote management tools.

For defenders, the goal is not simply to block every RMM product. The goal is to know which tools belong, how they should behave, and when their use no longer matches normal business activity. When a remote access tool appears from a phishing email, a fake update page, or an unknown tenant, it should be treated as a serious incident, even if the binary itself is signed and legitimate.
