How Threat Actors Abuse RMM Tools for Initial Access: The Backdoor Built Into Your IT Stack
- Akshay Jain
- 1 day ago
- 4 min read
Your IT Team's Most Trusted Tool Is Someone Else's Skeleton Key
A mid-sized US construction company received what appeared to be a standard invoice PDF from a known vendor. An employee opened it, clicked an embedded link, and a legitimate-looking software installer ran in the background. Within minutes, a Remote Monitoring and Management agent was silently installed on the endpoint. No malware alert fired. No antivirus flagged anything. The software was signed, trusted, and used by IT teams worldwide.
Thirty-one days later, the organization's files were encrypted with Medusa ransomware.
This is the defining threat pattern of 2024 and 2025: threat actors abusing Remote Monitoring and Management (RMM) tools to gain initial access to corporate networks. According to Huntress, RMM abuse was the most common threat they observed last year, accounting for nearly a quarter (24%) of all incidents and surging 277% year-over-year. Arctic Wolf found that 36% of all incident response cases over a single quarter involved RMM tools, with 59.4% of ransomware cases beginning with external remote access that included RMM abuse. CrowdStrike reported a 70% increase in RMM tool misuse across tracked intrusions.
This isn't a niche technique. It's the new standard playbook.

What Is RMM Abuse?
Remote Monitoring and Management (RMM) tools are software platforms used by IT teams and Managed Service Providers (MSPs) to remotely administer, monitor, and support endpoints across an organization.
Popular RMM platforms include AnyDesk, ConnectWise ScreenConnect, Atera, TeamViewer, SimpleHelp, Fleetdeck, Bluetrait, and NetSupport. Organizations use them for patch management, remote troubleshooting, software deployment, and IT support.
Here's the fundamental security problem: an RMM agent running on a machine looks identical whether it is driven by a legitimate administrator or by an attacker. The software is digitally signed. It communicates with vendor-hosted cloud infrastructure. It runs commands. It transfers files. It maintains persistent sessions. All of that activity is, by design, normal. From the perspective of security tooling (EDR, antivirus, even behavior-based detection), an attacker controlling a machine via AnyDesk is indistinguishable from the IT helpdesk doing the same.
When abused, RMM tools are functionally equivalent to Remote Access Trojans (RATs), but they're signed by legitimate vendors, often whitelisted in enterprise security policies, and trusted by every layer of your defense stack.
How RMM Tool Abuse for Initial Access Works
Threat actors have developed several distinct playbooks for getting an RMM agent onto a victim's machine. Each exploits a different trust relationship.
Phishing / Social Engineering (Most Common)
The attacker delivers a malicious payload via email, often disguised as an invoice, meeting invite, tax document, salary report, or payment receipt. The payload leads to an RMM installer, not traditional malware.
Telephone-Oriented Attack Delivery (TOAD)
Threat groups, including those tracked by Proofpoint, send emails with a phone number and an invoice lure. The recipient calls to dispute the charge. The actor on the phone poses as support and instructs the victim to install AnyDesk, TeamViewer, Zoho, UltraViewer, or ScreenConnect to "resolve the issue." This delivers RMM access without a single malicious file ever touching the victim's machine.
Daisy-Chaining Multiple RMM Tools
Huntress documented a sophisticated tactic during December 2025 and January 2026: once initial access is established via one RMM tool, attackers install a second or third distinct RMM platform to fragment telemetry, distribute persistence points, and complicate attribution and containment.
Vulnerability Exploitation in RMM Platforms
| CVE | Product | CVSS | Vulnerability Type |
| --- | --- | --- | --- |
| CVE-2024-1709 | ConnectWise ScreenConnect | 10.0 (Critical) | Authentication bypass |
| CVE-2024-1708 | ConnectWise ScreenConnect | 8.4 (High) | Path traversal / RCE |
| CVE-2024-57727 | SimpleHelp | Critical | Unauthenticated file read |
| CVE-2024-57726 | SimpleHelp | Critical | Privilege escalation |
| CVE-2026-1731 | BeyondTrust Remote Support | Critical | RCE |
Real-World Attack Campaigns
Medusa Ransomware via RMM (2024–2025)
Atera Agent Deployment (March 2024)
ScreenConnect as Primary Initial Access Payload (2024–2025)
NetSupport Targeting Ukraine (January 2025)
Prevention & Best Practices
- Maintain a strict RMM allowlist and block everything else.
- Restrict RMM installation to IT management accounts.
- Patch RMM platforms within 24 hours of critical CVE disclosure.
- Eliminate internet-exposed RMM servers.
- Enable MFA on all RMM vendor accounts.
The abuse of RMM tools for initial access represents a fundamental shift in how sophisticated threat actors think about intrusion. The question is no longer "how do I get malware past your defenses?" but "how do I use your own trusted tools against you?" When the answer is "by opening an invoice PDF," the sophistication bar for a catastrophic breach has reached an all-time low.
The security community spent years building detection around malware characteristics: signatures, behavioral patterns, suspicious processes. RMM abuse sidesteps all of it by using software your security team explicitly trusts. The only meaningful countermeasure is contextual: knowing exactly which RMM tools belong in your environment, on which hosts, installed by which processes, communicating with which tenants, and treating any deviation as a high-severity incident until proven otherwise.
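The contextual baseline described above, and the allowlist from the prevention list, as an added example (my own illustration, not code from the post or from any RMM vendor). It evaluates constructed process-start events against an assumed baseline of approved product, hosts, launching parents and tenant, and separately flags hosts where more than one RMM product appears (the daisy-chaining tactic). Binary names, host names, the tenant hostname and the event field names are all assumptions for illustration.

```python
from collections import defaultdict
# Known RMM client binaries (constructed list for illustration; client32.exe is NetSupport).
KNOWN_RMM = {"anydesk.exe", "teamviewer.exe", "ateraagent.exe", "client32.exe",
             "screenconnect.clientservice.exe"}
# Constructed baseline: approved product, its hosts, allowed parents, expected tenant (assumed).
RMM_BASELINE = {
    "screenconnect.clientservice.exe": {
        "hosts": {"HELPDESK-01", "WS-FINANCE-07"},
        "parents": {"msiexec.exe", "services.exe"},
        "tenant": "acme-it.screenconnect.com",
    },
}
def check_event(ev):
    """Return finding strings for one process-start event (empty list = nothing to flag)."""
    name, host, parent, dest = ev["image"].lower(), ev["host"], ev["parent"].lower(), ev.get("dest")
    if name not in KNOWN_RMM:
        return []
    base = RMM_BASELINE.get(name)
    if base is None:  # any RMM product outside the allowlist is a high-severity finding
        return [f"HIGH: unapproved RMM {name} on {host} launched by {parent}"]
    findings = []
    if host not in base["hosts"]:
        findings.append(f"HIGH: approved RMM {name} on non-baselined host {host}")
    if parent not in base["parents"]:  # e.g. spawned by a PDF reader after an invoice lure
        findings.append(f"HIGH: {name} on {host} launched by unexpected parent {parent}")
    if dest and dest != base["tenant"]:
        findings.append(f"HIGH: {name} on {host} connecting to foreign tenant {dest}")
    return findings
def detect_daisy_chain(events):
    """Map host -> sorted RMM products, only for hosts running more than one product."""
    per_host = defaultdict(set)
    for ev in events:
        if ev["image"].lower() in KNOWN_RMM:
            per_host[ev["host"]].add(ev["image"].lower())
    return {h: sorted(t) for h, t in per_host.items() if len(t) > 1}
# Constructed telemetry: a legitimate helpdesk session, then a workstation where AnyDesk
# appears under a PDF reader and a second RMM product is pointed at a different tenant.
SAMPLE_EVENTS = [
    {"host": "HELPDESK-01", "image": "ScreenConnect.ClientService.exe",
     "parent": "services.exe", "dest": "acme-it.screenconnect.com"},
    {"host": "WS-SALES-12", "image": "AnyDesk.exe", "parent": "AcroRd32.exe"},
    {"host": "WS-SALES-12", "image": "ScreenConnect.ClientService.exe",
     "parent": "msiexec.exe", "dest": "unknown-tenant.screenconnect.com"},
]
def run(events=SAMPLE_EVENTS):
    findings = [f for ev in events for f in check_event(ev)]
    for host, tools in detect_daisy_chain(events).items():
        findings.append(f"HIGH: multiple RMM products on {host}: {', '.join(tools)}")
    return findings
```

On the sample telemetry the helpdesk session produces nothing, while the sales workstation yields four findings: an unapproved product launched by a PDF reader, an approved product on a non-baselined host talking to a foreign tenant, and two RMM products on one host.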
The organizations getting this right have already built that baseline, enforced allowlists at the application control layer, and patched their RMM platforms on the same emergency timeline they apply to zero-day exploits. The rest are running the world's most capable remote access infrastructure on behalf of attackers who registered an account for free.
Happy cyber-exploration! 🚀🔒
Note: Feel free to drop your thoughts in the comments below - whether it's feedback, a topic you'd love to see covered, or just to say hi! Don't forget to join the forum for more engaging discussions and stay updated with the latest blog posts. Let's keep the conversation going and make cybersecurity a community effort!
-AJ