Threat hunters have identified multiple campaigns using RMM tools, including ITarian (aka Comodo), PDQ, SimpleHelp, and Atera, to gain remote access.
Remote monitoring and management (RMM) tools remain attractive to adversaries because they appear legitimate; they’re commonly used by IT professionals for remote access, system monitoring, and machine management.
Adversaries often use RMM tools stealthily and effectively to retain control of compromised systems without raising immediate alarms. Hands-on-keyboard activity lets the attacker adapt behavior to blend with normal administrator actions, making detection harder.
RMM tools have been used to download additional malware such as information stealers, and as precursors to ransomware deployment.
Four common lure themes have been identified that successfully caused targets to download an RMM tool:
- fake browser updates
- meeting invitations
- party invitations
- fake government forms
A trend of adversaries deploying two RMM tools in quick succession has also been observed, likely to establish multiple methods of persistent access.
Observed Browser Lures
Fake browser update

This widely used lure presents a webpage claiming the user’s browser must be updated to continue. Users reached these lures from various search themes; for example, compromised sports sites redirected visitors to the fake update, and a medical-care themed search led a user to the same type of lure.

A core component of this attack chain is JavaScript injected into compromised websites. The injected script uses an iframe overlay and multiple evasion techniques to deceive users and track interaction:

- Full-screen overlay styling that stays above all page elements.
- Device and environment detection targeting Windows desktop users while excluding mobile devices.
- Dynamic creation of an invisible iframe loading content from suspicious domains, with multiple fallback URLs for redundancy.
- Exfiltration of browser fingerprinting information, language/geolocation hints, engagement metrics and a unique tracking hash, all sent to a command and control (C2) endpoint.

Some C2 domains exhibited WordPress-based admin panels and site-management modules, suggesting they were used to manage compromised websites and orchestrate large-scale campaigns.

In some cases the panels included non-English text in source code and modules for site management and analytics; their exact role is still under investigation.
Case study: fake update → RMM installer
In one case, a user clicking an “Update Chrome” button downloaded an ITarian RMM Microsoft Installer (MSI) instead of a legitimate browser update. The generated MSI contacted other domains and executed additional actions despite being signed by the vendor.
The installed RMM service (RmmService.exe) executed a malicious child process (DicomPortable.exe), loaded multiple binaries into memory, modified the registry for persistence, and connected outbound to a compromised domain to download additional payloads (including a loader and an information stealer). The attack chain also involved sideloading a malicious Qt5Core.dll using a legitimate signed binary, and reconnaissance using Sysinternals TCPView.
In another instance the chain sideloaded a malicious sciter32.dll via a different legitimate executable to harvest browser credentials and contact additional malicious domains.
Detection for malicious use of this RMM
- Detect RMM service launching child processes:
  parent_process: RmmService.exe
  process_path contains: program data
- Detect execution of RmmService.exe if not normally used in your environment:
  process_name: RmmService.exe

Meeting-invite lures
Adversaries also impersonated common meeting or collaboration applications (Teams, Zoom) or installers (Excel, Adobe products) to drop RMM tools such as Atera, PDQ, and ScreenConnect. Malicious installers were often named to mimic legitimate installers (e.g., MicrosoftTeams.msi) to avoid suspicion.

The pages handled desktop and mobile traffic and redirected users based on User-Agent strings, preferring Windows and Android targets.
The pages could record visitor and download logs locally and forward statistics via messaging-platform bot APIs, a technique also observed being abused for C2 communication and data exfiltration.
Party invitation lure
Attackers sent phishing e-invites (party invites) hosting MSI payloads disguised as “Party Card Viewer” or “E-Invite” to deliver PDQ Connect, Atera, and other RMM tools. In one incident a malicious MSI downloaded from a cloud object storage domain installed Atera using a command-line that included an IntegratorLogin email — an indicator that the threat actor was registering the tool under a specific account. In some cases, the email used did not match the target organization.
Multi-RMM chains
There are cases where one remote support tool is installed and then used to load a second remote access tool immediately afterward (for example, SimpleHelp installing ScreenConnect). Attackers sometimes used revoked or suspicious certificates when signing these components.
Detection for Atera / PDQ / SimpleHelp
- Detect Atera agent executed by MSI with integrator parameter:
  process_name: "AteraAgent.exe" AND process_cmdline contains: "IntegratorLogin" AND "@"
- Detect Atera execution if not normally used:
  process_name: Atera.exe
- Detect PDQ Connect execution if unexpected:
  process_name: pdq-connect-agent.exe
- Detect SimpleHelp suspicious executions (renamed binary or user-run from users folder):
  file_description: "simplehelp remote access client" AND process_name NOT: "remote accesswinlauncher.exe" AND process_path CONTAINS: "users"
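As an added example that is not part of the original report, the detection rules for ITarian, Atera, PDQ Connect and SimpleHelp above, plus the IntegratorLogin account check from the party-invite section, implemented as Python over constructed process events. The allow list, the organization domain and the sample paths are assumptions; the process names and conditions come from the rules as written on the page.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    process_name: str
    process_path: str
    parent_process: str
    cmdline: str = ""
    file_description: str = ""

ALLOWED_RMM = {"screenconnect.clientservice.exe"}  # hypothetical org allow list (assumption)
RMM_NAMES = {"rmmservice.exe", "atera.exe", "pdq-connect-agent.exe"}  # names from the rules above
INTEGRATOR_RE = re.compile(r'integratorlogin\W+([^\s"\']+@[^\s"\']+)', re.I)
def integrator_login(cmdline):
    """Return the IntegratorLogin e-mail from an Atera install command line, or None."""
    m = INTEGRATOR_RE.search(cmdline)
    return m.group(1) if m else None

def evaluate(ev, org_domain, allowed=ALLOWED_RMM):
    """Return the names of the rules an event matches; an empty list means nothing fired."""
    name, path = ev.process_name.lower(), ev.process_path.lower()
    hits = []
    # ITarian: RmmService.exe spawning a child that lives under ProgramData.
    if ev.parent_process.lower() == "rmmservice.exe" and "programdata" in path.replace(" ", ""):
        hits.append("rmm_service_child")
    # Atera agent installed with an IntegratorLogin: record it and check whose account it is.
    login = integrator_login(ev.cmdline)
    if name == "ateraagent.exe" and login:
        hits.append("atera_integrator_login")
        if not login.lower().endswith("@" + org_domain.lower()):
            hits.append("integrator_login_foreign_domain")
    if name in RMM_NAMES and name not in allowed:  # RMM binary the organization has not approved
        hits.append("unapproved_rmm")
    # SimpleHelp client that is renamed or launched from a user profile directory.
    if (ev.file_description.lower() == "simplehelp remote access client"
            and name != "remote accesswinlauncher.exe" and "\\users\\" in path):
        hits.append("simplehelp_suspicious")
    return hits

# Constructed sample events modelled on the chains described above (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("DicomPortable.exe", r"C:\ProgramData\DicomPortable.exe", "RmmService.exe"),
    ProcEvent("AteraAgent.exe", r"C:\Program Files\ATERA Networks\AteraAgent.exe", "msiexec.exe",
              'AteraAgent.exe /i /IntegratorLogin="operator@unrelated.example" /CompanyId=1'),
    ProcEvent("pdq-connect-agent.exe", r"C:\Program Files\PDQ\pdq-connect-agent.exe", "msiexec.exe"),
    ProcEvent("einvite.exe", r"C:\Users\alice\Downloads\einvite.exe", "explorer.exe",
              file_description="SimpleHelp Remote Access Client"),
    ProcEvent("chrome.exe", r"C:\Program Files\Google\Chrome\chrome.exe", "explorer.exe"),
]
```

Running `evaluate(ev, "corp.example")` over `SAMPLE_EVENTS` fires exactly one rule set per malicious sample and nothing for the benign browser launch; the foreign-domain check is what surfaces the mismatched IntegratorLogin e-mail the report describes.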
Government-form lures
Phishing pages impersonating government forms (e.g., social security statements, W-9s, or tax forms) have been used to deliver PDQ Connect, SimpleHelp, and ScreenConnect.
In some instances the initial installer was used simply to load a secondary RMM. Some lures were hosted on domains that mimic official government pages.
Realistic-looking phishing emails and websites make it easy for attackers to distribute RMM installers, so security controls and detection capabilities are essential.
Network controls like browser isolation and monitoring for suspicious newly registered domains can help detect and contain compromises early.
Maintaining a strict allow list for RMM tools used for legitimate business purposes is critical to quickly identify malicious use. Understanding the baseline behavior of legitimate RMM deployments in your environment helps detect anomalies, for example, changed filenames, installs to non-standard directories, installers downloaded from unrelated domains, or unexpected outbound connections.
Indicators
Non-malicious tools observed
- hidemouse.exe
- tcpvcon.exe (Sysinternals tool)
Mitigations
- Deploy detection and response sensors across systems.
- Maintain an approved-tools list and monitor or block unauthorized RMMs.
- Recognize that legitimate tools can be exploited — know what’s actually running in your environment.
- Consider additional preventive controls for trusted cloud storage services (enforce browser isolation when those services deliver executable files: MSI, EXE, PS1).
- Monitor for suspicious newly-registered domains, particularly cheaply provisioned TLDs (e.g., .pro, .shop, .top).