Cyberattacks Using RMM Tools

Cybercriminals have found a new favorite toy—legitimate remote monitoring and management (RMM) tools. Since 2022, hackers have increasingly abandoned traditional malware in favor of software that’s supposed to help IT professionals, not criminals. ScreenConnect, AnyDesk, Atera—all being weaponized at an alarming rate. Over one-third of intrusions in the past two years involved these tools. That’s not a coincidence.

Why the shift? It’s brilliant, actually. Many RMM agents can be installed without administrative privileges, they are signed by their vendors and allow-listed by most antivirus products, and their traffic goes to the vendor’s relay servers over TLS, so it blends in with legitimate remote-support sessions. They’re wearing the digital equivalent of an invisibility cloak. Plus, they come with built-in remote access, file transfer, and command execution capabilities. Ready-made hacking platforms with legitimate code-signing certificates. No need to build custom malware when the perfect tool is available for a free trial.

The attack methods aren’t particularly sophisticated. Phishing emails. Social engineering. Exploiting vulnerabilities. The usual suspects. But the payoff is huge. Once installed, the agent registers itself to start with the system, survives reboots, and checks in to the attacker’s own account or self-hosted instance rather than yours. That is persistence that’s hard to detect and even harder to remove, because the binary on disk is the same one your IT team uses.

Major threat actors have taken notice. SCATTERED SPIDER loves these tools. Iranian APT groups use them for persistence. Qbot affiliates deploy them for ransomware operations. It’s become the cool new trend in the hacker community. This trend has been significantly influenced by Operation Endgame, the May 2024 law-enforcement takedown of several malware loader botnets, which dismantled traditional malware infrastructure and forced cybercriminals to adapt their tactics.

For organizations, this spells trouble. Data theft, financial fraud, ransomware, all executed through software that appears legitimate. In refund scams, attackers even use the remote session to edit what the victim sees on their online banking page, so the victim believes they were over-refunded and sends the “difference” back. Traditional security controls just shrug their shoulders. “Looks fine to me,” says your expensive antivirus software.

The threat environment is changing. Custom malware is so 2020. Today’s sophisticated attackers prefer “living off the land”: using legitimate tools against their owners. It’s like being stabbed with your own kitchen knife. Effective threat intelligence, tracking which RMM tools and relay infrastructure attackers favour, turns this security data into actionable insights that help organizations identify these attacks before significant damage occurs.

As this trend grows, the line between legitimate IT operations and malicious activity becomes increasingly blurred. Nation-state actors are jumping on the bandwagon too. Who needs complex custom tools when the perfect weapon is already installed on the victim’s computer?
