Cybercriminals are deceiving users with phony websites that imitate well-known programs such as Notepad++ and 7-Zip. These websites push malware-laden Remote Monitoring and Management (RMM) tools.

According to AhnLab's Security Intelligence Center (ASEC), attackers now deploy RMM software from the very start of an infection, not only after a system has already been compromised. This shift makes early detection more difficult: RMM tools let attackers take remote control of compromised computers while slipping past basic antivirus scans.

Why Attackers Adore RMM Tools

RMM software helps IT teams manage devices remotely for tasks such as patching and monitoring.

But attackers abuse it as a backdoor, much like a Remote Access Trojan (RAT). The tools evade detection because they look legitimate, and traditional antivirus struggles with them because their activity mimics normal admin actions.

AhnLab EDR (Endpoint Detection and Response) uses behavior analysis to identify these threats. It is the only behavior-based engine solution in Korea. It gathers information about suspicious behavior, notifies administrators, and helps identify the root cause.

This makes it possible to react quickly and prevents repeat incidents.

False Downloads: Notepad++ and 7-Zip Traps

ASEC discovered ads leading to fraudulent download pages. The phony websites impersonate Notepad++, 7-Zip, Telegram, ChatGPT, and OpenAI. Victims believe they are obtaining free utilities but instead download LogMeIn Resolve, a genuine RMM tool for remote support and patching.

After installation, LogMeIn Resolve registers the machine with the attackers' servers. The attackers then use PowerShell commands to deploy the covert backdoor PatoRAT.

False Websites Spread Spyware

PDQ Connect, another RMM for software deployment and inventory, is abused in the same way. Both chains end in a PatoRAT install.

AhnLab EDR flags executions of LogMeIn and PDQ Connect as threats and displays logs for administrators to examine.

Phishing Emails Hide Additional RMM Dangers

Attackers also send phishing PDFs named "Invoice," "Product Order," or "Payment." The PDFs claim that the preview failed because of "high quality" and direct users to Google Drive links.

These links deliver Syncro, an RMM used by the Chaos and Royal ransomware gangs and by Iran's MuddyWater APT group. Malware signed with the same certificate also spreads SuperOps (MSP remote access), NinjaOne (cloud IT management), and ScreenConnect (abused by ALPHV/BlackCat and Hive ransomware). All of them have been signed with a single certificate since October 2025.

| RMM Tool | Key Features | Known Abusers | AhnLab EDR Detection |
|---|---|---|---|
| LogMeIn Resolve | Remote support, patching | PatoRAT droppers | Execution/EDR.LogMeIn.M12839 |
| PDQ Connect | Deployment, inventory, remote control | PatoRAT droppers | Execution/EDR.PDQConnect.M12920 |
| Syncro | MSP monitoring/management | Chaos, Royal, MuddyWater | not listed |
| ScreenConnect | Screen control, support | ALPHV/BlackCat, Hive | Execution/EDR.ScreenConnect.M11766 |
| NinjaOne | Cloud patching, asset management | Multiple phishing campaigns | Execution/EDR.Ninja.M13400 |
| SuperOps | MSP remote access, monitoring | Phishing PDF dropper | Execution/EDR.SuperOps.M13399 |

All of these executions are detected by AhnLab EDR, which gives administrators early warning.

Remain Secure: Important Defenses

Users should only download from official websites. Prior to installation, verify file versions and certificates.

Steer clear of dubious emails, confirm the sender, and do not open links or attachments. Keep your operating system and security tools updated. For behavior monitoring, organizations should use an EDR such as AhnLab's. Use policies to prevent unknown RMM installs.

Educate employees on phishing warning signs.
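The detection names in the table above and the advice to block unknown RMM installs can be approximated with simple telemetry rules. The script below is an added example, not AhnLab's code or anything from the ASEC report: it runs three defender-side checks over constructed process-creation events, namely an RMM product executing on a host whose group has not approved it, an RMM process spawning PowerShell (the step the report describes before PatoRAT is dropped), and one signing certificate covering more than one RMM product (as the report describes for the cluster signed since October 2025). The executable names, file paths, signer strings, event field names and host groups are all assumptions chosen for this example; a real EDR would match on signer identity, file hashes and behavior rather than on file names.

```python
import json
from collections import defaultdict

# Keywords for the RMM products named in the ASEC report. Matching on the
# image file name is an illustrative simplification for this example.
RMM_KEYWORDS = {
    "logmein": "LogMeIn Resolve",
    "pdqconnect": "PDQ Connect",
    "syncro": "Syncro",
    "screenconnect": "ScreenConnect",
    "ninja": "NinjaOne",
    "superops": "SuperOps",
}

# Assumed organisational policy: which RMM product each host group may run.
# Groups not listed here are allowed no RMM tool at all.
APPROVED = {
    "it-admin": {"PDQ Connect"},
}

# Constructed process-creation events (not real telemetry). Paths, signer
# strings and field names are assumptions made for this example.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"ts": "2025-11-03T09:12:01Z", "host": "WS-101", "group": "finance", "pid": 1200, "ppid": 800, "image": "C:\\Users\\alice\\Downloads\\npp-setup.exe", "cmdline": "npp-setup.exe", "signer": "Unknown Publisher"}
{"ts": "2025-11-03T09:12:09Z", "host": "WS-101", "group": "finance", "pid": 1300, "ppid": 1200, "image": "C:\\ProgramData\\LogMeIn\\LogMeInResolve.exe", "cmdline": "LogMeInResolve.exe /silent", "signer": "CERT-A (placeholder)"}
{"ts": "2025-11-03T09:13:40Z", "host": "WS-101", "group": "finance", "pid": 1400, "ppid": 1300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -File update.ps1", "signer": "Microsoft Windows"}
{"ts": "2025-11-03T10:02:15Z", "host": "IT-ADM-07", "group": "it-admin", "pid": 2100, "ppid": 900, "image": "C:\\Program Files\\PDQ\\PDQConnectAgent.exe", "cmdline": "PDQConnectAgent.exe", "signer": "PDQ.com (placeholder)"}
{"ts": "2025-11-03T11:47:52Z", "host": "WS-205", "group": "finance", "pid": 3000, "ppid": 700, "image": "C:\\Users\\bob\\AppData\\Local\\SyncroAgent.exe", "cmdline": "SyncroAgent.exe", "signer": "CERT-A (placeholder)"}
""".strip().splitlines()]


def basename(image):
    """Return the lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def rmm_product(image):
    """Map an image path to a known RMM product name, or None."""
    base = basename(image)
    for keyword, product in RMM_KEYWORDS.items():
        if keyword in base:
            return product
    return None


def analyze(events):
    """Run the three checks and return a list of alert dicts."""
    alerts = []
    rmm_pids = {}                 # (host, pid) -> RMM product running under that pid
    products_by_signer = defaultdict(set)

    # Pass 1: unapproved RMM executions, and bookkeeping for the later passes.
    for ev in events:
        product = rmm_product(ev["image"])
        if product is None:
            continue
        rmm_pids[(ev["host"], ev["pid"])] = product
        products_by_signer[ev["signer"]].add(product)
        if product not in APPROVED.get(ev["group"], set()):
            alerts.append({"rule": "unapproved_rmm", "host": ev["host"],
                           "pid": ev["pid"], "detail": product})

    # Pass 2: PowerShell launched as a child of an RMM agent process.
    for ev in events:
        parent = rmm_pids.get((ev["host"], ev["ppid"]))
        if parent and basename(ev["image"]) in ("powershell.exe", "pwsh.exe"):
            alerts.append({"rule": "rmm_spawned_powershell", "host": ev["host"],
                           "pid": ev["pid"], "detail": f"{parent} -> {ev['cmdline']}"})

    # Pass 3: one code-signing identity covering several distinct RMM products.
    for signer, products in products_by_signer.items():
        if len(products) > 1:
            alerts.append({"rule": "shared_signer", "host": "*", "pid": None,
                           "detail": f"{signer}: {sorted(products)}"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] host={alert['host']} pid={alert['pid']} {alert['detail']}")
```

Run against the constructed events, the script raises four alerts: two unapproved RMM executions (LogMeIn Resolve on WS-101 and Syncro on WS-205, while PDQ Connect on the IT admin host is allowed by policy), one PowerShell child of the LogMeIn Resolve process, and one shared signer covering both LogMeIn Resolve and Syncro. The approved-RMM allowlist is the piece an organization has to maintain; everything else follows from ordinary process-creation telemetry.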

This wave shows that RMM abuse is on the rise. Early detection protects systems from complete takeover.