
A Series of Unfortunate (RMM) Events

Severity: Medium
Published: Fri Dec 19 2025 (12/19/2025, 18:30:02 UTC)
Source: AlienVault OTX General

Description

Threat actors are increasingly abusing legitimate Remote Monitoring and Management (RMM) tools such as PDQ and GoTo Resolve to deploy secondary RMM tools like ScreenConnect or SimpleHelp, enabling persistent and stealthy access. Attacks often start with phishing emails or malicious downloads, targeting diverse sectors including real estate, investment firms, and car dealerships. Social engineering lures include holiday-themed messages and fake bid transcripts to trick users into executing malicious payloads. The abuse of multiple RMM tools complicates detection and remediation efforts. Detection and mitigation require a managed Security Operations Center (SOC) with visibility into RMM tool usage and network behavior. The threat is medium severity due to the potential for persistence and lateral movement, but exploitation requires initial user interaction. European organizations using these RMM tools are at risk, especially those in Germany and countries with high adoption of these management platforms. Practical mitigations include strict RMM access controls, multi-factor authentication, monitoring for unusual RMM deployments, and user training against phishing. No known exploits in the wild have been reported yet, but the trend indicates growing attacker interest in RMM abuse for persistence and lateral movement.

AI-Powered Analysis

Last updated: 12/19/2025, 19:00:47 UTC

Technical Analysis

This threat campaign highlights a growing trend where attackers leverage legitimate Remote Monitoring and Management (RMM) tools to gain and maintain unauthorized access within target environments. The attackers initially compromise victims through phishing emails or malicious downloads, which deliver or enable the installation of primary RMM tools such as PDQ or GoTo Resolve. These primary tools are then used to deploy secondary RMM tools like ScreenConnect or SimpleHelp, which provide additional remote access capabilities and persistence. The use of multiple RMM tools complicates detection because these tools are legitimate administrative utilities often whitelisted or trusted by security controls. The attackers employ social engineering tactics, including holiday-themed phishing lures and fake bid transcripts, to entice victims into executing malicious content. The campaign includes real-world examples affecting a real estate company, an investment firm, and a car dealership, demonstrating the broad applicability of this attack vector across industries. The report emphasizes the importance of a managed Security Operations Center (SOC) to detect anomalous RMM activity and recommends specific defensive measures such as enhanced monitoring, strict access controls, and user awareness training. The campaign is tagged with multiple MITRE ATT&CK techniques including T1053 (Scheduled Task/Job), T1219 (Remote Access Software), T1036 (Masquerading), T1059 (Command and Scripting Interpreter), T1204 (User Execution), T1566 (Phishing), T1574 (Hijack Execution Flow), T1078 (Valid Accounts), and T1105 (Ingress Tool Transfer), illustrating the complex multi-stage nature of these attacks. Although no CVE or known exploits are associated, the medium severity rating reflects the significant risk posed by the abuse of trusted administrative tools for stealthy persistence and lateral movement.

Potential Impact

European organizations face significant risks from this threat due to the widespread use of RMM tools in IT management and support. Successful exploitation can lead to unauthorized remote access, data exfiltration, lateral movement within networks, and long-term persistence. Sectors such as real estate, finance, and automotive—already targeted in observed incidents—are critical to European economies and may suffer operational disruption, financial loss, and reputational damage. The stealthy nature of RMM abuse complicates detection, increasing the likelihood of prolonged compromise. Additionally, social engineering lures tailored to local contexts (e.g., holiday themes) increase the success rate of initial compromise. The medium severity indicates that while the threat requires user interaction and does not exploit a direct vulnerability, the potential impact on confidentiality, integrity, and availability is substantial if attackers establish persistent footholds. European organizations with limited SOC capabilities or insufficient RMM monitoring are particularly vulnerable.

Mitigation Recommendations

1. Enforce strict access controls on RMM tools, limiting usage to authorized personnel only and employing the principle of least privilege.
2. Implement multi-factor authentication (MFA) for all RMM tool access to reduce risk from compromised credentials.
3. Monitor RMM tool deployment and usage logs for anomalies such as unexpected installations of secondary RMM tools or unusual remote sessions.
4. Employ network segmentation to restrict RMM tool communication to necessary systems only, reducing lateral movement opportunities.
5. Conduct regular user training focused on recognizing phishing attempts, especially those using social engineering lures like holiday themes or fake bid documents.
6. Maintain an active and managed Security Operations Center (SOC) with capabilities to detect suspicious RMM activity and respond promptly.
7. Use endpoint detection and response (EDR) solutions to identify and block unauthorized script execution or process spawning related to RMM abuse.
8. Regularly audit and update RMM software to ensure the latest security features and patches are applied.
9. Establish incident response plans specifically addressing RMM abuse scenarios to minimize dwell time and impact.
10. Restrict the ability to install or run secondary RMM tools through application whitelisting and software restriction policies.
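Recommendation 3 above (spotting a secondary RMM tool being installed by a primary one) can be expressed as a process-lineage rule. The following is an added example, not code from the Huntress report or the OTX pulse: it runs two rules over constructed Sysmon-style process-creation events, and the executable-name fragments, path fragments and sample events are illustrative assumptions to be replaced with your own RMM inventory.

```python
"""Detect RMM-to-RMM chaining (ATT&CK T1219) in process-creation events.

Rule 1: a primary RMM tool (PDQ, GoTo Resolve) spawns a secondary one
(ScreenConnect, SimpleHelp). Rule 2: a secondary RMM binary is started
from a user-writable path, the footprint of a phished download (T1204).
"""
from typing import Optional

# ASSUMPTION: lowercase fragments of the executable names each family uses.
PRIMARY_RMM = {"pdq": "pdqdeploy", "gotoresolve": "gotoresolve"}
SECONDARY_RMM = {"screenconnect": "screenconnect", "simplehelp": "simplehelp"}
# ASSUMPTION: path fragments a sanctioned RMM agent should never run from.
USER_WRITABLE = ("\\users\\", "\\windows\\temp\\")

# Constructed Sysmon-style events (host, parent image, child image); not real IoCs.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": r"C:\Program Files\PDQ\PDQDeployRunner.exe",
     "image": r"C:\Windows\Temp\ScreenConnect.ClientSetup.exe"},
    {"host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\j.doe\Downloads\Holiday_Bid_Transcript.exe"},
    {"host": "ws03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\j.doe\AppData\Local\Temp\SimpleHelp-Installer.exe"},
    {"host": "ws04", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
]


def classify(image: str, table: dict) -> Optional[str]:
    """Return the RMM family whose fragment appears in the image basename, else None."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return next((tool for tool, frag in table.items() if frag in name), None)


def detect_rmm_chain(events):
    """Return (host, severity, reason) tuples for events matching either rule."""
    alerts = []
    for ev in events:
        primary = classify(ev["parent_image"], PRIMARY_RMM)
        secondary = classify(ev["image"], SECONDARY_RMM)
        if primary and secondary:  # rule 1: one RMM tool deploying another
            alerts.append((ev["host"], "high",
                           f"{primary} spawned {secondary} (T1219 chaining)"))
        elif secondary and any(p in ev["image"].lower() for p in USER_WRITABLE):
            alerts.append((ev["host"], "medium",  # rule 2: agent from user path
                           f"{secondary} launched from user-writable path"))
    return alerts
```

The ws04 event (an installed ScreenConnect service under Program Files started by services.exe) deliberately produces no alert, so the rule stays quiet on a sanctioned deployment while flagging the chained and user-profile cases.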


Technical Details

Author: AlienVault
TLP: white
References: https://www.huntress.com/blog/series-of-unfortunate-rmm-events
Adversary: null
Pulse Id: 694599aaebd14cabed495145
Threat Score: null

Indicators of Compromise


Threat ID: 69459d520919c12884942c65

Added to database: 12/19/2025, 6:45:38 PM

Last enriched: 12/19/2025, 7:00:47 PM

Last updated: 12/20/2025, 12:04:26 AM

