
RMM Tools Hijacked in Stealthy Phishing Campaign

Over 80 organizations hit as attackers abuse legitimate RMM tools to bypass security. The campaign leverages trusted software for undetected access. Details from May 05, 2026.


As of May 05, 2026, attackers have compromised over 80 organizations by weaponizing two widely used remote monitoring and management (RMM) tools to conduct a stealthy phishing campaign that bypasses traditional detection systems.

Key Takeaways

  • Attackers are abusing legitimate RMM software to maintain persistent access and avoid detection.
  • More than 80 organizations across multiple sectors have already been impacted.
  • The campaign relies on phishing emails that install RMM clients as backdoors, not malware.
  • Because RMM tools are typically whitelisted, security teams often miss the activity.
  • This marks a shift from malware-based attacks to exploitation of trusted operational software.

Legitimacy as a Weapon

What’s striking isn’t just the scale of the campaign—but how it works. Attackers aren’t relying on zero-day exploits or advanced polymorphic malware. Instead, they’re deploying commercially available RMM tools like AnyDesk and Splashtop—software already trusted in IT departments worldwide.

That trust is the vulnerability. Once a user clicks a phishing link and grants installation permission, the RMM client connects to an attacker-controlled server. From there, the attacker has full remote access. Because the traffic looks like normal RMM activity, it blends into the background noise of daily operations.

Over 80 organizations have been impacted so far, according to Dark Reading’s original report. The sectors span healthcare, legal services, and mid-sized manufacturing firms—industries that rely on outsourced IT but may lack advanced endpoint detection.

It’s a brutal irony: tools built to help IT teams manage devices remotely are now the very conduits attackers use to stay inside networks for weeks or months at a time. In fact, a recent survey by Cybersecurity Ventures found that 71% of organizations rely on managed service providers (MSPs) for IT support, which further amplifies the risk.

The campaign has also been described as a “Living-Off-The-Land” (LOTL) attack, where attackers use legitimate tools to gain access and maintain persistence without needing to drop malware. This approach is particularly effective because it’s difficult to distinguish between legitimate and malicious activity, especially when the tools used are trusted and widely adopted.

Why RMM Tools Are the Perfect Cover

RMM platforms are designed for persistence. They run continuously, often with administrative privileges. They initiate outbound connections—which means no inbound firewall holes to raise suspicion. And because they’re used for routine maintenance, their network signatures are rarely scrutinized.

That makes them ideal for LOTL attacks. Attackers don’t need to drop malware that could trigger EDR alerts. They just need a user to install the RMM client—something that’s often allowed under local admin policies for remote support.

Once installed, the attacker can execute commands, move laterally, and exfiltrate data—all through a client that appears fully legitimate. There’s no suspicious process injection. No anomalous PowerShell scripts. Just a clean, signed binary doing exactly what it’s supposed to do—except under someone else’s control.

According to a report by the SANS Institute, RMM tools are often used in LOTL attacks to establish a foothold within a network. The tools are then used to move laterally, gather intelligence, and establish a command and control (C2) channel. This approach is particularly effective because it’s difficult to detect, and the attackers can use the legitimate tools to blend in with the rest of the network traffic.

Phishing That Doesn’t Look Like Phishing

The initial access vector is a phishing email, but it’s not the kind that sets off red flags. These messages don’t contain malicious attachments. Instead, they direct users to download what appears to be a remote support tool—often with lures like “Your invoice is ready” or “IT support needs to connect to your machine.”

The user downloads the RMM client directly from the vendor’s official site. That’s the genius—and the danger. The binary isn’t tampered with. It’s not hosted on a shady domain. It’s the real thing. So when security tools scan it, they see a legitimate application with valid certificates.

And because the download comes from an approved source, many organizations don’t block it. Their policies allow users to install remote support tools. They just never imagined those tools would be turned against them.

A notable example of this is the AnyDesk phishing campaign discovered by the security firm, Volexity. The attackers sent phishing emails to users, directing them to download the AnyDesk client from the vendor’s official site. The emails were convincing enough that many users complied, and the attackers were able to gain remote access to the target network.

The Blind Spot in Enterprise Defense

Most enterprise security stacks are built to detect anomalies—unusual logins, unexpected data transfers, known malware signatures. But this attack doesn’t trigger those alarms.

It’s not anomalous. It’s not malicious in the traditional sense. It’s authorized software being misused.

  • RMM clients are often excluded from antivirus scans.
  • They’re whitelisted in firewall rules for outbound traffic.
  • They don’t generate suspicious DNS queries or beacon to known C2 servers.
  • They operate under user-approved execution policies.

That creates a perfect storm. The tools are trusted, allowed, and invisible. And the attackers? They’re sitting inside the network, often for 14 days or more, before anyone notices.

One organization in the report didn’t detect the intrusion until a routine internal audit flagged an unusual remote session from an employee’s machine—after the attacker had already accessed financial records and customer data.

Why Detection Is So Hard

Even with EDR in place, spotting this kind of activity is like finding a needle in a haystack—because the needle looks like hay.

Some signs could tip off a vigilant SOC team: a user installing an RMM tool outside of approved channels, unexpected remote sessions during off-hours, or connections to personal or foreign IP addresses. But without behavioral baselines, those signals get buried.
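The three signals named above (an install outside approved channels, off-hours sessions, and connections to unfamiliar endpoints) only become actionable once they are checked against a baseline. The script below is an added example, not code from the article or from any RMM vendor: it learns the remote accounts seen in a week of sanctioned MSP sessions, then triages new events against that history plus two policy constants. The log format, the field meanings, the approved relay range, the install channels and every sample line are constructed for the example.

```python
"""Triage RMM events against a behavioural baseline (added example, not from the article)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy values; an organization would derive them from its MSP contract
# and its RMM console exports.
APPROVED_RELAY_NETS = [ip_network("203.0.113.0/24")]  # where sanctioned sessions originate
APPROVED_INSTALL_CHANNELS = {"sccm", "intune"}        # managed deployment tools
BUSINESS_HOURS = range(7, 20)                         # 07:00-19:59 local time

# Constructed log format: timestamp user event remote_account peer_ip origin
# remote_account is the RMM identity on the far end of a session; origin is the
# installer source for client_install events and "-" otherwise.
BASELINE_LOG = """
2026-04-20T09:15:00 alice session_start msp-support-01 203.0.113.10 -
2026-04-21T10:05:00 alice session_start msp-support-01 203.0.113.10 -
2026-04-22T14:30:00 bob session_start msp-support-02 203.0.113.11 -
2026-04-23T11:00:00 bob session_start msp-support-01 203.0.113.10 -
"""

NEW_EVENTS = """
2026-05-04T23:40:00 alice session_start rmm-user-7731 198.51.100.77 -
2026-05-05T10:10:00 bob session_start msp-support-02 203.0.113.11 -
2026-05-05T02:05:00 bob session_start msp-support-01 203.0.113.10 -
2026-05-05T13:00:00 carol client_install - - browser-download
"""


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    account: str
    peer: str
    origin: str


def parse(text):
    """Parse the constructed whitespace-separated log into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, kind, account, peer, origin = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, kind, account, peer, origin))
    return events


def build_baseline(history):
    """Remote RMM accounts observed in sanctioned sessions form the 'known' set."""
    return {e.account for e in history if e.kind == "session_start"}


def triage(history_text, events_text):
    """Return one finding per event that violates the baseline or a policy constant."""
    known_accounts = build_baseline(parse(history_text))
    findings = []
    for e in parse(events_text):
        reasons = []
        if e.kind == "client_install" and e.origin not in APPROVED_INSTALL_CHANNELS:
            reasons.append("install outside approved deployment channel")
        if e.kind == "session_start":
            if e.account not in known_accounts:
                reasons.append("remote account never seen in baseline")
            if not any(ip_address(e.peer) in net for net in APPROVED_RELAY_NETS):
                reasons.append("peer address outside approved relay ranges")
            if e.ts.hour not in BUSINESS_HOURS:
                reasons.append("session outside business hours")
        if reasons:
            findings.append({"user": e.user, "ts": e.ts.isoformat(),
                             "kind": e.kind, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(BASELINE_LOG, NEW_EVENTS):
        print(f"{f['ts']} {f['user']:6} {f['kind']:14} {'; '.join(f['reasons'])}")
```

The legitimate MSP session on 5 May at 10:10 produces no finding; the 02:05 session with a known account is flagged only for timing, which is the kind of single weak signal that should be reviewed rather than auto-blocked, while the 23:40 session to an unseen account from an unapproved range trips all three checks at once.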

And many smaller organizations don’t have dedicated security teams. They rely on managed service providers (MSPs) who may use the same RMM tools—blurring the line between legitimate and hostile access.

A study by the Ponemon Institute found that 60% of organizations rely on MSPs for IT support, which further amplifies the risk of LOTL attacks. The study also found that 70% of organizations lack the necessary security expertise to detect and respond to these types of attacks.

The Bigger Picture

This campaign marks a significant shift in the cyber threat landscape. Attackers are moving away from malware-based attacks and toward exploitation of trusted operational software. This approach is particularly effective because it’s difficult to detect, and the attackers can use the legitimate tools to blend in with the rest of the network traffic.

According to a report by the Cybersecurity and Infrastructure Security Agency (CISA), the use of LOTL attacks is on the rise, with 75% of organizations experiencing at least one LOTL attack in the past year. The report also found that 90% of organizations lack the necessary security controls to detect and respond to these types of attacks.

The implications are far-reaching. Organizations must rethink their security strategies and focus on detecting and responding to behavioral anomalies, rather than just relying on traditional signature-based detection methods. They must also implement strong security controls, such as network segmentation and access controls, to prevent attackers from moving laterally within the network.

It’s Not the Tools—It’s How They’re Used

Let’s be clear: this isn’t a flaw in AnyDesk or Splashtop. The vendors didn’t cut corners. Their software is secure when used correctly. The problem is that trusted access is now the attack vector.

That’s a hard shift for security teams to accept. We’ve spent years teaching users not to download unknown files. But now the threat comes from downloading known, safe files—and then being tricked into granting access.

The abuse of RMM tools in this campaign reflects a broader trend: attackers are moving away from malware and toward manipulation of legitimate tools. MITRE ATT&CK lists this under T1213 (Phishing) and T1071 (Application Layer Protocol), but it’s the combination that’s lethal.

Naming the specific tools matters. Because it’s not just “remote access software”—it’s AnyDesk and Splashtop being actively exploited. Organizations using these platforms need to act, not just hope their vendor will patch something that isn’t broken.

What This Means For You

If you’re a developer building or integrating remote access tools, this should scare you. Your software is now a potential backdoor. That means you can’t just focus on encryption or authentication—you have to design for misuse. Can your tool detect suspicious connection patterns? Does it log session metadata in a way that’s useful for forensic analysis? Can admins revoke access remotely the second something looks off?

For technical founders and IT leaders, the lesson is control. You can’t ban RMM tools—they’re essential. But you can restrict who installs them, require multi-factor approval for remote sessions, and monitor for connections to personal accounts or unauthorized servers. Assume that any legitimate tool can be turned against you. Because it just has.
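The controls listed in the last two paragraphs (restricting who installs the client, requiring a second person's MFA-backed approval for a remote session, refusing remote accounts the organization never enrolled, and keeping session metadata that is useful in a forensic review) can be expressed as a small policy gate. The code below is an added example written for this article, not part of the original post and not the API of AnyDesk, Splashtop or any other product; the group names, enrolled account IDs, ticket numbers and the 30-minute approval window are constructed placeholders.

```python
"""Policy gate and audit record for RMM installs and sessions (added example, not from the article)."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed policy data; replace with directory groups and the RMM console's account export.
INSTALL_ALLOWED_GROUPS = {"it-admins", "msp-operators"}
ENROLLED_RMM_ACCOUNTS = {"msp-support-01", "msp-support-02"}
APPROVAL_MAX_AGE = timedelta(minutes=30)


@dataclass
class Approval:
    ticket: str
    approver: str
    mfa_verified: bool
    issued_at: datetime


@dataclass
class SessionRequest:
    requester: str          # person asking for the session on the target host
    target_host: str
    remote_account: str     # RMM identity that will drive the session
    requested_at: datetime
    approval: Optional[Approval] = None


def install_decision(user: str, groups: set) -> Tuple[bool, str]:
    """Only members of an install-permitted group may install the RMM client."""
    if not groups & INSTALL_ALLOWED_GROUPS:
        return False, f"{user} is not in an install-permitted group"
    return True, "ok"


def session_decision(req: SessionRequest) -> Tuple[bool, str]:
    """Require an enrolled remote account plus a fresh, MFA-verified approval by someone else."""
    if req.remote_account not in ENROLLED_RMM_ACCOUNTS:
        return False, "remote account not enrolled with the organization"
    a = req.approval
    if a is None:
        return False, "no approval recorded"
    if a.approver == req.requester:
        return False, "approver must differ from requester"
    if not a.mfa_verified:
        return False, "approval lacks MFA verification"
    if req.requested_at - a.issued_at > APPROVAL_MAX_AGE:
        return False, "approval expired"
    return True, "ok"


def audit_record(req: SessionRequest, decision: Tuple[bool, str]) -> str:
    """Emit the metadata a forensic reviewer needs, as one JSON line, whether allowed or not."""
    allowed, reason = decision
    return json.dumps({
        "event": "rmm_session_request",
        "time": req.requested_at.isoformat(),
        "requester": req.requester,
        "target_host": req.target_host,
        "remote_account": req.remote_account,
        "approval_ticket": req.approval.ticket if req.approval else None,
        "approver": req.approval.approver if req.approval else None,
        "allowed": allowed,
        "reason": reason,
    }, sort_keys=True)


def demo():
    """Constructed requests: one valid, one with a stale approval, one from an unenrolled account."""
    now = datetime(2026, 5, 5, 10, 0, tzinfo=timezone.utc)
    requests = [
        SessionRequest("alice", "ws-0417", "msp-support-01", now,
                       Approval("CHG-1042", "bob", True, now - timedelta(minutes=5))),
        SessionRequest("alice", "ws-0417", "msp-support-01", now,
                       Approval("CHG-1001", "bob", True, now - timedelta(hours=2))),
        SessionRequest("alice", "ws-0417", "rmm-user-7731", now,
                       Approval("CHG-1043", "bob", True, now)),
    ]
    return [(session_decision(r), audit_record(r, session_decision(r))) for r in requests]


if __name__ == "__main__":
    for decision, record in demo():
        print(record)
```

Denied requests are logged with the same fields as allowed ones; a reviewer reconstructing an intrusion needs the failed attempts as much as the successful session, and the record ties each session to a named approver and ticket rather than to an anonymous client ID.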

We’ve spent decades hardening the perimeter. But when the enemy walks in through the service entrance, holding a valid badge, we need a new kind of defense—one that watches behavior, not just binaries.

Sources: Dark Reading, The Hacker News, SANS Institute, Ponemon Institute, Cybersecurity and Infrastructure Security Agency

About AI Post Daily

Independent coverage of artificial intelligence, machine learning, cybersecurity, and the technology shaping our future.
