Mallory

Attackers Abuse RMM Tools and Bomgar RCE to Breach MSPs and Deploy Ransomware

Tags: ransomware-group-operation, initial-access-method, endpoint-security-bypass, third-party-vendor-breach, perimeter-device-exposure
Updated April 30, 2026 at 08:02 PM (5 sources)
Threat actors increasingly abused legitimate remote monitoring and management (RMM) software for initial access, persistence, credential theft, and defense evasion, with Huntress reporting that RMM abuse accounted for 24% of incidents it observed and surged 277% over the prior year. Campaigns used signed tools including Action1, ScreenConnect, HeartbeatRM, AnyDesk, Atera, and SimpleHelp, often chaining multiple products together to fragment telemetry and complicate containment. Delivery methods included phishing lures themed around the Social Security Administration and invitations, GitHub-hosted payloads, Cloudflare-protected sites, Windows-only filtering, and mobile-only credential harvesting pages; Huntress also observed low-maturity operators using LLM-generated scripts, VPS infrastructure, proxy tooling, combo lists, and utilities designed to hide RMM software from uninstall lists.

Huntress also linked a sustained rise in compromises involving Bomgar instances to exploitation of CVE-2026-1731, a critical remote code execution flaw in BeyondTrust products, with attackers targeting outdated deployments to enter victim networks and pivot into downstream customer environments. Reported incidents hit MSPs and software providers, including a ransomware attack affecting three downstream companies and an MSP breach that forced the isolation of 78 businesses while attackers moved into four customer environments. In affected networks, intruders created privileged accounts, added users to Domain Admins, ran reconnaissance with NetScan and nltest.exe, dropped tooling consistent with security-tool tampering (the PoisonX.sys driver and the HRSword.exe utility), and in several cases launched LockBit or a variant likely built from the leaked LockBit 3.0 builder. The takeaways are to patch BeyondTrust systems to fixed versions, tightly govern trial and remote-access tooling, and monitor for unauthorized RMM activity and privileged-account changes.
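A correlation pass, as an added example and not code from Huntress or Mallory, over constructed endpoint events shaped loosely like Sysmon and Windows Security log records. It covers the behaviours the two paragraphs above describe: an RMM agent that is not the one approved for the host, two RMM products landing on one host inside a day (the daisy-chaining that fragments telemetry), an Uninstall key marked SystemComponent=1 (one known way to hide a program from the uninstall list; the page does not say which method the utilities Huntress saw actually use, so this rule is an assumption), nltest.exe and NetScan reconnaissance, HRSword.exe and a PoisonX.sys driver load, and a freshly created account added to Domain Admins. The agent executable names, the per-host RMM inventory and the sample events are all assumptions built for the example.

```python
"""Correlation rules over constructed endpoint telemetry (added example, not Huntress or Mallory code)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed agent executable names for RMM products named in the report.
# Verify against your own software inventory before using this as a rule.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "action1_agent.exe": "Action1",
    "remote access.exe": "SimpleHelp",
}
# Assumed inventory: the single RMM product each host is supposed to run.
APPROVED_RMM = {"SRV01": {"Atera"}, "WS07": {"Atera"}}
RECON_TOOLS = {"nltest.exe", "netscan.exe"}
EDR_TAMPER_TOOLS = {"hrsword.exe"}        # named in the report as likely security-tool disabling
SUSPICIOUS_DRIVERS = {"poisonx.sys"}      # same
CHAIN_WINDOW = timedelta(hours=24)        # two RMM agents on one host inside this window
DA_WINDOW = timedelta(hours=1)            # 4720 then Domain Admins add inside this window

# Constructed sample events, loosely shaped like Sysmon / Security-log records. Not real telemetry.
SAMPLE_EVENTS = r"""
{"ts":"2026-04-14T02:10:00Z","host":"SRV01","type":"process","image":"C:\\Program Files (x86)\\Atera Networks\\AteraAgent\\AteraAgent.exe"}
{"ts":"2026-04-14T02:12:30Z","host":"SRV01","type":"process","image":"C:\\Users\\Public\\AnyDesk.exe"}
{"ts":"2026-04-14T02:13:05Z","host":"SRV01","type":"registry_set","key":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk\\SystemComponent","value":1}
{"ts":"2026-04-14T02:15:00Z","host":"SRV01","type":"process","image":"C:\\Windows\\System32\\nltest.exe","cmdline":"nltest /domain_trusts /all_trusts"}
{"ts":"2026-04-14T02:20:00Z","host":"DC01","type":"security","event_id":4720,"target":"svc_backup2"}
{"ts":"2026-04-14T02:21:00Z","host":"DC01","type":"security","event_id":4728,"group":"Domain Admins","member":"svc_backup2"}
{"ts":"2026-04-14T02:30:00Z","host":"SRV01","type":"process","image":"C:\\Users\\Public\\HRSword.exe"}
{"ts":"2026-04-14T02:31:00Z","host":"SRV01","type":"driver_load","image":"C:\\Windows\\Temp\\PoisonX.sys"}
{"ts":"2026-04-14T03:00:00Z","host":"WS07","type":"process","image":"C:\\Program Files (x86)\\Atera Networks\\AteraAgent\\AteraAgent.exe"}
"""


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def evaluate(jsonl):
    """Return (rule, host, detail) findings for a batch of JSON-lines events."""
    events = sorted((json.loads(l) for l in jsonl.splitlines() if l.strip()), key=lambda e: e["ts"])
    findings = []
    rmm_first_seen = defaultdict(dict)   # host -> product -> first timestamp
    created = {}                         # new account (lower-cased) -> 4720 timestamp
    for ev in events:
        host, t = ev["host"], _ts(ev["ts"])
        if ev["type"] == "process":
            name = _basename(ev["image"])
            if name in RMM_BINARIES:
                product = RMM_BINARIES[name]
                rmm_first_seen[host].setdefault(product, t)
                if product not in APPROVED_RMM.get(host, set()):
                    findings.append(("unapproved_rmm", host, product))
            if name in RECON_TOOLS:
                findings.append(("recon", host, ev.get("cmdline", name)))
            if name in EDR_TAMPER_TOOLS:
                findings.append(("edr_tamper_tool", host, name))
        elif ev["type"] == "driver_load" and _basename(ev["image"]) in SUSPICIOUS_DRIVERS:
            findings.append(("suspicious_driver", host, _basename(ev["image"])))
        elif ev["type"] == "registry_set":
            # SystemComponent=1 under an Uninstall key hides the entry from Programs and Features.
            key = ev["key"].lower()
            if "\\uninstall\\" in key and key.endswith("\\systemcomponent") and str(ev.get("value")) == "1":
                findings.append(("rmm_hidden_from_uninstall", host, ev["key"]))
        elif ev["type"] == "security":
            if ev["event_id"] == 4720:                      # user account created
                created[ev["target"].lower()] = t
            elif ev["event_id"] in (4728, 4732) and ev.get("group", "").lower() == "domain admins":
                member = ev["member"]
                born = created.get(member.lower())
                age = "new account" if born and t - born <= DA_WINDOW else "existing account"
                findings.append(("domain_admins_added", host, f"{member} ({age})"))
    # Daisy-chaining: more than one RMM product first seen on a host inside CHAIN_WINDOW.
    for host, products in rmm_first_seen.items():
        if len(products) >= 2:
            stamps = sorted(products.values())
            if stamps[-1] - stamps[0] <= CHAIN_WINDOW:
                findings.append(("rmm_daisy_chain", host, ",".join(sorted(products))))
    return findings


if __name__ == "__main__":
    for rule, host, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:26} {host:6} {detail}")
```

On the sample batch the pass raises seven findings on SRV01 and DC01 and none on WS07, whose only RMM agent is the approved one. The point of keeping a per-host inventory rather than a global allowlist is that every product in `RMM_BINARIES` is legitimate software; what makes AnyDesk suspicious on SRV01 is that nobody approved it there, and that it arrived minutes after the existing agent.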

Timeline

  1. Apr 17, 2026

    Huntress publishes report on surge in Bomgar exploitation

    On April 17, 2026, Huntress published findings describing a sustained rise in compromises involving Bomgar RMM instances, likely tied to CVE-2026-1731. The report urged organizations to patch to fixed versions, audit RMM usage, and monitor for unauthorized privileged accounts and suspicious remote access tool execution.

  2. Apr 15, 2026

    MSP compromise forces isolation of 78 businesses

    On April 15, 2026, a Bomgar-related compromise at an MSP led to the mass isolation of 78 businesses and follow-on exploitation across four customer environments. Huntress observed associated tactics including Domain Admin abuse, reconnaissance with NetScan and nltest.exe, and possible security-tool disabling via PoisonX.sys and HRSword.exe.

  3. Apr 14, 2026

    Bomgar-linked ransomware incident impacts three downstream companies

    On April 14, 2026, Huntress documented a ransomware event tied to Bomgar exploitation that affected three downstream companies. In multiple incidents, attackers deployed LockBit ransomware or a variant likely built from the leaked LockBit 3.0 builder.

  4. Apr 3, 2026

    Second wave of Bomgar exploitation intensifies

    Around April 3, 2026, Huntress observed another wave of exploitation targeting outdated Bomgar deployments. The activity included persistence, reconnaissance, unauthorized account creation, and deployment of remote access tools such as AnyDesk, Atera, ScreenConnect, and SimpleHelp.

  5. Feb 12, 2026

    First wave of Bomgar exploitation activity begins

    Beginning around February 12, 2026, Huntress observed a wave of compromises involving vulnerable Bomgar instances. Attackers used access to enter victim networks, pivot into downstream customer environments, and establish persistence.

  6. Feb 1, 2026

    BeyondTrust discloses critical Bomgar RCE flaw CVE-2026-1731

    In February 2026, BeyondTrust disclosed the critical remote code execution vulnerability CVE-2026-1731 affecting Bomgar/Remote Support-related deployments. Huntress later linked a sustained rise in Bomgar compromises to exploitation of this flaw against outdated instances.

  7. Jan 31, 2026

    RMM abuse campaigns continue through January 2026

    Through January 2026, Huntress continued to observe campaigns abusing legitimate RMM software, including cases where actors used LLM-generated scripts for infostealing and deployment despite generally low technical maturity. Huntress also gained direct visibility into attacker workflows after some threat actors signed up for the Huntress platform itself.

  8. Dec 1, 2025

    Threat actors begin daisy-chaining legitimate RMM tools in campaigns

    From December 2025, Huntress observed mostly low-skill threat actors chaining signed remote management tools such as Action1, ScreenConnect, and HeartbeatRM to gain persistence, fragment telemetry, steal credentials, and hinder detection. The campaigns also used phishing lures, GitHub-hosted payloads, Cloudflare-protected delivery sites, and MSI installers.

Sources

go.intel471.com
go.intel471.com
April 17, 2026 at 12:00 AM
February 20, 2024 at 12:00 AM

Related Stories

Surge in Cyberattacks Leveraging RMM Tools for Malware Deployment

Cybercriminals have increasingly targeted remote monitoring and management (RMM) tools to deploy malware and conduct large-scale cyberattacks. In 2025, attacks on RMM tools surged, with 51 different solutions identified as targets by security researchers. RMM tools, which became more prevalent during the COVID-19 pandemic to support remote work, are now being weaponized by threat actors due to their deep integration into enterprise IT environments. These tools, such as SuperOps and TeamViewer, are commonly used by IT professionals and managed service providers (MSPs) to remotely monitor, manage, and maintain client systems through centralized dashboards. Adversaries exploit these platforms by obtaining authenticated credentials, allowing them to bypass traditional security alerts and alarms. Once inside, attackers can disable scheduled backups, destroy system images and restore points, and push ransomware or other malicious payloads to thousands of endpoints simultaneously. The legitimate appearance of RMM tool traffic often allows malicious activity to evade anomaly detection systems, creating a persistent blind spot for network defenders. The elevated permissions typically granted to RMM platforms enable attackers to escalate privileges, move laterally within networks, and deliver malware efficiently. Compromising an MSP’s RMM infrastructure can have a supply chain effect, enabling attackers to pivot into multiple client environments and significantly amplifying the potential impact. This method of attack not only increases the blast radius but also enhances the monetization opportunities for cybercriminals. Security experts warn that the widespread use and trust in RMM tools make them an attractive and effective vector for cyberattacks. Organizations are urged to implement stronger authentication, monitor RMM tool usage closely, and restrict access to minimize risk. 
The trend highlights the need for enhanced vigilance and updated security controls around remote access and management solutions. The attacks demonstrate how tools designed for convenience and efficiency can become significant liabilities if not properly secured. The ongoing exploitation of RMM tools underscores the evolving tactics of cybercriminals in targeting trusted IT infrastructure. As attackers continue to refine their methods, defenders must adapt by prioritizing the security of remote management platforms. The surge in RMM tool exploitation serves as a stark reminder of the importance of supply chain security and the risks posed by third-party service providers. Organizations should review their incident response plans to ensure rapid detection and containment of attacks involving RMM platforms. The cybersecurity community continues to monitor this threat landscape, emphasizing the critical need for proactive defense measures.

1 month ago
Ransomware operators abuse legitimate remote administration tools and exploit SmarterMail flaws for initial access and persistence

**Ransomware activity is increasingly blending into normal IT operations** by combining exploitation of internet-facing software with the use of legitimate remote access and monitoring tools. Huntress reported multiple intrusions tied to the **Crazy** ransomware gang where attackers deployed *Net Monitor for Employees Professional* and the *SimpleHelp* remote support client to maintain persistence, evade detection, and stage for ransomware deployment. The actors installed the monitoring agent via `msiexec.exe` directly from the vendor site, then used it for interactive control (desktop viewing, file transfer, command execution); they also added redundant access by installing SimpleHelp via PowerShell and disguising binaries with benign-looking names (e.g., `vshost.exe`) and paths such as `C:\ProgramData\OneDriveSvc\OneDriveSvc.exe`. In parallel, ransomware groups have been observed **actively exploiting recently patched SmarterTools SmarterMail vulnerabilities** that enable unauthenticated compromise of mail servers. SC Media reported that CISA added **CVE-2026-24423** to the KEV catalog after it was linked to ransomware campaigns; the flaw enables unauthenticated RCE via SmarterMail’s `ConnectToHub` API by delivering a malicious OS command from a remote server. A second issue, **CVE-2026-23760**, allows authentication bypass through the password reset API (`force-reset-password`) by not validating the old password; ReliaQuest attributed active exploitation of this weakness to a China-based actor tracked as **Storm-2603**, which reportedly chained the bypass with SmarterMail’s *Volume Mount* feature to reach RCE, activity assessed as staging consistent with **Warlock** ransomware operations (even when ransomware was not yet deployed).

1 month ago
Threat Actors Expand Remote Monitoring and Management Abuse With Fake RMM Malware

Proofpoint reported a new **malware-as-a-service (MaaS)** offering that masquerades as a legitimate remote monitoring and management (RMM) product, branding itself as **TrustConnect** (delivered as “TrustConnect Agent”). Proofpoint assessed with *moderate confidence* that the actor behind TrustConnect was also a prominent user of **Redline stealer**, and said it worked with intelligence partners to disrupt parts of the malware’s infrastructure; the actor quickly showed resilience by standing up another fake RMM-themed site advertising a related malware variant called **DocConnect**. Proofpoint highlighted that attackers continue to favor RMM-style tooling for initial access and post-compromise control because it blends into normal enterprise remote support activity. Separately, Dark Reading summarized findings from Huntress’ 2026 Cyber Threat Report indicating a broad surge in **RMM abuse** as an intrusion strategy, citing a **277% year-over-year increase** in malicious RMM deployments and a corresponding decline in traditional malware usage. The report described RMM tooling as attractive to threat actors for stealth, persistence, and operational efficiency, and noted commonly abused products including **ConnectWise ScreenConnect**, **AnyDesk**, **Atera**, **NetSupport**, **PDQ Connect**, and **Splashtop**, with healthcare and technology seeing the largest increases. Together, the reporting underscores both the industrialization of RMM abuse and the emergence of purpose-built “fake RMM” malware offerings designed to look like enterprise remote support software.

1 month ago