Threat actors are exploiting Remote Monitoring and Management (RMM) tools to gain control of systems and extract sensitive information.
Cybercriminals are increasingly abusing Remote Monitoring and Management (RMM) software to gain unauthorised access to corporate systems. A new attack campaign demonstrates how legitimate IT tools can become powerful weapons in the wrong hands. The threat leverages the inherent trust placed in RMM solutions, turning essential administrative software into a conduit for data theft and potential ransomware deployment.

The campaign employs a dual-RMM strategy that significantly improves attacker persistence and control. By deploying both Atera and Splashtop Streamer at the same time, the threat actors retain access even if one RMM tool is discovered and removed by security teams. This redundancy is a concerning evolution in attack methodology: the attackers prioritise maintaining long-term access over stealth.
The attack begins with a carefully crafted phishing email sent from compromised Microsoft 365 accounts to undisclosed recipient lists. The messages impersonate Microsoft OneDrive notifications, complete with authentic-looking Word document icons and privacy footers to establish legitimacy. The emails contain malicious links hosted on Discord's Content Delivery Network (cdn.discordapp.com), exploiting the platform's reputation as a trusted service to bypass initial security filters. Sublime Security researchers identified the campaign through their AI-powered detection engine, which flagged multiple suspicious indicators, including file extension manipulation and OneDrive impersonation tactics.

The infection mechanism relies on file extension manipulation to evade scrutiny. Victims receive a link to what appears to be a .docx document, but the link actually downloads a file named Scan_Document_xlsx.docx.msi. This double extension exploits user expectations while hiding the executable nature of the payload. Upon execution, the malicious MSI package starts a multi-stage installation: the Atera Agent installs through an attended process that requires user interaction, while two silent installations run in the background, Splashtop Streamer and Microsoft .NET Runtime 8. These components are downloaded directly from their respective legitimate sources, so the resulting network traffic looks entirely benign to security monitoring systems. The attack's sophistication lies in this use of legitimate infrastructure for payload delivery.
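The two detection opportunities described above (a document-disguised executable such as Scan_Document_xlsx.docx.msi served from an abused hosting service, and two different RMM agents installed on one host within minutes of each other) can both be checked with simple log-driven logic. The script below is an added example written for this article; it is not code from Sublime Security or the RMM vendors. The log line format, timestamps, host names and the second URL are constructed for the example, and the lists of executable extensions, document extensions and abused hosts are assumptions to be extended for a real deployment.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Final extensions that Windows executes on double-click (assumed list; extend as needed).
EXECUTABLE_EXT = {"msi", "exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1"}
# Document extensions an attacker inserts before the real one to mislead the user.
DOCUMENT_EXT = {"docx", "doc", "xlsx", "xls", "pptx", "ppt", "pdf", "txt"}
# Hosting services whose reputation is abused for payload delivery; cdn.discordapp.com is from the article.
ABUSED_HOSTS = {"cdn.discordapp.com"}
# RMM product names to correlate on; Atera and Splashtop are the two named in the article.
RMM_PRODUCTS = {"atera agent": "Atera", "splashtop streamer": "Splashtop"}


def double_extension_findings(filename: str) -> list:
    """Return the reasons a filename looks like a document-disguised executable.

    For 'Scan_Document_xlsx.docx.msi': the final extension .msi is executable,
    the inner '.docx' token imitates a document, and the basename ends in '_xlsx'.
    """
    parts = filename.lower().split(".")
    findings = []
    if len(parts) < 2:
        return findings
    final_ext, inner = parts[-1], parts[1:-1]
    if final_ext in EXECUTABLE_EXT:
        for token in inner:
            if token in DOCUMENT_EXT:
                findings.append(f"inner '.{token}' masks executable '.{final_ext}'")
        # A document type glued onto the basename with '_' or '-' (e.g. 'Scan_Document_xlsx').
        m = re.search(r"[_-]([a-z]{3,4})$", parts[0])
        if m and m.group(1) in DOCUMENT_EXT:
            findings.append(f"basename suffix '_{m.group(1)}' imitates a document type")
    return findings


def classify_download(url: str) -> dict:
    """Score a download link: disguised-executable name plus abused hosting service.

    The name check decides the verdict; the hosting service is recorded as supporting context.
    """
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1]
    name_findings = double_extension_findings(filename)
    findings = list(name_findings)
    if parsed.hostname in ABUSED_HOSTS:
        findings.append(f"payload hosted on commonly abused service {parsed.hostname}")
    return {"filename": filename, "findings": findings, "suspicious": bool(name_findings)}


# Constructed install-log format for this example (not a real Windows event format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) product='(?P<product>[^']+)' action=(?P<action>\w+)$"
)


def correlate_rmm_installs(lines, window_minutes: int = 15) -> dict:
    """Return {host: [products]} for hosts where two or more distinct RMM agents
    were installed within window_minutes of each other (the dual-RMM pattern)."""
    window = timedelta(minutes=window_minutes)
    per_host = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "install":
            continue
        product = RMM_PRODUCTS.get(m["product"].lower())
        if product is None:  # not an RMM agent (e.g. the .NET runtime), ignore
            continue
        ts = datetime.fromisoformat(m["ts"])
        per_host.setdefault(m["host"], []).append((ts, product))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (t0, p0) in enumerate(events):
            names = {p0}
            for t1, p1 in events[i + 1:]:
                if t1 - t0 <= window:
                    names.add(p1)
            if len(names) >= 2:
                alerts[host] = sorted(names)
                break
    return alerts


# Constructed sample data (not from the article): one disguised link, one benign document link.
SAMPLE_URLS = [
    "https://cdn.discordapp.com/attachments/111/222/Scan_Document_xlsx.docx.msi",
    "https://files.example.com/reports/Q2_summary.docx",
]
SAMPLE_INSTALL_LOG = """
2024-06-03T09:14:02 host=WS-042 product='Atera Agent' action=install
2024-06-03T09:14:40 host=WS-042 product='Microsoft .NET Runtime 8' action=install
2024-06-03T09:15:11 host=WS-042 product='Splashtop Streamer' action=install
2024-06-03T10:02:00 host=WS-017 product='Splashtop Streamer' action=install
""".strip().splitlines()

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(classify_download(url))
    print(correlate_rmm_installs(SAMPLE_INSTALL_LOG))
```

Run as-is, the script flags the first URL on three counts (inner .docx masking .msi, the _xlsx basename suffix, and the Discord CDN host), leaves the second alone, and raises a dual-RMM alert for WS-042 only, since the .NET Runtime install is not an RMM agent and WS-017 received a single agent. In a real pipeline the install lines would come from software-inventory or installer telemetry and the URL check from mail or proxy logs; the thresholds and product lists are the parts to tune.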