RMM Tools (Syncro, SuperOps, NinjaOne, etc.) Being Distributed Disguised as Video Files
AhnLab SEcurity intelligence Center (ASEC) recently discovered attacks that abuse RMM tools such as Syncro, SuperOps, NinjaOne, and ScreenConnect. The threat actors distributed a PDF file that prompted users to download and run the RMM installer from a distribution page disguised as Google Drive. The certificate used to sign the malware shows that the threat actor has been carrying out similar attacks since at least October 2025.
1. PDF Malware
While the initial distribution method is unknown, the PDF files used in the attacks carry names built around keywords such as “Invoice,” “Product Order,” and “Payment.” They were presumably distributed as attachments to phishing emails.
| Name |
|---|
| Defective_Product_Oder.pdf |
| Defective_Product_OrderID2342-22235-22375.pdf |
| Defective Product Oder# 141-8912-3411.pdf |
| Defective Product Oder #922-1206-9847.pdf |
| Help_Product.pdf |
| Invoice_Details.PDF |
| Product.pdf |
| product_view.pdf |
| video_payment_error.pdf |
Table 1. Names of the distributed PDF documents
When the PDF document is opened, the following screen is displayed. The document states that the preview cannot be shown because of the image’s high quality and instead prompts the user to click a Google Drive link. In another variant, the message “Failed to load PDF document” is displayed and the user is redirected to the “adobe-download-pdf[.]com” website, so the threat actor impersonates Adobe to make the user believe a legitimate PDF viewer or file is being downloaded.

Figure 1. The PDF malware used in the attack – 1

Figure 2. PDF malware used in the attack – 2
At the time of analysis, the link was still accessible and led to a page disguised as Google Drive that shows the file name “Video_recorded_on_iPhone17.mp4,” so users may believe they are downloading a video file. The downloaded file itself is named in the format “Video_recorded_on_iPhone17.mp4 Drive.google.com,” again disguising it as an MP4 video.

Figure 3. Screen of the Google Drive phishing page
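The disguise described above relies on a file name that embeds a media extension and then appends further text, so the true extension is not what the user reads. The following script, an added example that is not part of the ASEC report, applies three simple checks to download file names: a media or document extension that is not the final extension, a final extension that Windows actually executes (the extension lists are an assumption of this example, not from the report; “.com” is included because Windows treats it as executable, so the report’s sample name trips that rule by its spelling alone), and a domain-like token glued onto the name. The sample names other than the report’s are constructed for contrast.

```python
import re
from pathlib import PureWindowsPath

# Extensions a user reads as harmless media or documents (assumption of this example).
MEDIA_EXTS = {".mp4", ".mov", ".avi", ".mkv", ".jpg", ".png", ".pdf"}
# Extensions Windows will execute when double-clicked (".com" is in PATHEXT too).
EXEC_EXTS = {".exe", ".com", ".msi", ".scr", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
# A whitespace-separated, domain-looking token glued onto the end of the name,
# e.g. "Drive.google.com" in the report's sample.
APPENDED_DOMAIN_RE = re.compile(
    r"(?<=\s)[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\.(?:com|net|org|io|co)$", re.I)


def analyze_name(name: str) -> list[str]:
    """Return the rule names a download file name trips (empty if it looks ordinary)."""
    reasons = []
    lowered = name.strip().lower()
    final_ext = PureWindowsPath(name.strip()).suffix.lower()

    # Rule 1: a media/document extension occurs, but text follows it, so it is not
    # the real extension ("video.mp4 <text>" or the classic "video.mp4.exe").
    for ext in MEDIA_EXTS:
        idx = lowered.find(ext)
        if idx != -1 and idx + len(ext) < len(lowered):
            reasons.append("media-ext-not-final")
            break

    # Rule 2: whatever the user sees, the final extension is one Windows executes.
    if final_ext in EXEC_EXTS:
        reasons.append("executable-final-ext")

    # Rule 3: a domain name is appended so the file looks like "downloaded from <site>".
    if APPENDED_DOMAIN_RE.search(name.strip()):
        reasons.append("appended-domain")
    return reasons


def triage(names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious name to its reasons; ordinary names are omitted."""
    return {n: r for n in names if (r := analyze_name(n))}


# Constructed sample: the report's disguised download name plus ordinary names for contrast.
SAMPLE_NAMES = [
    "Video_recorded_on_iPhone17.mp4 Drive.google.com",  # name quoted in the report
    "holiday.mp4",                                      # constructed, benign
    "Invoice_Details.PDF",                              # from Table 1, a plain PDF name
    "report.pdf.exe",                                   # constructed double-extension case
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

The checks are deliberately name-based so they can run on download logs or mail-gateway attachment lists without access to the file content; any hit is a reason to inspect the actual file type rather than a verdict on its own.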
2. RMM
2.1. Syncro RMM
Syncro RMM is a remote monitoring and management tool for Managed Service Providers (MSPs) and IT teams. Remote Monitoring and Management (RMM) tools are used legitimately by organizations to remotely control the systems they are installed on. Because they are legitimate software rather than malware such as backdoors or Remote Access Trojans (RATs), threat actors are increasingly abusing them: security products such as firewalls and anti-malware solutions that are limited to detecting and blocking known malware strains do not flag them.

Figure 4. Syncro’s website
A case of malware distribution using LogMeIn and PDQ Connect, remote control tools and RMM solutions, was reported in November 2025. [1] Syncro has also been used by various threat actors in the past, including the ransomware operators Chaos [2] and Royal [3], as well as the Chinese APT group MuddyWater [4].
The downloaded malware is an installer created with Advanced Installer that installs Syncro on the infected system when executed. Although the threat was no longer active at the time of writing, the installer was distributed signed with a valid certificate.

Figure 5. Certificate used to sign the malware
While the specific details are not known, values such as “key” and “customerid” are passed as execution parameters during installation. As with other RMM tools, these values likely identify the account, and therefore the threat actor. Given that several Syncro installation files with the same key and customer ID were distributed intensively in the second half of 2025, the same threat actor is likely responsible.
| Item | Value |
|---|---|
| Key | yK0UAOaHHwdbYDOp_sr51w |
| Customer ID | 1709830 |
Table 2. Syncro RMM configuration information

Figure 6. Process tree when Syncro RMM is installed
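Because the key and customer ID in Table 2 identify the threat actor’s account, they are useful as detection indicators on process-creation telemetry. The following script is an added example, not part of the ASEC report, that evaluates Sysmon-style process-creation events against three rules: the Table 2 values appearing in the command line, an RMM installer running out of a user-writable download location, and an RMM installer launched interactively rather than by a deployment agent. The “key=… customerid=…” argument syntax, the installer file names, the parent-process lists and every path in the sample events are assumptions or constructed placeholders, not Syncro’s or the other vendors’ real install locations.

```python
import re
from dataclasses import dataclass

# Campaign indicators taken from Table 2 of the report.
SYNCRO_KEY = "yK0UAOaHHwdbYDOp_sr51w"
SYNCRO_CUSTOMER_ID = "1709830"

# RMM products named in the report; matched against the image file name
# (assumption: the installer's name carries the product name).
RMM_NAMES = ("syncro", "screenconnect", "connectwise", "ninjaone", "superops")

# User-writable locations an interactively downloaded file typically runs from.
USER_PATH_RE = re.compile(
    r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
# Parents indicating a user double-clicked the file (assumed list for this example).
INTERACTIVE_PARENTS = ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe")


@dataclass
class Finding:
    record_id: int
    rule: str
    severity: str
    detail: str


def evaluate(event: dict) -> list[Finding]:
    """Run all rules against one process-creation event (Sysmon-style field names)."""
    findings = []
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    rid = event["RecordId"]

    # Rule 1: the report's Syncro key or customer ID in the install parameters.
    if SYNCRO_KEY in cmd or re.search(
            r"customerid\W{0,3}" + SYNCRO_CUSTOMER_ID + r"\b", cmd, re.I):
        findings.append(Finding(rid, "rmm-known-campaign-ioc", "high",
                                "Syncro key/customer ID from Table 2 present"))

    is_rmm = any(n in image.lower() for n in RMM_NAMES)
    # Rule 2: an RMM installer executing from a user-writable download location.
    if is_rmm and USER_PATH_RE.search(image):
        findings.append(Finding(rid, "rmm-install-from-user-path", "medium",
                                f"RMM installer in user path: {image}"))
    # Rule 3: an RMM installer launched interactively instead of by a deployment agent.
    if is_rmm and parent in INTERACTIVE_PARENTS:
        findings.append(Finding(rid, "rmm-interactive-launch", "medium",
                                f"parent process {parent}"))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in evaluate(e)]


# Constructed sample events (not from a real host); all paths are placeholders.
SAMPLE_EVENTS = [
    {"RecordId": 1,   # the disguised download itself, as the user runs it
     "Image": r"C:\Users\jdoe\Downloads\Video_recorded_on_iPhone17.mp4 Drive.google.com",
     "CommandLine": r'"C:\Users\jdoe\Downloads\Video_recorded_on_iPhone17.mp4 Drive.google.com"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": 2,   # hypothetical Syncro setup spawned by the installer with Table 2 values
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\MSI1234.tmp\SyncroSetup.exe",
     "CommandLine": "SyncroSetup.exe key=yK0UAOaHHwdbYDOp_sr51w customerid=1709830",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"RecordId": 3,   # placeholder legitimate MSP deployment pushed by a management agent
     "Image": r"C:\ProgramData\ExampleMSP\Deploy\SyncroSetup.exe",
     "CommandLine": "SyncroSetup.exe key=EXAMPLE_TENANT_KEY customerid=000000",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},
    {"RecordId": 4,   # hypothetical NinjaOne installer double-clicked from the desktop
     "Image": r"C:\Users\jdoe\Desktop\NinjaOneAgent-setup.exe",
     "CommandLine": '"C:\\Users\\jdoe\\Desktop\\NinjaOneAgent-setup.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": 5,   # ordinary activity
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] record {f.record_id}: {f.rule} ({f.detail})")
```

Rule 1 is the only rule specific to this campaign; rules 2 and 3 are generic and will also fire on an administrator hand-installing an RMM agent, so they are best treated as enrichment for an allow-listed set of sanctioned RMM products rather than as stand-alone alerts.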
2.2. ConnectWise ScreenConnect
Malware samples signed with the same certificate show that various RMM tools have been abused since October 2025. ScreenConnect is an RMM and remote support solution that provides remote access and screen control features for tasks such as disaster response and maintenance. It has been abused by various threat actors, including ransomware groups such as ALPHV/BlackCat [5] and Hive [6].

Figure 7. Process tree when ScreenConnect is installed
2.3. NinjaOne, SuperOps
Other malware strains signed with the same certificate include NinjaOne and SuperOps. NinjaOne is a cloud-based RMM solution used for remotely monitoring and managing a company’s IT infrastructure. It offers features such as remote access, patch and software deployment, performance monitoring, and IT asset management. SuperOps is also a cloud-based RMM/PSA integrated solution designed for MSPs (Managed Service Providers). It offers features such as remote access, asset and patch management, and monitoring.

Figure 8. SuperOps website
2.4. Downloader
The malware signed with this certificate includes not only RMM installers but also downloaders. The downloader is built with NSIS, and its embedded NSI script contains a command to download additional payloads. The download address has previously been used to distribute NinjaOne RMM, and the malicious script itself also contains the keyword “NinjaOne.”

Figure 9. NSIS installer for installing NinjaOne RMM
3. Conclusion
Users must be extra cautious when opening emails from unknown sources: verify that the sender is trustworthy and do not open suspicious links or attachments. Users should also keep their operating system and security products updated to the latest version to protect themselves from known threats.