Detection of Recent RMM Distribution Cases Using AhnLab EDR
AhnLab SEcurity intelligence Center (ASEC) has recently observed an increase in attack cases exploiting Remote Monitoring and Management (RMM) tools. Whereas attackers previously exploited remote control tools during the process of seizing control after initial penetration, they now increasingly leverage RMM tools even during the initial distribution phase across diverse attack scenarios. This article covers recently identified RMM exploitation cases and detection methods using AhnLab EDR.
1. Threat Monitoring Using EDR
RMM tools enable remote control of the systems they are installed on and are legitimately used by organizations for IT management. Precisely because they allow remote control, attackers abuse them to seize control of infected systems in the same way as backdoors or RAT malware. From the attacker’s point of view, RMM tools have the added advantage of evading detection by security products: unlike typical malware, they are legitimate software, so antivirus products cannot simply detect and block them. It is therefore necessary to monitor and respond to suspicious behavior using EDR.
AhnLab EDR (Endpoint Detection and Response) is a next-generation endpoint threat detection and response solution. It provides robust threat monitoring, analysis, and response capabilities for the endpoint domain, based on Korea’s only behavior-based analysis engine. AhnLab EDR continuously collects information on suspicious behaviors by type, enabling users to accurately recognize threats from a detection, analysis, and response perspective. This allows for comprehensive analysis to identify root causes, establish appropriate responses, and implement recurrence prevention processes.
2. Examples of Malware Disguised as Legitimate Software
The ASEC Blog post “Distribution of Malware Abusing LogMeIn and PDQ Connect” [1] addressed cases exploiting the LogMeIn and PDQ Connect tools. LogMeIn was distributed disguised as legitimate programs, impersonating not only Notepad++ and 7-zip but also Telegram, ChatGPT, OpenAI, and others.
Users likely downloaded LogMeIn Resolve from malicious download pages via ad pages disguised as legitimate software. These websites are disguised as download pages for free utilities like Notepad++ and 7-zip, but actually download the attacker’s LogMeIn Resolve.

Figure 1. Disguised utility download page
LogMeIn Resolve is an RMM tool supporting functions like remote support, patch management, and monitoring. When users install LogMeIn, it registers with LogMeIn’s infrastructure, potentially allowing attackers to seize control. Attackers exploited LogMeIn to execute PowerShell commands and install the backdoor malware PatoRAT.
Note that PatoRAT was also installed via PDQ Connect, not just LogMeIn Resolve. PDQ Connect is an RMM tool similar to LogMeIn Resolve, providing functions like software package distribution, patch management, inventory, and remote control. Attackers induced installation of PDQ Connect and then exploited it in the same manner as LogMeIn Resolve to install PatoRAT.

Figure 2. Malware installation log using PDQ Connect
AhnLab EDR detects the execution of LogMeIn and PDQ Connect on the system as a threat, helping administrators recognize this activity proactively.

Figure 3. Detection of LogMeIn execution behavior using AhnLab EDR

Figure 4. Detection of PDQ Connect execution behavior using AhnLab EDR
3. Phishing Attack Cases Disguised as Legitimate Documents
The ASEC Blog post “RMM Tools (Syncro, SuperOps, NinjaOne, etc.) Being Distributed Disguised as Video Files” [2] discussed cases in which various remote management tools were distributed via phishing emails. The PDF files used in the attacks had names containing keywords such as “Invoice,” “Product Order,” and “Payment.” When opened, they showed a preview that could not be viewed and instead prompted the user to click a Google Drive link.

Figure 5. PDF malware used in the attack
The malware distributed through these attacks is an RMM tool named Syncro. Syncro RMM is a remote monitoring and management tool for Managed Service Providers (MSPs) and IT teams. It has also been abused by threat actors such as Chaos [3] and Royal [4], as well as the Iranian APT threat group MuddyWater [5].

Figure 6. Syncro’s homepage
Looking at malware signed with the same certificate, various other RMM tools have also been exploited since October 2025. ScreenConnect is an RMM/remote support solution providing remote access and screen control for troubleshooting and maintenance. It is also exploited by various attackers, including the ransomware attackers ALPHV/BlackCat [6] and Hive [7].

Figure 7. Certificate used in malware signatures
NinjaOne and SuperOps were also identified. NinjaOne is a cloud-based RMM solution for remotely monitoring and managing corporate IT infrastructure. It supports functions such as remote access, patch and software deployment, performance monitoring, and IT asset management. SuperOps is likewise a cloud-based integrated RMM/PSA solution targeting MSPs (Managed Service Providers), supporting functions such as remote access, asset and patch management, and monitoring.
AhnLab EDR detects the execution of RMM tools identified in phishing attack cases—namely Syncro, ScreenConnect, NinjaOne, and SuperOps—as threats, helping administrators recognize them proactively.

Figure 8. Detection of Syncro execution behavior using AhnLab EDR

Figure 9. Detection of ScreenConnect execution behavior using AhnLab EDR

Figure 10. Detection of NinjaOne execution behavior using AhnLab EDR

Figure 11. Detection of SuperOps execution behavior using AhnLab EDR
4. Conclusion
Users should verify the official website when downloading utilities and inspect the version information or certificates of downloaded files to confirm they are the intended installation files. Extra caution is required when viewing emails from unverified sources. It is crucial to verify the sender’s trustworthiness and avoid opening suspicious links or attachments. Additionally, operating systems and security products must be updated to the latest versions to protect against known threats.
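As an added example (not AhnLab’s code and not its EDR telemetry schema), the following triage logic applies the points made in sections 2 and 3 and in the file check recommended above to constructed process events: it flags execution of the RMM tools named in this article, installers whose file name mimics a free utility while their version info names an RMM product, installers launched from a user’s download folder, and RMM agents spawning PowerShell. The field names, paths and executable-name fragments are assumptions.

```python
# Added example, not AhnLab code: field names and paths are constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass

# RMM products named in the article, keyed by a lowercase fragment assumed to appear in their path or ProductName.
RMM_PRODUCTS = {
    "logmein": "LogMeIn Resolve", "pdq": "PDQ Connect", "syncro": "Syncro",
    "screenconnect": "ScreenConnect", "ninja": "NinjaOne", "superops": "SuperOps",
}
# Free utilities the disguised download pages impersonated.
IMPERSONATED = ("notepad++", "7-zip", "7zip", "telegram", "chatgpt", "openai")

@dataclass
class ProcEvent:
    image: str    # full path of the started process
    product: str  # ProductName from the file's version info
    parent: str   # image path of the parent process

def rmm_product(text: str) -> str | None:
    t = text.lower()
    return next((p for k, p in RMM_PRODUCTS.items() if k in t), None)

def triage(ev: ProcEvent) -> list[str]:
    findings = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    prod = rmm_product(ev.product) or rmm_product(ev.image)
    if prod:
        findings.append(f"rmm-execution:{prod}")
        # File is named after a utility but its version info says it is an RMM agent
        if any(u in name for u in IMPERSONATED):
            findings.append(f"disguised-installer:{name}->{prod}")
        # Arrived through a browser download rather than managed deployment
        if "\\downloads\\" in ev.image.lower():
            findings.append("user-download-path")
    # RMM agent spawning a shell: the LogMeIn/PDQ Connect -> PowerShell -> PatoRAT chain
    parent_prod = rmm_product(ev.parent)
    if parent_prod and name in ("powershell.exe", "pwsh.exe", "cmd.exe"):
        findings.append(f"rmm-spawned-shell:{parent_prod}")
    return findings

SAMPLE_EVENTS = [  # constructed events, not real telemetry
    ProcEvent(r"C:\Users\u\Downloads\notepad++_setup.exe", "LogMeIn Resolve", r"C:\Browser\chrome.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Microsoft Windows",
              r"C:\Program Files\PDQ Connect Agent\agent.exe"),
    ProcEvent(r"C:\Program Files\Notepad++\notepad++.exe", "Notepad++", r"C:\Windows\explorer.exe"),
]

def run_sample() -> dict[str, list[str]]:
    return {ev.image.rsplit("\\", 1)[-1]: triage(ev) for ev in SAMPLE_EVENTS}
```

The benign Notepad++ launch produces no findings, while the disguised LogMeIn installer and the PowerShell child of the PDQ Connect agent are each flagged.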
[Behavior Diagnosis]
- Execution/EDR.LogMeIn.M12839
- Execution/EDR.PDQConnect.M12920
- Execution/EDR.Syncro.M13384
- Execution/EDR.ScreenConnect.M11766
- Execution/EDR.Ninja.M13400
- Execution/EDR.SuperOps.M13399