Remote Monitoring and Management (RMM) tools are a vital part of modern IT operations. They help organizations increase efficiency, reduce costs, and manage endpoints remotely. Unfortunately, threat actors have also recognized their value. Over the past year, attackers have increasingly abused both legitimate and rogue RMM tools to gain access, maintain persistence, and execute malicious actions in victim environments.

Recent incidents observed by Huntress highlight a concerning trend: multi-stage attack chains that involve the use of multiple RMM tools, including ScreenConnect, GoTo Resolve, SimpleHelp, TeamViewer, and more. These campaigns often start with phishing or social engineering, then pivot to deploying secondary (or even tertiary) RMMs to ensure that threat actors retain access even if the first tool is removed.

ThreatSTOP’s proactive protections are specifically designed to prevent this type of activity before attackers can establish a foothold in your environment. Our customers frequently report attempts at “shadow IT” access, and AnyDesk consistently ranks as the most common target.

The Growing Threat of Rogue RMMs

Huntress research shows that threat actors are increasingly chaining RMMs for layered persistence. A common attack sequence involves:

  1. Phishing lure leading to the initial RMM installation (e.g., GoTo Resolve).
  2. Secondary RMM deployment (e.g., ScreenConnect or SimpleHelp) for redundant access.
  3. Persistence mechanisms such as scheduled tasks or “living off the land” techniques.
  4. Command-and-control communications to attacker-controlled infrastructure for long-term compromise.

Some notable patterns include:

  • GoTo Resolve → ScreenConnect: Attackers first install a disguised GoTo Resolve client, then use it to deploy ScreenConnect for secondary access.  
  • PDQ → SimpleHelp: Threat actors leverage PDQ to push malicious SimpleHelp instances.  
  • Chained RMM Installations: In some cases, attacks involve three layers of RMMs, ensuring that even if one is removed, others remain active.  

These attacks are dangerous because rogue RMMs can appear legitimate, making it difficult for traditional monitoring to distinguish between authorized and malicious activity.

How ThreatSTOP Blocks Rogue ScreenConnect and RMM Abuse

ThreatSTOP provides Protective DNS and IP-based protections that can prevent rogue RMM activity before it impacts your network:

  • DNS Defense Cloud and DNS Defense block the malicious domains that rogue ScreenConnect and SimpleHelp instances use for command-and-control and, in this case, the phishing domains themselves, neutralizing the entire attack chain.
  • IP Defense stops outbound connections to attacker-controlled IP addresses, cutting off data exfiltration and remote access attempts.

Our Security, Intelligence, and Research team continuously monitors for threats like:

  • Command-and-control infrastructure for rogue RMMs  
  • Malicious executables and phishing lures delivering RMM installers  
  • Abuse of RMM free trial domains or recently registered domains used in attacks
  • We also run software that monitors the rate of change in RMM software across a customer network; a sudden increase in the amount installed can indicate a rogue installation.

By applying ThreatSTOP’s proactive protections across your DNS and network infrastructure, you can prevent these threats even if an endpoint is tricked into running a rogue installer.

Take Control of Your RMM Security Today

Proactive protection is critical in an age where attackers exploit the very tools you trust. ThreatSTOP provides comprehensive coverage for ScreenConnect and other abused RMM platforms, reducing your risk of compromise and persistence-based attacks.  Allow the RMMs you authorize on your network, and block the rest.
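The two defender checks described above (flagging RMMs that are not on your authorized list, and watching for a sudden jump in how many hosts carry an RMM) can be run over an ordinary software-inventory export. The script below is an added example, not ThreatSTOP's or Huntress's code: the inventory rows, the allowlist and the RMM name table are constructed for illustration, and the spike ratio of 2x is an assumed threshold, not a vendor setting. It also reports hosts that carry two or more distinct RMMs, which is the chained-RMM pattern the Huntress research describes.

```python
"""Defender-side checks for rogue RMM activity in a software-inventory feed.

Added example (not ThreatSTOP's or Huntress's code). Assumes an inventory
export of (date, host, product) rows; the allowlist, RMM name table and
spike ratio are illustrative assumptions.
"""
from collections import defaultdict

# Hypothetical allowlist: the RMM products this organization has authorized.
AUTHORIZED_RMMS = {"teamviewer"}

# Product-name substrings that identify an RMM, mapped to a canonical label.
# Only products named in the post are listed; extend for your own estate.
RMM_SIGNATURES = {
    "screenconnect": "screenconnect",
    "connectwise control": "screenconnect",
    "goto resolve": "goto resolve",
    "simplehelp": "simplehelp",
    "teamviewer": "teamviewer",
    "anydesk": "anydesk",
}

# Constructed sample inventory rows (date, host, product); not real telemetry.
SAMPLE_INVENTORY = [
    ("2024-05-01", "ws-01", "TeamViewer 15"),
    ("2024-05-01", "ws-02", "TeamViewer 15"),
    ("2024-05-01", "ws-03", "7-Zip"),
    ("2024-05-02", "ws-01", "TeamViewer 15"),
    ("2024-05-02", "ws-02", "TeamViewer 15"),
    ("2024-05-02", "ws-03", "GoTo Resolve"),
    ("2024-05-02", "ws-03", "ScreenConnect Client"),
    ("2024-05-02", "ws-04", "SimpleHelp Remote Access"),
    ("2024-05-02", "ws-05", "AnyDesk"),
]


def classify_rmm(product):
    """Return the canonical RMM label for a product name, or None if it is not an RMM."""
    name = product.lower()
    for needle, label in RMM_SIGNATURES.items():
        if needle in name:
            return label
    return None


def find_unauthorized(records, allowlist=AUTHORIZED_RMMS):
    """Sorted, de-duplicated (host, rmm) pairs whose RMM is not on the allowlist."""
    found = set()
    for _, host, product in records:
        label = classify_rmm(product)
        if label and label not in allowlist:
            found.add((host, label))
    return sorted(found)


def find_layered_hosts(records):
    """Hosts running two or more distinct RMMs: the chained-RMM persistence pattern."""
    per_host = defaultdict(set)
    for _, host, product in records:
        label = classify_rmm(product)
        if label:
            per_host[host].add(label)
    return {host: sorted(rmms) for host, rmms in per_host.items() if len(rmms) >= 2}


def find_spikes(records, ratio=2.0):
    """Days on which the count of RMM-bearing hosts grew by at least `ratio`
    over the previous observed day. Returns (day, previous_count, count) tuples."""
    hosts_by_day = defaultdict(set)
    for day, host, product in records:
        if classify_rmm(product):
            hosts_by_day[day].add(host)
    days = sorted(hosts_by_day)
    spikes = []
    for prev, cur in zip(days, days[1:]):
        prev_n, cur_n = len(hosts_by_day[prev]), len(hosts_by_day[cur])
        # Guard against a zero baseline so the ratio comparison stays meaningful.
        if prev_n and cur_n >= ratio * prev_n:
            spikes.append((cur, prev_n, cur_n))
    return spikes


if __name__ == "__main__":
    print("unauthorized RMMs:", find_unauthorized(SAMPLE_INVENTORY))
    print("layered hosts:", find_layered_hosts(SAMPLE_INVENTORY))
    print("RMM growth spikes:", find_spikes(SAMPLE_INVENTORY))
```

On the constructed rows, the day-over-day count of RMM-bearing hosts goes from 2 to 5, which trips the 2x spike check; ws-03 shows up both as unauthorized and as a layered host because it carries GoTo Resolve and ScreenConnect together. In a real deployment the same output would feed a block decision at DNS or the network edge for everything not on the allowlist.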

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a Demo today!

Connect with Customers, Disconnect from Risks

MITRE ATT&CK Mapping for Rogue RMM Coverage

Tactic                         | Technique                                       | ThreatSTOP Mitigation
-------------------------------|-------------------------------------------------|---------------------------------------------
Initial Access                 | T1566.001: Phishing Attachment                  | Blocks malicious domains via DNS/IP Defense
Execution                      | T1204.002: User Execution of Malicious File     | Disrupts download of rogue RMM installers
Persistence                    | T1053: Scheduled Task Creation                  | Stops C2 communications for persistence
Command and Control            | T1071.004: Application Layer Protocol (Web)     | Blocks ScreenConnect and SimpleHelp C2 traffic
Exfiltration & Lateral Movement | T1041: Exfiltration Over C2 Channel            | Cuts off outbound traffic to attacker servers