RMM Abuse Explodes as Hackers Ditch Malware

Summary

Huntress’s 2026 Cyber Threat Report highlights a dramatic shift: attackers are increasingly abusing remote monitoring and management (RMM) tools instead of deploying traditional malware. RMM abuse rose 277% year-on-year, with healthcare and technology sectors seeing the biggest upticks. Threat actors favour RMM because it blends with legitimate admin activity, providing stealth, persistence and operational efficiency.

Key Points

  • RMM abuse jumped 277% year-on-year, per Huntress’s 2026 report.
  • Traditional malware usage fell sharply — conventional hacking tools down ~53%; RATs and malicious scripts also declined.
  • Commonly abused products include ScreenConnect (ConnectWise), AnyDesk, Atera, NetSupport, PDQ Connect and SplashTop.
  • Attackers now use RMMs as a unified control hub for command-and-control, credential theft and attack-path redundancy, not just malware delivery.
  • Healthcare and technology industries saw the largest increases in RMM-based intrusions.
  • Detection is hard because malicious actions can mimic legitimate administrative behaviour; telemetry and identity alerts are vital early signals.
  • Mitigations: tighten restrictions on RMM binaries, implement allowlists, monitor identity/geolocation anomalies, and pressure vendors to surface richer telemetry and block abuse.

Content Summary

Researchers observed attackers pivoting from dropping malware to living-off-the-land tactics that exploit enterprise-grade admin tools already present in networks. Instead of using malware as the primary foothold, threat actors deploy or hijack RMM agents and run their operations through those legitimate channels. The report notes specific tool preferences for different tasks (for example, ScreenConnect for credential harvesting and NetSupport for rapid staging).

Post-compromise activity shows RMM telemetry can strongly indicate the likely attack path, giving defenders useful signals — if they collect and act on that telemetry. However, many organisations run RMM binaries with few restrictions, making it easy for adversaries to blend in.

Context and Relevance

This trend is part of a broader move to living-off-the-land techniques that exploit trusted software to evade detection. For defenders, it means traditional antivirus and signature-based controls are less effective; security teams must assume attackers may use legitimate admin tools and focus on telemetry, identity analytics and strict control of management binaries.

The shift also raises questions of vendor responsibility: RMM developers can and should provide richer signals and controls to reduce abuse. Organisations, meanwhile, need tighter allowlisting, network restrictions, multi-factor authentication and monitoring for abnormal admin behaviour (such as logins from unusual geographies or through residential proxies).
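The controls listed above (allowlisting sanctioned RMM products, restricting where their binaries may run from, and watching console logins for unusual geographies or residential proxies) are easier to reason about with a concrete triage routine. The following is an added example, not code from the report, Huntress or Dark Reading. It runs over constructed endpoint process events and RMM console login events; the event schemas, the sanctioned-product list, the executable-name lookup table, the trusted install directories and the residential-proxy ASN set are all assumptions that an organisation would replace with its own inventory and threat-intelligence feeds.

```python
"""
Toy RMM-abuse triage over constructed endpoint and identity events.

Everything below (schemas, lookup tables, sample data) is an assumption
for illustration; swap in your own software inventory and intel feeds.
"""
from dataclasses import dataclass
from collections import defaultdict

# Executable names commonly associated with RMM products named in the report.
# Assumed lookup table: verify each entry against your own inventory.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "client32.exe": "NetSupport",
}

# Directories a centrally deployed agent is expected to run from (assumed).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Parents that should never be launching an RMM agent on a managed host.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powershell.exe", "cmd.exe"}

# Constructed residential-proxy ASNs; a real list comes from threat intel.
RESIDENTIAL_PROXY_ASNS = {"AS999901", "AS999902"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str    # full path of the executed binary
    parent: str   # parent process image name
    user: str


@dataclass(frozen=True)
class LoginEvent:
    user: str
    product: str
    country: str
    asn: str


def triage_process(ev: ProcessEvent, sanctioned: set[str]) -> list[str]:
    """Findings for one process event; an empty list means nothing notable."""
    image = ev.image.lower()
    product = RMM_BINARIES.get(image.rsplit("\\", 1)[-1])
    if product is None:
        return []                       # not an RMM binary we track
    findings = []
    if product not in sanctioned:       # allowlist check on the product itself
        findings.append(f"{ev.host}: unsanctioned RMM '{product}' executed by {ev.user}")
    if not image.startswith(TRUSTED_DIRS):   # agent dropped outside the deployment path
        findings.append(f"{ev.host}: RMM '{product}' running from untrusted path {ev.image}")
    if ev.parent.lower() in SUSPICIOUS_PARENTS:   # user-driven or script-driven launch
        findings.append(f"{ev.host}: RMM '{product}' spawned by {ev.parent}")
    return findings


def baseline_countries(history: list[LoginEvent]) -> dict[str, set[str]]:
    """Per-user set of countries seen in historical console logins."""
    seen: dict[str, set[str]] = defaultdict(set)
    for ev in history:
        seen[ev.user].add(ev.country)
    return seen


def triage_login(ev: LoginEvent, baseline: dict[str, set[str]]) -> list[str]:
    """Flag logins from a country outside the user's baseline or via a proxy ASN."""
    findings = []
    known = baseline.get(ev.user, set())
    if known and ev.country not in known:
        findings.append(f"{ev.user}: {ev.product} login from {ev.country}, baseline {sorted(known)}")
    if ev.asn in RESIDENTIAL_PROXY_ASNS:
        findings.append(f"{ev.user}: {ev.product} login via residential-proxy ASN {ev.asn}")
    return findings


def run_demo() -> dict[str, list[str]]:
    """Run both triage passes over constructed sample events."""
    sanctioned = {"ScreenConnect", "Atera"}          # assumed organisational allowlist
    procs = [   # constructed endpoint telemetry
        ProcessEvent("ws01", r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe", "services.exe", "SYSTEM"),
        ProcessEvent("ws02", r"C:\Users\j.doe\AppData\Local\Temp\AnyDesk.exe", "winword.exe", "j.doe"),
        ProcessEvent("srv03", r"C:\Windows\Temp\client32.exe", "powershell.exe", "svc_backup"),
        ProcessEvent("ws04", r"C:\Program Files\Atera Networks\AteraAgent\AteraAgent.exe", "services.exe", "SYSTEM"),
    ]
    history = [   # constructed 30-day login history
        LoginEvent("j.doe", "ScreenConnect", "GB", "AS5089"),
        LoginEvent("j.doe", "ScreenConnect", "GB", "AS5089"),
        LoginEvent("a.smith", "Atera", "US", "AS7922"),
    ]
    today = [     # constructed logins under review
        LoginEvent("j.doe", "ScreenConnect", "RU", "AS12345"),
        LoginEvent("a.smith", "Atera", "US", "AS999901"),
        LoginEvent("k.lee", "Atera", "DE", "AS3320"),   # no baseline yet: no country finding
    ]
    baseline = baseline_countries(history)
    return {
        "process": [f for ev in procs for f in triage_process(ev, sanctioned)],
        "login": [f for ev in today for f in triage_login(ev, baseline)],
    }


if __name__ == "__main__":
    for kind, items in run_demo().items():
        for line in items:
            print(f"[{kind}] {line}")
```

The three process checks are deliberately independent so that a sanctioned product running from a user-writable directory or spawned by an Office application still produces a finding; that is the "legitimate tool, illegitimate context" pattern the report describes. The login pass keeps a per-user country baseline rather than a global one, which is what makes a single out-of-pattern geography stand out without flagging every traveller.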

Why should I read this?

Because if you look after networks, endpoints or security ops, this is the new headache you can’t ignore. Attackers are skipping the noisy malware stage and hiding inside tools you already trust — so your usual alerts might not catch them. Read this to get the essentials fast and tweak controls before you become next on the list.

Source

Source: https://www.darkreading.com/application-security/rmm-abuse-explodes-hackers-ditch-malware