Remote Access Tools entered the Picus Red Report 2026 Top 10 for the first time since 2023. Arctic Wolf's 2025 Threat Report found that 59.4% of ransomware cases began with external remote access, that RMM tools appeared in 36% of incident response cases in a single quarter, and that 32 different RMM tools were seen in malicious use; Barracuda observed the same uptick in RMM-based campaigns throughout 2025.
T1219 maps to the Command and Control tactic. What makes it uniquely dangerous is that the "malicious" tool is not malicious at all: it is a legitimate, vendor-signed, commercially licensed application that organizations intentionally install, configure, and allowlist. Traditional malware triggers EDR alerts, trips antivirus signatures, and generates network anomalies. An RMM tool rarely does any of these things, because it carries a valid vendor signature, is often allowlisted outright, and talks to the vendor's relay infrastructure over TLS exactly as it does during legitimate IT support.
The technique's return to the top ten reflects a broader adversary strategy of "living off trusted tools." When attackers can install AnyDesk with a silent command, set it to start at boot, configure an unattended access password, and use it as their primary C2 channel — all without triggering a single alert — the economics of custom malware development no longer make sense. The legitimate tool provides everything the attacker needs: remote desktop control, file transfer, command execution, and persistence across reboots.
How RMM Tool Abuse Works
The attack pattern follows one of three models depending on how the attacker obtains access to the RMM tool:
Install-your-own. After gaining initial access through phishing, exploitation, or another technique, the attacker downloads and silently installs an RMM tool on the compromised endpoint. For AnyDesk the vendor's documented switches do it in two commands: anydesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent installs it as a service that starts at boot with no user-visible prompts, and echo <password> | anydesk.exe --set-password sets an unattended-access password so nobody at the console has to accept the session. The result is a persistent, signed, allowlisted C2 channel that survives reboots and blends with normal IT traffic.
Hijack-existing. If the target organization already uses RMM tools, the attacker compromises the RMM instance itself, either by exploiting vulnerabilities in the RMM server (the critical ScreenConnect authentication bypass CVE-2024-1709, scored CVSS 10.0, or the more recent CVE-2025-3935, a ViewState code injection leading to remote code execution) or by credential-stuffing RMM admin accounts. A compromised RMM server gives the attacker control over every managed endpoint without deploying anything new.
Social engineering delivery. The attacker convinces the victim to install the RMM tool themselves. Black Basta ransomware operators have perfected this approach: they mass-subscribe the target's address to legitimate newsletters so the inbox floods, then call the user pretending to be IT support and persuade them to install AnyDesk to "fix the problem." Fake Zoom meeting invitations are another common delivery mechanism, where the phishing link downloads an RMM installer instead of the expected application.
Sub-Techniques
MITRE ATT&CK defines three sub-techniques under T1219 (introduced in v17, April 2025, and carried into v18), reflecting the evolution from purely software-based remote access to include developer tooling and physical hardware:
T1219.001 — IDE Tunneling
Abuse of the remote-development features built into IDEs, with Visual Studio Code Remote Tunnels as the canonical case. The IDE bundles SSH, port forwarding, file transfer and a terminal into a single connection brokered through the IDE vendor's own infrastructure, so the attacker gets shell and file access without a separate remote-desktop session, and the traffic resolves to a trusted developer-tooling domain. There is no desktop session for a user to notice, and the tunnel binary is itself signed developer software.
T1219.002 — Remote Desktop Software
Graphical remote desktop tools that transmit display output, keyboard input, and mouse control between devices. This is the sub-technique where the major RMM platform abuse occurs. The tools most commonly abused include:
| Tool | Adversary Use |
|---|---|
| AnyDesk | The historically dominant tool for malicious RMM use. Silent installation as a service, unattended access password configuration, and file transfer for data exfiltration. Used by Medusa, Akira, LockBit, Black Basta, Karakurt, and RagnarLocker. Becoming easier to detect, causing attacker migration to alternatives. |
| ConnectWise ScreenConnect | Gaining traction among adversaries as AnyDesk detection improves. Stores chat data in memory rather than files (requiring memory forensics for recovery), supports custom installers with unique deployment URLs, and offers REST API integration for automated operations. Critical vulnerabilities (CVE-2024-1709, CVE-2025-3935) have been actively exploited. |
| TeamViewer | Long history of abuse dating back to state-sponsored campaigns. Used by MuddyWater/Static Kitten targeting UAE and Kuwait government agencies, and by cybercrime groups for persistent access. |
| Atera | Cloud-based RMM with agent deployment capabilities. APT groups have abused Atera's management features for post-exploitation control. |
| Splashtop / LogMeIn / Ammyy Admin | Additional RMM platforms observed in ransomware and cybercrime operations, often installed as secondary or backup access channels. |
T1219.003 — Remote Access Hardware
For the first time, Remote Access Tools have gone physical. The Picus Red Report 2026 documented DPRK operatives using IP-KVM devices like PiKVM to control massive laptop farms at the hardware level, completely below the operating system where EDR cannot see.
This sub-technique is a step change in T1219 tradecraft. An IP-KVM (keyboard, video, mouse over IP) device plugs into the computer's HDMI output and a USB port: it captures the display and emulates a USB keyboard and mouse, so the remote operator can drive the machine from the firmware setup screen and boot loader onward, before any operating system or agent is running. Because nothing runs on the host, endpoint detection and response (EDR) tools, antivirus software, and operating system-level controls see only what they would see for a locally attached keyboard and mouse; the operating system cannot tell whether the keystrokes come from a person at the desk or from a device injecting them on behalf of someone on the other side of the world. The one host-visible trace is the device itself, which enumerates as an additional USB HID peripheral.
DPRK operatives have been documented using this technique to control laptop farms — collections of devices running under assumed identities to generate fraudulent employment income for the North Korean regime. By using IP-KVM devices, the operatives can manage dozens of laptops simultaneously from a remote location while each device appears to have a local, physically present user. This represents the convergence of physical insider threats with remote access tradecraft, creating an attack vector that exists in a security blind spot between physical access controls and endpoint security.
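The HID side of an IP-KVM is the one artifact the host can see, and the defensive recommendation further down this page (USB device inventory and monitoring) builds on it. The following is an added example, not code from the page or from Picus: it groups Windows "a new external device was recognized by the system" records (Security event 6416, which requires Plug and Play auditing to be enabled) by host and VID:PID, and flags any unapproved device that presents a keyboard and a mouse together, plus the default identity of the Linux USB gadget stack that PiKVM's HID emulation is built on. The records, the host names, the approved-hardware list (a Logitech Unifying receiver, itself a keyboard-plus-mouse composite) and the extra keyboard on FIN-DESK-03 are all constructed for the example. VID/PID can be changed by the operator, so the composite-HID rule checked against an allowlist of issued hardware is the durable signal, not the identifier alone.

```python
"""Flag IP-KVM-like USB HID devices from Windows 'new external device recognized'
events (Security event 6416). Added example; all records below are constructed."""
import re
from collections import defaultdict

VID_PID = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)

# Hardware the organization actually issues (assumption for the example).
# The Logitech Unifying receiver also presents keyboard + mouse on one device,
# which is exactly why an allowlist is needed alongside the structural rule.
APPROVED_HID = {("046D", "C52B")}

# Default identity of a Linux USB gadget ("Multifunction Composite Gadget" under
# the Linux Foundation vendor ID). PiKVM's OTG keyboard/mouse emulation uses the
# gadget stack and shows this identity unless the operator changes it.
LINUX_GADGET_DEFAULT = ("1D6B", "0104")

INPUT_CLASSES = {"Keyboard", "Mouse"}


def device_key(device_id):
    """Extract (VID, PID) from a Windows device instance path, or None if absent."""
    m = VID_PID.search(device_id)
    return (m.group(1).upper(), m.group(2).upper()) if m else None


def build_inventory(events):
    """Group 6416 records by (host, VID, PID) -> set of device classes seen."""
    inv = defaultdict(set)
    for ev in events:
        key = device_key(ev["DeviceId"])
        if key:
            inv[(ev["Computer"],) + key].add(ev["ClassName"])
    return inv


def flag_kvm_candidates(inv, approved=APPROVED_HID):
    """Return (reason, host, 'VID:PID') findings, ordered by host and identifier."""
    findings = []
    for (host, vid, pid), classes in sorted(inv.items()):
        ident = f"{vid}:{pid}"
        if (vid, pid) in approved:
            continue                      # issued hardware, even if it is composite
        if (vid, pid) == LINUX_GADGET_DEFAULT:
            findings.append(("linux_gadget_default_identity", host, ident))
        if INPUT_CLASSES <= classes:
            # Keyboard and mouse on one unapproved device is how a KVM's
            # emulated HID appears to the host.
            findings.append(("composite_kbd_mouse", host, ident))
        elif "Keyboard" in classes:
            findings.append(("unapproved_keyboard", host, ident))
    return findings


# Constructed records; field names mirror event 6416 (DeviceId, ClassName, Computer).
SAMPLE_EVENTS = [
    # DEV-LAPTOP-22: a Linux gadget presenting keyboard + mouse, plus the issued receiver.
    {"Computer": "DEV-LAPTOP-22", "DeviceId": r"USB\VID_1D6B&PID_0104\0123456789", "ClassName": "USB"},
    {"Computer": "DEV-LAPTOP-22", "DeviceId": r"HID\VID_1D6B&PID_0104&MI_00\7&1A2B3C4D&0&0000", "ClassName": "Keyboard"},
    {"Computer": "DEV-LAPTOP-22", "DeviceId": r"HID\VID_1D6B&PID_0104&MI_01\7&1A2B3C4D&0&0001", "ClassName": "Mouse"},
    {"Computer": "DEV-LAPTOP-22", "DeviceId": r"USB\VID_046D&PID_C52B\5&2C2E0F9&0&2", "ClassName": "USB"},
    {"Computer": "DEV-LAPTOP-22", "DeviceId": r"HID\VID_046D&PID_C52B&MI_00\8&2B3C4D5E&0&0000", "ClassName": "Keyboard"},
    {"Computer": "DEV-LAPTOP-22", "DeviceId": r"HID\VID_046D&PID_C52B&MI_01\8&2B3C4D5E&0&0001", "ClassName": "Mouse"},
    # IT-ADMIN-01: only the issued receiver.
    {"Computer": "IT-ADMIN-01", "DeviceId": r"HID\VID_046D&PID_C52B&MI_00\9&3C4D5E6F&0&0000", "ClassName": "Keyboard"},
    {"Computer": "IT-ADMIN-01", "DeviceId": r"HID\VID_046D&PID_C52B&MI_01\9&3C4D5E6F&0&0001", "ClassName": "Mouse"},
    # FIN-DESK-03: a plain keyboard not on the allowlist (constructed identifier).
    {"Computer": "FIN-DESK-03", "DeviceId": r"HID\VID_045E&PID_0750\6&4D5E6F7A&0&0000", "ClassName": "Keyboard"},
]

if __name__ == "__main__":
    for reason, host, ident in flag_kvm_candidates(build_inventory(SAMPLE_EVENTS)):
        print(f"{host:14} {ident}  {reason}")
```

Run against the sample, DEV-LAPTOP-22's 1D6B:0104 device is flagged twice (default gadget identity, composite keyboard-plus-mouse), the Logitech receivers are ignored on both hosts because they are allowlisted, and FIN-DESK-03 gets the lower-severity unapproved-keyboard finding. The display-capture side of the KVM produces nothing at all on the host, so this inventory is a necessary but not sufficient control; it has to be paired with the physical measures listed under Defensive Recommendations.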
Why RMM Abuse Is So Effective
Trusted by design. RMM tools are signed by legitimate vendors, often explicitly allowlisted in application control policies, and their network traffic uses encrypted channels that security tools are configured to trust. When AnyDesk traffic flows through the network, it looks identical whether an IT admin or an attacker is behind it.
Full-featured C2 out of the box. A single RMM tool provides everything an attacker needs for post-exploitation operations: interactive remote desktop control, file upload and download (for payload delivery and data exfiltration), command execution, clipboard access, and session recording — all through a stable, reliable, commercially supported application.
Persistence built in. RMM tools are designed to survive reboots and maintain continuous connectivity. When installed as a service with unattended access configured, the tool provides persistent C2 without the attacker needing to implement any additional persistence mechanism. If incident responders remove one backdoor, the RMM tool remains as a secondary access path.
Scale across infrastructure. Organizations running managed service provider (MSP) RMM platforms may have thousands of endpoints under a single administrative console. Compromising that console gives the attacker simultaneous access to every managed endpoint — the same leverage model that made the Kaseya VSA supply chain attack so devastating.
Real-World Case Studies
Black Basta — Social Engineering to RMM Installation
Black Basta ransomware operators developed a sophisticated social engineering pipeline to trick users into installing RMM tools. The attack begins with mass-subscribing the target's email address to legitimate newsletters, creating a flood of unexpected emails. The operators then call the target, impersonating IT support, and explain that the email flood is caused by a "system issue" they can fix remotely. The victim is guided to download and install AnyDesk (or ScreenConnect in later campaigns), and once access is established, the operators deploy Cobalt Strike, harvest credentials, and move laterally toward domain compromise and ransomware deployment.
ScreenConnect Exploitation — CVE-2024-1709
In February 2024, ConnectWise disclosed a critical authentication bypass vulnerability in ScreenConnect (CVE-2024-1709, CVSS 10.0) that allowed attackers to create administrative accounts on any exposed ScreenConnect server. The vulnerability was immediately exploited in the wild by ransomware groups who used compromised ScreenConnect instances to deploy payloads to every managed endpoint. This attack demonstrated the amplification risk of RMM compromise: a single vulnerable server provided access to thousands of endpoints. A subsequent vulnerability (CVE-2025-3935) in April 2025 continued the pattern, with Barracuda confirming that organizations were still running unpatched versions months after the fix was available.
DPRK IT Worker Fraud — IP-KVM Laptop Farms
North Korean operatives, operating under assumed identities, have obtained remote employment positions at technology companies and used IP-KVM devices to control assigned laptops from DPRK-controlled facilities. The IP-KVM hardware connects to the laptop's HDMI output and USB input, providing full remote control at the hardware level. Because the access occurs below the operating system, endpoint monitoring tools installed by the employer see only normal local user activity. The laptops appear to be operated by a person sitting in front of them when they are in fact controlled from thousands of miles away. This operation generates revenue for the DPRK regime while providing potential access to proprietary code, internal systems, and sensitive data at the employing organization.
MuddyWater / Static Kitten — State-Sponsored RMM Abuse
The Iranian state-linked threat group MuddyWater (also tracked as Static Kitten and Earth Vetala) has extensively used legitimate remote access tools — including ScreenConnect, Atera, and SimpleHelp — in campaigns targeting government agencies in the UAE, Kuwait, and other Middle East nations. Rather than developing custom C2 infrastructure, the group relies on commercially available RMM tools for post-exploitation operations, file exfiltration, and lateral movement. This strategy reduces development costs, avoids the need to maintain custom infrastructure, and generates traffic that blends with legitimate administrative activity in the target environment.
Medusa Ransomware — RMM as a Persistence Layer
CISA's March 2025 advisory on Medusa ransomware documented the group installing AnyDesk as a service to maintain persistent network access alongside traditional backdoors. By configuring AnyDesk for silent, unattended operation and creating a dedicated local administrator account to manage the installation, the operators ensured that even if their primary malware was detected and removed, the RMM-based access channel remained available. NCC Group's analysis confirmed that this layered persistence model — combining RMM tools with registry run keys and scheduled tasks — "frustrates remediation efforts" and is now standard practice across multiple ransomware groups.
Detection Strategies
Detecting malicious RMM use requires distinguishing between authorized and unauthorized installations, sessions, and network connections. This is fundamentally a policy-enforcement and behavioral-anomaly problem rather than a signature-matching problem.
Key Data Sources
| Source | What to Monitor |
|---|---|
| Sysmon 1 | Process creation — detect execution of RMM binaries (AnyDesk.exe, ScreenConnect.ClientService.exe, TeamViewer.exe) from unexpected parent processes or with silent-install flags |
| Sysmon 3 | Network connections — RMM tools connect to vendor relay infrastructure (*.net.anydesk.com, *.screenconnect.com). Connections from unauthorized installations indicate compromise |
| Sysmon 11 | File creation — detect RMM installer downloads and configuration file creation in unexpected locations |
| System 7045 | Service installation — RMM tools installed as services log Event ID 7045 in the System log (and Security 4697 where service auditing is enabled). Alert on service names or ImagePaths associated with known RMM products |
| DNS logs | DNS queries to RMM vendor relay domains from endpoints that should not have RMM installed |
| Network flow | Outbound connections to RMM vendor IP ranges from non-IT-managed endpoints, especially connections to unusual TLDs (.ru, .icu, .xyz) that may indicate compromised ScreenConnect instances |
Detection Queries
Maintain an inventory of authorized RMM tools and the specific endpoints they are installed on. These queries detect RMM presence on non-authorized systems.
Unauthorized RMM Tool Installation — Detects execution of known RMM installers on endpoints not in the authorized RMM deployment list:
index=sysmon EventCode=1 (Image="*\\AnyDesk.exe" OR Image="*\\ScreenConnect*" OR Image="*\\TeamViewer*" OR Image="*\\AteraAgent.exe" OR Image="*\\Splashtop*" OR Image="*\\SimpleHelp*") | lookup authorized_rmm_hosts.csv Computer OUTPUT authorized | where isnull(authorized) | table _time, Computer, User, ParentImage, Image, CommandLine
Silent RMM Installation with Persistence Flags — Detects RMM tools installed silently with unattended access configuration, the hallmark of malicious deployment:
index=sysmon EventCode=1 (CommandLine="*AnyDesk*" OR CommandLine="*ScreenConnect*" OR CommandLine="*TeamViewer*") (CommandLine="*--silent*" OR CommandLine="*--start-with-win*" OR CommandLine="*--set-password*" OR CommandLine="*/verysilent*" OR CommandLine="*/qn*") | table _time, Computer, User, ParentImage, CommandLine
RMM Network Connections from Non-Authorized Endpoints — Monitors for outbound connections to known RMM relay infrastructure from unauthorized systems:
index=dns (query="*.anydesk.com" OR query="*.screenconnect.com" OR query="*.teamviewer.com" OR query="*.atera.com") | lookup authorized_rmm_hosts.csv Computer AS host OUTPUT authorized | where isnull(authorized) | stats count by host, query
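The three queries above express the policy as SPL; the same logic is easier to test in code. The following is an added example, not part of the original page or of any vendor's detection content: it applies the authorized-inventory, silent-install and relay-domain rules to events normalized from Sysmon 1 (process creation), Sysmon 22 (DNS query) and System 7045 (service installed). The AUTHORIZED_RMM map, the host names, the user names and the five sample events are constructed; the binary names, relay domains and AnyDesk switches are the real ones, and /qn and /verysilent are the generic MSI and Inno Setup quiet switches. Where the page's silent-install query alerts on the flags alone, this version only escalates a silent install when the product is unauthorized on that host or the installer was launched from an interactive parent such as Explorer or a browser, which is what separates a phishing-delivered install from an SCCM or Intune push.

```python
"""Detection logic for unauthorized and silently installed RMM tools, run over
constructed Sysmon 1 / Sysmon 22 / System 7045 records (added example)."""
import re

# Policy: which RMM product is approved on which host. Assumption for the
# example: only ScreenConnect, and only on two IT admin workstations.
AUTHORIZED_RMM = {
    "IT-ADMIN-01": {"screenconnect"},
    "IT-ADMIN-02": {"screenconnect"},
}

# Product fingerprints: binary-name pattern and vendor base domain.
RMM_PRODUCTS = {
    "anydesk":       (r"anydesk(?:-[\w.-]+)?\.exe",   ("anydesk.com",)),
    "screenconnect": (r"screenconnect(?:\.\w+)*\.exe", ("screenconnect.com",)),
    "teamviewer":    (r"teamviewer(?:_\w+)?\.exe",     ("teamviewer.com",)),
    "atera":         (r"ateraagent\.exe",              ("atera.com",)),
}
# Match the file name after a path separator and before a quote, space or end,
# so a service ImagePath like '"...\AnyDesk.exe" --service' still matches.
IMAGE_PATTERNS = {
    name: re.compile(r"(?:^|[\\/])" + pat + r'(?=["\s]|$)', re.I)
    for name, (pat, _) in RMM_PRODUCTS.items()
}
DOMAIN_TO_PRODUCT = {d: name for name, (_, doms) in RMM_PRODUCTS.items() for d in doms}

# Unattended-deployment switches: AnyDesk's documented CLI flags plus the
# generic MSI (/qn) and Inno Setup (/verysilent) quiet-install switches.
SILENT_FLAGS = re.compile(r"(?:--silent|--start-with-win|--set-password|/verysilent|/qn)\b", re.I)

# Parents that mean a person or a phishing lure launched the installer,
# rather than a managed deployment tool.
INTERACTIVE_PARENTS = ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe")


def identify_rmm(path):
    """Return the RMM product for an executable path or ImagePath, else None."""
    for name, pat in IMAGE_PATTERNS.items():
        if pat.search(path):
            return name
    return None


def domain_product(query_name):
    """Return the RMM vendor if the DNS name is under a known relay domain."""
    q = query_name.lower().rstrip(".")
    for dom, name in DOMAIN_TO_PRODUCT.items():
        if q == dom or q.endswith("." + dom):
            return name
    return None


def is_authorized(host, product):
    return product in AUTHORIZED_RMM.get(host, set())


def check_event(ev):
    """Apply the rules to one normalized event; return (rule, host, product, detail) tuples."""
    findings = []
    host = ev["Computer"]
    if ev["EventCode"] == 1:                                  # Sysmon: process creation
        product = identify_rmm(ev["Image"])
        if product:
            authorized = is_authorized(host, product)
            parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
            if not authorized:
                findings.append(("unauthorized_rmm_exec", host, product, ev["Image"]))
            if SILENT_FLAGS.search(ev.get("CommandLine", "")) and (
                    not authorized or parent in INTERACTIVE_PARENTS):
                findings.append(("silent_rmm_install", host, product, ev["CommandLine"]))
    elif ev["EventCode"] == 7045:                             # System log: service installed
        product = identify_rmm(ev["ImagePath"])
        if product and not is_authorized(host, product):
            findings.append(("unauthorized_rmm_service", host, product, ev["ServiceName"]))
    elif ev["EventCode"] == 22:                               # Sysmon: DNS query
        product = domain_product(ev["QueryName"])
        if product and not is_authorized(host, product):
            findings.append(("unauthorized_rmm_dns", host, product, ev["QueryName"]))
    return findings


def run(events):
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry (not real logs): an install-your-own AnyDesk
# deployment on an HR laptop, and the approved ScreenConnect client on IT-ADMIN-01.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "HR-LAPTOP-07", "User": "CORP\\jsmith",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Users\\jsmith\\Downloads\\AnyDesk.exe",
     "CommandLine": 'AnyDesk.exe --install "C:\\Program Files (x86)\\AnyDesk" --start-with-win --silent'},
    {"EventCode": 7045, "Computer": "HR-LAPTOP-07", "ServiceName": "AnyDesk",
     "ImagePath": '"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe" --service'},
    {"EventCode": 22, "Computer": "HR-LAPTOP-07", "QueryName": "boot.net.anydesk.com"},
    {"EventCode": 1, "Computer": "IT-ADMIN-01", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe",
     "CommandLine": '"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe"'},
    {"EventCode": 1, "Computer": "HR-LAPTOP-07", "User": "CORP\\jsmith",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, host, product, detail in run(SAMPLE_EVENTS):
        print(f"{rule:26} {host:14} {product:14} {detail}")
```

On the sample, HR-LAPTOP-07 produces four findings in sequence (unauthorized execution and silent install from Explorer, then the service registration, then the relay-domain lookup), which is the full install-your-own chain described above, while the approved ScreenConnect client on IT-ADMIN-01 and the unrelated notepad.exe produce none. In production the inventory would be the same CSV the SPL lookup uses, and the events would come from the SIEM rather than a list.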
Known Threat Actors Using T1219
| Actor / Group | RMM Tools Abused |
|---|---|
| Black Basta | AnyDesk and ScreenConnect via social engineering phone calls following email bombing |
| Medusa Ransomware | AnyDesk installed as a service for persistent backdoor access alongside primary malware |
| Akira Ransomware | AnyDesk for hands-on-keyboard persistent access without deploying traditional malware |
| LockBit | AnyDesk and ScreenConnect for persistence and lateral movement in enterprise environments |
| MuddyWater / Static Kitten | ScreenConnect, Atera, and SimpleHelp targeting Middle East government agencies |
| DPRK Operatives | IP-KVM hardware (PiKVM) for BIOS-level control of laptop farms in IT worker fraud operations |
| Lazarus / DeceptiveDevelopment | BeaverTail and InvisibleFerret deployed alongside RMM tools in job interview social engineering |
| RagnarLocker | AnyDesk with preset unattended access passwords for persistent C2 |
| Storm-0501 | RMM tools combined with cloud service abuse for hybrid on-prem/cloud persistent access |
| Scattered Spider | ScreenConnect and remote support tools leveraged after social engineering help desk staff |
Defensive Recommendations
RMM tools are on your allowlist because your IT team uses them. This is precisely why attackers choose them. The solution is not to block all RMM tools (which would break IT operations) but to enforce strict policies on which tools are authorized, which endpoints should have them, and which users can install them — then alert on any deviation from that policy.
- Maintain an authorized RMM inventory: Define exactly which RMM tools are approved for use in your environment, which endpoints should have them installed, and which user accounts are authorized to create sessions. Any RMM installation or connection outside this inventory is a high-confidence indicator of compromise. Arctic Wolf observed 32 different RMM tools in malicious use — you only need to authorize one or two.
- Block unauthorized RMM tools at the application level: Use application control policies (WDAC, AppLocker, or EDR application blocking) to prevent installation and execution of RMM tools that are not on your authorized list. If your organization uses ScreenConnect, block AnyDesk, TeamViewer, Atera, and Splashtop at the application layer.
- Monitor for silent installation flags: Alert on RMM tools executed with silent-install, unattended-access, or service-installation parameters. Legitimate IT deployments typically use managed deployment tools (SCCM, Intune), not manual silent installations from suspicious parent processes.
- Restrict RMM network traffic by endpoint: Configure firewall rules or proxy policies to allow RMM vendor relay traffic only from authorized endpoints. DNS-layer filtering can block resolution of RMM relay domains from non-authorized systems.
- Patch RMM infrastructure immediately: Treat RMM server vulnerabilities as the highest priority for patching. CVE-2024-1709 (ScreenConnect) provided CVSS-10 authentication bypass, and Barracuda confirmed that unpatched instances remained exploitable well into 2025. A compromised RMM server gives attackers access to every managed endpoint simultaneously.
- Implement MFA on all RMM admin accounts: Enforce multi-factor authentication for all RMM administrative consoles. Credential stuffing attacks against RMM admin accounts are a primary vector for the hijack-existing attack model.
- Monitor for anomalous RMM session characteristics: Alert on RMM sessions originating from unusual geographic locations, sessions occurring outside business hours, sessions from new source IPs, or connections to ScreenConnect instances using suspicious TLDs (.ru, .icu, .xyz).
- Address the hardware access gap: For the T1219.003 IP-KVM threat, the display-capture side leaves no trace on the host, but the device's emulated keyboard and mouse still enumerate as USB HID devices. Enable Plug and Play auditing so new devices are logged (Windows Security event 6416), keep an allowlist of issued peripherals, and alert on unapproved keyboards, especially devices that present a keyboard and a mouse together on a laptop that already has both built in. Pair that with secure shipping of laptops to remote workers in tamper-evident packaging and periodic physical or video verification that the device is where the employee claims to be.
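The session-level signals listed above (off-hours sessions, unknown peers, unattended access in use) can be pulled from the tool's own artifacts during an investigation, which is also how the Medusa-style unattended AnyDesk installs described earlier are confirmed. The following is an added example, not page or vendor code: it parses lines in the format AnyDesk writes to connection_trace.txt (direction, timestamp, authentication method, peer ID, alias) and flags sessions that used the unattended-access password or a remembered login token rather than a person clicking Accept, sessions outside business hours or on weekends, and sessions from AnyDesk IDs that are not on the approved help-desk list. The three trace lines, the approved peer ID and the business-hours window are constructed for the example.

```python
"""Triage of AnyDesk connection_trace.txt lines for the session anomalies above
(added example; the sample lines are constructed in the file's format)."""
import re
from datetime import datetime, time

# One line per accepted incoming session:
#   Incoming <tab> YYYY-MM-DD, HH:MM <tab> <auth> <tab> <peer id> <tab> <peer alias>
# <auth> is "User" (someone at the console clicked Accept), "Passwd" (the
# unattended-access password was used) or "Token" (a remembered login token).
TRACE_LINE = re.compile(
    r"^(Incoming|Outgoing)\s+(\d{4}-\d{2}-\d{2}), (\d{2}:\d{2})\s+(User|Passwd|Token)\s+(\d+)\s+(\S+)\s*$"
)

# AnyDesk IDs the help desk actually connects from (assumption for the example).
APPROVED_PEERS = {"451209876"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_trace(text):
    """Parse trace content into session dicts; lines that do not match are skipped."""
    sessions = []
    for line in text.splitlines():
        m = TRACE_LINE.match(line.strip())
        if not m:
            continue
        direction, date, clock, auth, peer_id, alias = m.groups()
        sessions.append({
            "direction": direction,
            "when": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M"),
            "auth": auth,
            "peer_id": peer_id,
            "alias": alias,
        })
    return sessions


def off_hours(when):
    """True on weekends or outside the business-hours window."""
    return when.weekday() >= 5 or not (BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1])


def triage(sessions, approved_peers=APPROVED_PEERS):
    """Return (reason, peer_id, ISO timestamp) findings for incoming sessions."""
    findings = []
    for s in sessions:
        if s["direction"] != "Incoming":
            continue
        stamp = s["when"].isoformat(timespec="minutes")
        if s["auth"] in ("Passwd", "Token"):
            # Nobody at the keyboard accepted this session: unattended access is in use.
            findings.append(("unattended_logon_" + s["auth"].lower(), s["peer_id"], stamp))
        if off_hours(s["when"]):
            findings.append(("off_hours_session", s["peer_id"], stamp))
        if s["peer_id"] not in approved_peers:
            findings.append(("unapproved_peer", s["peer_id"], stamp))
    return findings


# Constructed sample: one legitimate help-desk session on a Monday morning, then
# two sessions from an unknown AnyDesk ID using the unattended password (2:41 on a
# Wednesday) and a remembered token (Saturday late morning).
SAMPLE_TRACE = """\
Incoming\t2025-03-10, 10:15\tUser\t451209876\t451209876
Incoming\t2025-03-12, 02:41\tPasswd\t987654321\t987654321
Incoming\t2025-03-15, 11:05\tToken\t987654321\t987654321
"""

if __name__ == "__main__":
    for reason, peer, stamp in triage(parse_trace(SAMPLE_TRACE)):
        print(f"{stamp}  {reason:24} peer={peer}")
```

The first line produces nothing; each of the other two produces three findings, and the peer ID ties them together, which is the pivot an investigator then takes into the AnyDesk service trace and the Sysmon process and DNS telemetry from the same host. A Passwd or Token logon on a machine where IT only ever uses attended sessions is by itself enough to open a case.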
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1219 |
| Technique Name | Remote Access Tools |
| Tactics | Command and Control |
| Platforms | Windows, Linux, macOS |
| Sub-Techniques | T1219.001 IDE Tunneling, T1219.002 Remote Desktop Software, T1219.003 Remote Access Hardware |
| Data Sources | Process (Creation), Network Traffic (Flow, Content), File (Creation) |
| MITRE Reference | attack.mitre.org/techniques/T1219 |
Sources and References
- MITRE ATT&CK — T1219 Remote Access Tools: attack.mitre.org
- Picus Security — Red Report 2026 and T1219 Technique Explained: picussecurity.com
- Arctic Wolf — 2025 Threat Report (59.4% ransomware via external remote access): arcticwolf.com
- NCC Group — The Dark Side: How Threat Actors Leverage AnyDesk: nccgroup.com
- DarkAtlas — ScreenConnect Abuse Analysis: darkatlas.io