
Shift in Tactics: The Rising Abuse of Remote Monitoring and Management Tools

Recent security research indicates a significant operational shift as threat actors increasingly leverage legitimate enterprise software over custom malware. This analysis covers the 277% surge in RMM tool abuse and outlines defensive strategies for distinguishing unauthorized activity from routine administration.

Triage Security Media Team

Security teams are observing a distinct evolution in intrusion tradecraft. Threat actors are moving away from custom malware in favor of legitimate enterprise software, specifically Remote Monitoring and Management (RMM) tools. According to the 2026 Cyber Threat Report by Huntress, incidents involving RMM abuse increased by 277% year-over-year.

This shift affects a wide range of industries, with the healthcare and technology sectors recording the most significant rise in activity. The preference for these tools stems from their ubiquity in enterprise environments. Because RMM software is trusted and widely used for legitimate administration, unauthorized activity often blends in with standard operations, complicating detection efforts for defenders.

Legitimate Software Replacing Traditional Malware

The data suggests that the rise in RMM abuse correlates directly with a decline in the use of traditional malicious binaries. As unauthorized parties adopt "Living-off-the-Land" (LotL) tactics, leveraging pre-existing software and command-line tools, they reduce their reliance on custom executables that endpoint protection systems might flag.

Huntress researchers noted that as reliance on RMM tools increased, the detection of traditional intrusion tools fell by 53%. Similarly, the use of Remote Access Trojans (RATs) and malicious scripts declined by 20% and 11.7%, respectively. In scenarios where RMM agents were deployed for unauthorized access, the presence of conventional malware was notably rare.

Commonly implicated platforms include ScreenConnect, AnyDesk, Atera, NetSupport, PDQ Connect, and SplashTop. These tools are often used not merely for initial access but as unified control hubs. This allows threat actors to maintain command-and-control (C2) capabilities and establish redundancy within a target network without deploying suspicious files.

Operational Patterns and Signals

Analysis of post-compromise activity reveals that specific RMM tools are often selected for distinct operational goals. By correlating telemetry with tradecraft observed in the 24 hours following infection, researchers identified consistent patterns:

  • ScreenConnect is frequently utilized for credential harvesting.

  • NetSupport is often favored for rapid staging of the environment.

  • PDQ Connect is commonly associated with the initial delivery of test data or subsequent payloads.

Greg Linares, principal threat intelligence analyst at Huntress, notes that threat actors aim to exploit the inherent trust granted to these applications. The scale of this activity is significant, affecting organizations of all sizes, from small businesses to large enterprises and hospitals.

Strengthening Defenses Against RMM Abuse

The primary challenge for security teams is distinguishing between authorized administration and unauthorized access. In many environments, RMM binaries run with minimal restrictions, allowing them to connect to external infrastructure without distinct oversight.

To mitigate these risks, organizations can implement several defensive measures:

  1. Application Control and Allowlisting: Establish strict policies regarding which RMM tools are authorized for use. Block the execution of unapproved RMM binaries to prevent unauthorized tools from being deployed.

  2. Identity and Access Monitoring: Alerts related to suspicious identity activity can serve as early warning signs. Rapid movement between accounts, or login attempts from unusual geographic locations (often masked by residential proxies), warrant immediate investigation.

  3. Vendor Collaboration: Security providers and RMM vendors must work together to improve visibility. Increased signal output from these tools can provide detection sensors with the data needed to verify who is using the tool and how it is being deployed.
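The allowlisting measure above can be turned into a simple triage check over endpoint telemetry. The following Python routine is an added example, not code from the article or from Huntress: it maps process-creation events to the RMM products named in this article, flags any agent that is not sanctioned for the host's group, and flags hosts running more than one RMM product (the redundancy pattern described earlier). The binary names, host groups and sample events are constructed assumptions for illustration.

```python
from collections import defaultdict

# Executable names of RMM agents (illustrative assumptions; real names vary by version).
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "client32.exe": "NetSupport",
    "pdqconnectagent.exe": "PDQ Connect",
    "srserver.exe": "Splashtop",
}

# Allowlist policy: the one RMM product each host group is authorized to run (assumption).
APPROVED_RMM = {"workstation": {"Atera"}, "server": {"Atera"}}


def identify_rmm(image_path):
    """Return the RMM product for a process image path, or None if it is not an RMM agent."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return RMM_BINARIES.get(name)


def triage_rmm_events(events, policy=APPROVED_RMM):
    """Return findings as (host, tool, reason) tuples from process-creation events.

    unapproved_rmm: an RMM agent that is not sanctioned for the host's group.
    multiple_rmm:   more than one RMM product seen on a single host.
    """
    findings = []
    tools_per_host = defaultdict(set)
    for ev in events:
        tool = identify_rmm(ev["image"])
        if tool is None:
            continue  # not an RMM agent, nothing to evaluate
        tools_per_host[ev["host"]].add(tool)
        if tool not in policy.get(ev["group"], set()):
            findings.append((ev["host"], tool, "unapproved_rmm"))
    for host, tools in tools_per_host.items():
        if len(tools) > 1:
            findings.append((host, ",".join(sorted(tools)), "multiple_rmm"))
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"host": "WS-0101", "group": "workstation", "image": r"C:\Program Files\Atera\AteraAgent.exe"},
    {"host": "WS-0101", "group": "workstation", "image": r"C:\Users\jdoe\AppData\Local\AnyDesk.exe"},
    {"host": "SRV-DB01", "group": "server", "image": r"C:\Program Files\Atera\AteraAgent.exe"},
    {"host": "SRV-DB01", "group": "server", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "WS-0207", "group": "workstation", "image": r"C:\ProgramData\NetSupport\client32.exe"},
]

if __name__ == "__main__":
    for host, tool, reason in triage_rmm_events(SAMPLE_EVENTS):
        print(f"{host}: {tool} [{reason}]")
```

On the sample events the routine reports the unapproved AnyDesk and NetSupport agents and the dual-RMM workstation, while the server running only the sanctioned agent produces no finding.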

While RMM vendors act to implement new security measures and restrictions, the responsibility also lies with defenders to monitor the "known good" in their environments. By restricting the scope of allowed tools and monitoring for anomalous usage patterns, organizations can significantly reduce the risk posed by this shift in tradecraft.