{
	"id": "410a2ed4-9a26-45e1-9504-62a85c0600cf",
	"created_at": "2026-04-06T02:12:02.128026Z",
	"updated_at": "2026-04-10T03:23:51.532945Z",
	"deleted_at": null,
	"sha1_hash": "0b1bae0c8738bf3e2d00c82978dc763b895a79a8",
	"title": "Protecting Against Malicious Use of Remote Monitoring and Management Software | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 256557,
	"plain_text": "Protecting Against Malicious Use of Remote Monitoring and\r\nManagement Software | CISA\r\nPublished: 2023-01-26 · Archived: 2026-04-06 02:04:15 UTC\r\nSummary\r\nThe Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State\r\nInformation Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are\r\nreleasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate\r\nremote monitoring and management (RMM) software. In October 2022, CISA identified a widespread cyber\r\ncampaign involving the malicious use of legitimate RMM software. Specifically, cyber criminal actors sent\r\nphishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise\r\nControl) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts.\r\nAlthough this campaign appears financially motivated, the authoring organizations assess it could lead to\r\nadditional types of malicious activity. For example, the actors could sell victim account access to other cyber\r\ncriminal or advanced persistent threat (APT) actors. 
This campaign highlights the threat of malicious cyber\r\nactivity associated with legitimate RMM software: after gaining access to the target network via phishing or other\r\ntechniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use\r\nlegitimate RMM software as a backdoor for persistence and/or command and control (C2).\r\nUsing portable executables of RMM software provides a way for actors to establish local user access without the\r\nneed for administrative privilege and full software installation—effectively bypassing common software controls\r\nand risk management assumptions.\r\nThe authoring organizations strongly encourage network defenders to review the Indicators of Compromise\r\n(IOCs) and Mitigations sections in this CSA and apply the recommendations to protect against malicious use of\r\nlegitimate RMM software.\r\nDownload the PDF version of this report: pdf, 608 kb.\r\nFor a downloadable copy of IOCs, see AA23-025.stix (STIX, 19 kb).\r\nTechnical Details\r\nOverview\r\nIn October 2022, CISA used trusted third-party reporting to conduct retrospective analysis of EINSTEIN—a\r\nfederal civilian executive branch (FCEB)-wide intrusion detection system (IDS) operated and monitored by CISA\r\n—and identified suspected malicious activity on two FCEB networks:\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa23-025a\r\nPage 1 of 7\n\nIn mid-June 2022, malicious actors sent a phishing email containing a phone number to an FCEB\r\nemployee’s government email address. The employee called the number, which led them to visit the\r\nmalicious domain, myhelpcare[.]online.\r\nIn mid-September 2022, there was bi-directional traffic between an FCEB network and myhelpcare[.]cc.\r\nBased on further EINSTEIN analysis and incident response support, CISA identified related activity on many\r\nother FCEB networks. 
The authoring organizations assess this activity is part of a widespread, financially\r\nmotivated phishing campaign and is related to malicious typosquatting activity reported by Silent Push in the blog\r\npost Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton,\r\nand Paypal domains.\r\nMalicious Cyber Activity\r\nThe authoring organizations assess that since at least June 2022, cyber criminal actors have sent help desk-themed\r\nphishing emails to FCEB federal staff’s personal and government email addresses. The emails either contain a\r\nlink to a “first-stage” malicious domain or prompt the recipients to call the cybercriminals, who then try to\r\nconvince the recipients to visit the first-stage malicious domain. See figure 1 for an example phishing email\r\nobtained from an FCEB network.\r\nFigure 1: Help desk-themed phishing email example\r\nThe recipient visiting the first-stage malicious domain triggers the download of an executable. The executable\r\nthen connects to a “second-stage” malicious domain, from which it downloads additional RMM software.\r\nCISA noted that the actors did not install downloaded RMM clients on the compromised host. Instead, the actors\r\ndownloaded AnyDesk and ScreenConnect as self-contained, portable executables configured to connect to the\r\nactor’s RMM server.\r\nNote: Portable executables launch within the user’s context without installation. Because portable executables do\r\nnot require administrator privileges, they can allow execution of unapproved software even if a risk management\r\ncontrol may be in place to audit or block the same software’s installation on the network. 
Threat actors can\r\nleverage a portable executable with local user rights to attack other vulnerable machines within the local intranet\r\nor establish long-term persistent access as a local user service.\r\nCISA has observed that multiple first-stage domain names follow naming patterns used for IT help/support\r\nthemed social-engineering (e.g., hservice[.]live, gscare[.]live, nhelpcare[.]info, deskcareme[.]live, nhelpcare[.]cc).\r\nAccording to Silent Push, some of these malicious domains impersonate known brands such as Norton,\r\nGeekSupport, Geek Squad, Amazon, Microsoft, McAfee, and PayPal.[1] CISA has also observed that the first-stage malicious domain linked in the initial phishing email periodically redirects to other sites for additional\r\nredirects and downloads of RMM software.\r\nUse of Remote Monitoring and Management Tools\r\nIn this campaign, after downloading the RMM software, the actors used the software to initiate a refund scam.\r\nThey first connected to the recipient’s system and enticed the recipient to log into their bank account while\r\nremaining connected to the system. The actors then used their access through the RMM software to modify the\r\nrecipient’s bank account summary. The falsely modified bank account summary showed the recipient was\r\nmistakenly refunded an excess amount of money. 
The actors then instructed the recipient to “refund” this excess\r\namount to the scam operator.\r\nAlthough this specific activity appears to be financially motivated and targets individuals, the access could lead to\r\nadditional malicious activity against the recipient’s organization—from both other cybercriminals and APT actors.\r\nNetwork defenders should be aware that:\r\nAlthough the cybercriminal actors in this campaign used ScreenConnect and AnyDesk, threat actors can\r\nmaliciously leverage any legitimate RMM software.\r\nBecause threat actors can download legitimate RMM software as self-contained, portable executables, they\r\ncan bypass both administrative privilege requirements and software management control policies.\r\nThe use of RMM software generally does not trigger antivirus or antimalware defenses.\r\nMalicious cyber actors are known to leverage legitimate RMM and remote desktop software as backdoors\r\nfor persistence and for C2.[2],[3],[4],[5],[6],[7],[8]\r\nRMM software allows cyber threat actors to avoid using custom malware.\r\nThreat actors often target legitimate users of RMM software. Targets can include managed service providers\r\n(MSPs) and IT help desks, who regularly use legitimate RMM software for technical and security end-user\r\nsupport, network management, endpoint monitoring, and to interact remotely with hosts for IT-support functions.\r\nThese threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim\r\nMSP's customers. 
MSP compromises can introduce significant risk—such as ransomware and cyber espionage—\r\nto the MSP’s customers.\r\nThe authoring organizations strongly encourage network defenders to apply the recommendations in the\r\nMitigations section of this CSA to protect against malicious use of legitimate RMM software.\r\nINDICATORS OF COMPROMISE\r\nSee table 1 for IOCs associated with the campaign detailed in this CSA.\r\nTable 1: Malicious Domains and IP addresses observed by CISA\r\nDomain | Description | Date(s) Observed\r\nwin03[.]xyz | Suspected first-stage malware domain | June 1, 2022; July 19, 2022\r\nmyhelpcare[.]online | Suspected first-stage malware domain | June 14, 2022\r\nwin01[.]xyz | Suspected first-stage malware domain | August 3, 2022; August 18, 2022\r\nmyhelpcare[.]cc | Suspected first-stage malware domain | September 14, 2022\r\n247secure[.]us | Second-stage malicious domain | October 19, 2022; November 10, 2022\r\nAdditional resources to detect possible exploitation or compromise:\r\nSilent Push: Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad,\r\nMcAfee, Norton, and Paypal domains.\r\nMitigations\r\nThe authoring organizations encourage network defenders to:\r\nImplement best practices to block phishing emails. 
See CISA’s Phishing Infographic for more information.\r\nAudit remote access tools on your network to identify currently used and/or authorized RMM software.\r\nReview logs for execution of RMM software to detect abnormal use of programs running as a portable\r\nexecutable.\r\nUse security software to detect instances of RMM software only being loaded in memory.\r\nImplement application controls to manage and control execution of software, including allowlisting RMM\r\nprograms.\r\nSee NSA Cybersecurity Information sheet Enforce Signed Software Execution Policies.\r\nApplication controls should prevent both installation and execution of portable versions of\r\nunauthorized RMM software.\r\nRequire authorized RMM solutions only be used from within your network over approved remote access\r\nsolutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).\r\nBlock both inbound and outbound connections on common RMM ports and protocols at the network\r\nperimeter.\r\nImplement a user training program and phishing exercises to raise awareness among users about the risks\r\nof visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments.\r\nReinforce the appropriate user response to phishing and spearphishing emails.\r\nRESOURCES\r\nSee CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses\r\nfor guidance on hardening MSP and customer infrastructure.\r\nU.S. Defense Industrial Base (DIB) Sector organizations may consider signing up for the NSA\r\nCybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain\r\nName System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible\r\norganizations. 
For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.\r\nCISA offers several vulnerability scanning services to help organizations reduce their exposure to threats by taking\r\na proactive approach to mitigating attack vectors. See cisa.gov/cyber-hygiene-services.\r\nConsider participating in CISA’s Automated Indicator Sharing (AIS) to receive real-time exchange of\r\nmachine-readable cyber threat indicators and defensive measures. AIS is offered at no cost to participants\r\nas part of CISA’s mission to work with our public and private sector partners to identify and help mitigate\r\ncyber threats through information sharing and provide technical assistance, upon request, that helps\r\nprevent, detect, and respond to incidents.\r\nPURPOSE\r\nThis advisory was developed by CISA, NSA, and MS-ISAC in furtherance of their respective cybersecurity\r\nmissions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.\r\nDISCLAIMER\r\nThe information in this report is being provided “as is” for informational purposes only. CISA, NSA, and MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to\r\nspecific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does\r\nnot constitute or imply endorsement, recommendation, or favoring.\r\nReferences\r\n[1] Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and\r\nPaypal domains. — Silent Push Threat Intelligence\r\nRevisions\r\nJanuary 25, 2023: Initial Version\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa23-025a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/alerts/aa23-025a"
	],
	"report_names": [
		"aa23-025a"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441522,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b1bae0c8738bf3e2d00c82978dc763b895a79a8.pdf",
		"text": "https://archive.orkl.eu/0b1bae0c8738bf3e2d00c82978dc763b895a79a8.txt",
		"img": "https://archive.orkl.eu/0b1bae0c8738bf3e2d00c82978dc763b895a79a8.jpg"
	}
}