Initial Access: What Threat Actors Are Prioritizing
As real-world cyber threats show, attackers are moving faster than ever, and their latest tactic shows just how stealthy initial access has become. A recent study revealed a growing number of targeted attacks using Remote Monitoring and Management (RMM) tools embedded within PDF files to gain entry into organizations.
Recent activity shows campaigns targeting France and Luxembourg, where attackers send convincing phishing emails linking to legitimate, signed RMM installers, easily bypassing traditional email and endpoint defenses. RMM software, typically used for IT maintenance, becomes a weapon in the wrong hands, allowing adversaries to control systems, disable defenses, and deploy further payloads. This mirrors tactics used by groups like Black Basta, which impersonate support staff to push remote access installations for ransomware delivery.
Unlike mass phishing, these attacks are highly targeted, focusing on sectors like finance, energy, and government. PDFs are customized with realistic visuals, namely invoices or contracts, to appear trustworthy. Some campaigns even leverage Zendesk to deliver malicious files through support tickets, sidestepping email security altogether.
To reduce risk, organizations should restrict RMM installations, enforce application allowlisting, and monitor for unusual download behaviors such as PDFs spawning installers. User awareness remains essential, especially regarding unsolicited IT requests. This campaign highlights a broader truth: attackers are turning trusted tools against defenders. As malicious innovation accelerates, security teams must adapt faster, prioritizing vigilance, layered defenses, and proactive threat hunting.
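The "PDFs spawning installers" check above, sketched as process-ancestry detection over process-creation events. This is an added example, not code from the cited report; the event fields, the sample events, the PDF reader list and the `corp-approved-rmm.exe` allowlist entry are constructed assumptions.

```python
from pathlib import PureWindowsPath

PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitpdfreader.exe", "sumatrapdf.exe"}
INSTALLER_HOSTS = {"msiexec.exe"}
APPROVED_RMM = {"corp-approved-rmm.exe"}  # hypothetical; real allowlists should key on signer or hash

# Constructed sample process-creation events (not taken from the report)
EVENTS = [
    dict(pid=100, ppid=1, image=r"C:\Windows\explorer.exe"),
    dict(pid=200, ppid=100, image=r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"),
    dict(pid=300, ppid=200, image=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    dict(pid=400, ppid=300, image=r"C:\Users\a\Downloads\remote-support-setup.exe"),
    dict(pid=500, ppid=100, image=r"C:\Windows\System32\msiexec.exe"),
    dict(pid=600, ppid=300, image=r"C:\Users\a\Downloads\corp-approved-rmm.exe"),
]

def exe(path):
    return PureWindowsPath(path).name.lower()

def ancestors(ev, by_pid, limit=8):
    """Walk parent links upward, guarding against loops and missing parents."""
    chain, seen = [], {ev["pid"]}
    parent = by_pid.get(ev["ppid"])
    while parent and parent["pid"] not in seen and len(chain) < limit:
        chain.append(parent)
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return chain

def is_installer_launch(ev):
    img = exe(ev["image"])
    if img in APPROVED_RMM:
        return False
    if img in INSTALLER_HOSTS:
        return True
    # An executable or MSI run straight from a user's Downloads folder
    return "\\downloads\\" in ev["image"].lower() and img.endswith((".exe", ".msi"))

def find_pdf_spawned_installers(events):
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if not is_installer_launch(ev):
            continue
        chain = [exe(a["image"]) for a in ancestors(ev, by_pid)]
        if any(c in PDF_READERS for c in chain):
            hits.append((ev["pid"], exe(ev["image"]), chain))
    return hits
```

A browser that is already running often hands a clicked link to an existing process, which breaks the parent chain; in that case correlate the reader's activity and the download by user and time instead.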
Mishra, Aman. 2025. “Threat Actors Use Malicious RMM Tools for Stealthy Initial Access to Organizations.” GB Hackers. July 31.
READ: http://bit.ly/3KDsfEG