RMM Tools Exploited to Deploy Payloads Using Weaponized PDF Attachments


AhnLab Security Intelligence Center (ASEC) has identified a sophisticated attack campaign leveraging Remote Monitoring and Management (RMM) tools to distribute malicious payloads.

Threat actors have weaponized PDF attachments to deceive users into downloading and executing RMM installers from disguised distribution pages. The malware signing certificate indicates the campaign has been active since at least October 2025.

Figure: Certificate used to sign the malware

PDF-Based Attack Vector

The malicious PDF files employ deceptive naming conventions referencing invoices, product orders, and payment issues, a classic phishing tactic designed for email distribution.

When opened, these PDFs display either a high-quality image prompting users to click a Google Drive link, or a fake “Failed to load PDF document” error directing them to “adobe-download-pdf[.]com,” a site impersonating legitimate Adobe services.

The subsequent phishing pages masquerade as Google Drive interfaces, presenting files with misleading names such as “Video_recorded_on_iPhone17.mp4” to enhance credibility.

Figure: Process tree when ScreenConnect is installed

Downloaded files are further obfuscated with naming patterns like “Video_recorded_on_iPhone17.mp4 Drive.google.com” to appear as legitimate media files.

The campaign targets multiple RMM platforms, including Syncro, ScreenConnect, NinjaOne, and SuperOps, all legitimate tools designed for MSPs and IT teams.

Figure: SuperOps website

While RMM solutions provide legitimate remote management capabilities, threat actors exploit them because security products typically whitelist these applications, allowing them to bypass traditional detection mechanisms.

Syncro installers distributed during the campaign were signed with valid certificates and contained configuration parameters including specific key and customer ID values, suggesting coordinated operations by the same threat actor group throughout the second half of 2025.

Historical precedent demonstrates widespread RMM abuse. Syncro has been leveraged by ransomware operators, including Chaos and Royal, while ScreenConnect has been exploited by ALPHV/BlackCat and Hive ransomware groups.

Organizations should exercise heightened caution when handling email attachments from unknown sources, particularly those referencing financial transactions or document errors.

Email authentication protocols must be verified before opening suspicious links. Maintaining updated operating systems and security solutions remains critical for defending against known threats.

AhnLab Security Intelligence Center (ASEC) notes that implementing application allowlisting and monitoring RMM tool execution patterns can help identify unauthorized installations.
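The following is an added illustration of the monitoring ASEC recommends above; it is not code from ASEC or from any of the RMM vendors named. It takes process-creation records in a simplified, Sysmon-like shape (the field names, the approved-vendor allowlist, the directory and parent-process lists, and the sample events are all assumptions constructed for this example) and flags the patterns the article describes: an RMM vendor that is not on the organization's allowlist, an approved agent running from a user-writable directory rather than its expected install path, an installer launched directly by a browser or PDF reader, and executables whose names mimic media files such as “Video_recorded_on_iPhone17.mp4 Drive.google.com”.

```python
import re
from pathlib import PureWindowsPath

# Vendor keywords for the RMM platforms named in the article. Matched against the
# image path and the binary's company/product metadata (case-insensitive).
RMM_KEYWORDS = ("syncro", "screenconnect", "ninjaone", "superops")

# Hypothetical allowlist: the RMM this organization actually uses and the path
# prefix its agent is expected to run from. Any other RMM is unauthorized by policy.
APPROVED_RMM = {
    "screenconnect": (r"c:\program files (x86)\screenconnect client",),
}

# Directories a deployed RMM agent has no business executing from.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")

# Parents that indicate a user-driven web download rather than deployment tooling.
WEB_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "acrord32.exe", "acrobat.exe"}

# A media/document extension followed by more text inside an executable's name,
# e.g. "Video_recorded_on_iPhone17.mp4 Drive.google.com.exe".
LURE_MEDIA_EXT = re.compile(r"\.(mp4|mov|avi|pdf|jpe?g|png)[\s._]", re.IGNORECASE)

# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\Video_recorded_on_iPhone17.mp4 Drive.google.com.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "company": "Syncro"},
    {"image": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "company": "ScreenConnect Software"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\NinjaOneAgent-Setup.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "company": "NinjaOne"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "company": "Microsoft"},
]


def analyze_event(ev):
    """Return a list of reasons an event is suspicious; an empty list means clean."""
    image = ev["image"].lower()
    name = PureWindowsPath(ev["image"]).name.lower()
    parent_name = PureWindowsPath(ev["parent_image"]).name.lower()
    metadata = " ".join([image, ev.get("company", ""), ev.get("product", "")]).lower()
    reasons = []

    # Lure check applies to any executable, RMM or not.
    if name.endswith((".exe", ".msi")) and (
        LURE_MEDIA_EXT.search(name) or "drive.google.com" in name
    ):
        reasons.append("executable named like a media/document file (lure pattern)")

    vendor = next((k for k in RMM_KEYWORDS if k in metadata), None)
    if vendor is None:
        return reasons  # not an RMM binary; nothing further to check

    if vendor not in APPROVED_RMM:
        reasons.append(f"RMM vendor '{vendor}' is not on the approved list")
    elif not image.startswith(APPROVED_RMM[vendor]):
        reasons.append(f"approved RMM '{vendor}' running outside its expected install path")

    if any(d in image for d in USER_WRITABLE_DIRS):
        reasons.append("RMM binary executing from a user-writable directory")

    if parent_name in WEB_PARENTS:
        reasons.append(f"RMM binary launched directly by {parent_name} (web download)")

    return reasons


def scan(events):
    """Map each flagged image path to its list of reasons; clean events are omitted."""
    findings = {}
    for ev in events:
        reasons = analyze_event(ev)
        if reasons:
            findings[ev["image"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the constructed sample, the Syncro installer disguised as an iPhone video is flagged on all four rules, the NinjaOne setup in Temp on two, and the ScreenConnect service running from its approved path under Program Files is left alone. In a real deployment the allowlist and path prefixes would come from the organization's own RMM inventory, and the events from Sysmon Event ID 1 or Windows Security Event 4688.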

The campaign underscores the dual-edged nature of legitimate enterprise tools when adversaries weaponize them.


The post RMM Tools Exploited to Deploy Payloads Using Weaponized PDF Attachments appeared first on Cyber Security News.

