A Series of Unfortunate (RMM) Events

Dec. 21, 2025, 11:06 p.m.

Description

This analysis examines the increasing trend of threat actors abusing Remote Monitoring and Management (RMM) tools in their attacks. The report highlights a specific pattern in which attackers use PDQ or GoTo Resolve to deploy secondary RMM tools such as ScreenConnect or SimpleHelp. It gives multiple examples, including a real estate company compromised through a phishing email, an investment firm attacked via a malicious download, and a car dealer targeted through multiple RMM installations. The report also discusses the social engineering lures the attackers used, such as holiday-themed messages and fake bid transcripts. It emphasizes the importance of a managed Security Operations Center (SOC) in detecting and mitigating these threats, and provides recommendations for businesses to prevent RMM abuse.

Date

  • Created: Dec. 19, 2025, 6:30 p.m.
  • Published: Dec. 19, 2025, 6:30 p.m.
  • Modified: Dec. 21, 2025, 11:06 p.m.

Attack Patterns

Additional Information
