Threat Actors Weaponize Tiflux RMMs in Malspam Attacks
Essential information
- Published
- 08/05/2026 04:49
- Modified
- 08/05/2026 09:22
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- rmm abuse splashtop tiflux ultravnc
- Tags
- 2026-05-08 rmm abuse splashtop tiflux ultravnc
- Related entities
- 1 vulnerability (CVE), 9 indicators, 9 observables, 18 techniques (MITRE), 4 malware, 3 others
Description
Since late February, there has been an uptick in incidents involving Tiflux, a lesser-known Brazilian commercial remote management tool, being weaponized by threat actors. The attack chain begins with phishing emails carrying fake document lures that deliver a malicious MSI installer. Once executed, the installer deploys several remote access tools, including UltraVNC, Splashtop, and ScreenConnect, to give the attackers redundant, persistent access. The Tiflux installer bundles components a defender should treat as red flags: outdated VNC builds dating from 2014, expired certificates, hardcoded passwords, and the HwRwDrv.sys driver, which is known to be abused for privilege escalation. The threat actors use these tools to establish persistence, capture screenshots, and collect system profiling information. Because each of these tools is legitimate software in its own right, detection should key on the delivery path (an MSI from a mailed lure) and on several RMM agents appearing on one host in quick succession, rather than on any single tool by itself. This campaign exemplifies the continuing pattern of adversaries abusing legitimate remote management software for stealthy access to victim environments while chaining multiple tools together to maintain control.
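The chaining behaviour above (one MSI launch followed by several RMM agents and a suspect driver on the same host) is the part a SOC can hunt for. The script below is an added example written for this page, not code from the report or from AlienVault. It runs over a handful of constructed Sysmon-style events embedded inline (process creation and driver load, not real telemetry) and flags hosts where two or more RMM tools start within a window after msiexec.exe, or where the HwRwDrv.sys driver named in the report is loaded. The executable names used for UltraVNC (winvnc.exe), Splashtop (SRServer.exe) and ScreenConnect (ScreenConnect.ClientService.exe), the 30-minute window, and the event field names are assumptions for the example and should be adjusted to the telemetry you actually have.

```python
"""Hunt for MSI-delivered RMM chaining of the kind described in the report.

Events are constructed, Sysmon-like records (not real telemetry):
  type: "process_create" or "driver_load"
  ts:   ISO-8601 timestamp, image: full path of the process or driver
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Assumed binary names for the RMM tools named in the report (adjust to your fleet).
RMM_IMAGES = {
    "winvnc.exe": "UltraVNC",
    "srserver.exe": "Splashtop",
    "screenconnect.clientservice.exe": "ScreenConnect",
}
# Driver the report calls out as a known privilege-escalation vector.
SUSPECT_DRIVERS = {"hwrwdrv.sys"}

# Constructed sample events: WS01 shows the full chain, WS02 is a normal single
# Splashtop rollout, WS03 has UltraVNC with no MSI delivery.
EVENTS = [
    {"host": "WS01", "ts": "2026-03-02T10:00:00", "type": "process_create",
     "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "ts": "2026-03-02T10:02:10", "type": "process_create",
     "image": r"C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe", "parent": r"C:\Windows\System32\msiexec.exe"},
    {"host": "WS01", "ts": "2026-03-02T10:03:00", "type": "driver_load",
     "image": r"C:\Windows\Temp\HwRwDrv.sys", "parent": ""},
    {"host": "WS01", "ts": "2026-03-02T10:05:30", "type": "process_create",
     "image": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"host": "WS01", "ts": "2026-03-02T10:07:45", "type": "process_create",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"host": "WS02", "ts": "2026-03-02T09:00:00", "type": "process_create",
     "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS02", "ts": "2026-03-02T09:01:00", "type": "process_create",
     "image": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"host": "WS03", "ts": "2026-03-02T12:00:00", "type": "process_create",
     "image": r"C:\Tools\winvnc.exe", "parent": r"C:\Windows\explorer.exe"},
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def find_rmm_chains(events, window: timedelta = timedelta(minutes=30), min_tools: int = 2):
    """Return {host: {"rmm_tools": [...], "drivers": [...]}} for suspicious hosts.

    A host is flagged when at least `min_tools` distinct RMM tools start within
    `window` after an msiexec.exe launch on that host, or when any driver in
    SUSPECT_DRIVERS is loaded. Events are grouped per host and sorted by time.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        msi_starts = [datetime.fromisoformat(e["ts"]) for e in evs
                      if e["type"] == "process_create" and image_name(e["image"]) == "msiexec.exe"]
        tools, drivers = set(), set()
        for ev in evs:
            ts = datetime.fromisoformat(ev["ts"])
            name = image_name(ev["image"])
            if ev["type"] == "process_create" and name in RMM_IMAGES:
                # Count the tool only if an MSI install preceded it within the window.
                if any(timedelta(0) <= ts - start <= window for start in msi_starts):
                    tools.add(RMM_IMAGES[name])
            elif ev["type"] == "driver_load" and name in SUSPECT_DRIVERS:
                drivers.add(name)
        if len(tools) >= min_tools or drivers:
            findings[host] = {"rmm_tools": sorted(tools), "drivers": sorted(drivers)}
    return findings


if __name__ == "__main__":
    for host, detail in find_rmm_chains(EVENTS).items():
        print(host, detail)
```

WS02 is deliberately not flagged: a single RMM agent after an MSI is what a legitimate helpdesk rollout looks like, which is why the rule counts distinct tools rather than alerting on any one of them. Tune `window` and `min_tools` to your environment, and feed the function real process-creation and driver-load events in place of the constructed list.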