CyberWire Daily – Research Saturday: "Two RMMs Walk Into a Phish…"
Air Date: November 22, 2025
Host: Dave Bittner (N2K Networks)
Guests: Alex Berninger (Red Canary), Mike Wiley (Zscaler)
Episode Overview
This episode explores the increasing abuse of legitimate Remote Monitoring and Management (RMM) tools in phishing campaigns. Dave Bittner leads a discussion with Alex Berninger, Senior Manager of Intelligence at Red Canary, and Mike Wiley, Director of Threat Hunting at Zscaler, who share findings from their research tracking four phishing lures and multiple campaigns where attackers are dropping RMM tools to gain persistent, stealthy access to enterprise environments.
Key Discussion Points & Insights
1. What Are RMM Tools and Why Are They a Target?
[01:40] Alex Berninger:
- RMM tools are core to IT ops, used for legitimate tasks like updates, asset management, and software deployment.
- Their power and integration grant adversaries stealth and persistence, often letting them blend in as IT staff or vendors.
"...because they have all of these features, they're also leveraged by adversaries. And it really allows adversaries to blend in or even impersonate an organization's IT or a vendor."
— Alex Berninger [01:40]
2. Detection Methodology: "Hawkeye Hunting"
[02:54] Mike Wiley:
- Zscaler and Red Canary use broad telemetry (e.g., NetFlow, DNS, firewall logs) to see external threats missed at the organizational level, like "looking over multiple battleships."
- They observed about 100 RMM tool campaigns per week at the peak, with adversaries packaging legitimate, signed RMM tools (e.g., AnyDesk, PDQ) as misnamed MSIs (such as "W9.2025.msi") hosted on trusted sites (e.g., GitHub, Cloudflare R2).
"...at the peak of the campaign, we were seeing about 100 instances of this per week where these legitimate remote desktop tools were being packaged up in an MSI and they were then being hosted at these trusted resources."
— Mike Wiley [04:43]
3. Phishing Lures Used to Drop RMM Tools
[05:46] Alex Berninger:
- Four main phishing tactics identified:
  - Fake Browser Updates (mainly Chrome): prompting users to "update," which downloads an RMM tool.
  - Fake Meeting Invitations: seemingly work-related, to trick users.
  - Fake Party E-invites: social lures, growing in usage.
  - Fake Government Forms (e.g., IRS, Social Security): users are encouraged to download forms that actually contain RMM tools.
- User education is important but not sufficient; strong technical controls remain necessary.
"...relying on all users to not ever click a phishing link or navigate to a phishing site is unrealistic. And so making sure that you have controls beyond that..."
— Alex Berninger [07:27]
4. Why Are These Attacks Hard to Detect?
[08:00] Alex Berninger:
- RMM tools are legitimate; detecting malicious use is challenging.
- Key indicators:
  - Tools operating from non-standard directories.
  - Suspicious file renaming.
  - Unusual network connections.
- Keep a strict allow-list (whitelist) of RMM tools to reduce risk.
"...these RMM tools are used legitimately. That can make it really hard to detect when they're not being used in a legitimate way..."
— Alex Berninger [08:00]
5. Adversary Techniques: Deploying Multiple RMMs for Redundancy
[09:07] Mike Wiley:
- Attackers often deploy two (or more) RMM tools; if one is removed, persistence remains.
- Some organizations unknowingly harbor 7-20 unique RMMs; over 160 are tracked by Zscaler.
- RMM tool misuse is often a precursor to deeper attacks, including info stealing or ransomware.
"...having just one tool, there's risk that it will be removed or blocked at some point in time. And so by having redundancy built in, they can ensure that they have access..."
— Mike Wiley [09:09]
"...it's not just an unwanted program, it is a gateway for all kinds of malicious and risky activity on the endpoints."
— Mike Wiley [10:55]
6. Key Warning Signs for Defenders
[14:19] Alex Berninger & Mike Wiley:
- Endpoint Visibility: Monitor all systems with EDR sensors.
- Behavioral Indicators: Look for altered file names, non-standard directories, and unexpected network activity.
- Preventive Controls:
  - Block downloads/installation of unauthorized RMM tools.
  - Ban these processes organization-wide, if possible.
  - Reduce the set of allowed RMMs as tightly as possible.
"It's a lot easier to keep people out of your house who you may or may not want coming into your house, rather than letting anyone in ... and then trying to figure out what their intentions are."
— Mike Wiley [15:19]
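The indicators from sections 4 and 6 (non-standard directories, renamed binaries, unexpected network destinations, tools outside the allow-list) together with the multiple-RMM redundancy pattern from section 5, turned into a small hunting routine over process telemetry. This is an added example, not code from the episode, Red Canary or Zscaler; the allow-list, install directory, relay domain, OriginalFileName-to-product mapping and sample events are all constructed assumptions for a hypothetical organization.

```python
# Added example (not from the episode, Red Canary or Zscaler): flag the RMM-abuse
# cues from sections 4-6 in process telemetry. All values below are constructed.
from collections import defaultdict
from dataclasses import dataclass

# Assumed allow-list: the one sanctioned RMM, its install dir and relay domain.
APPROVED_RMM = {
    "anydesk": {"dir": r"c:\program files (x86)\anydesk", "relay": ".relay-a.example"},
}
# Signed OriginalFileName -> RMM product (constructed mapping for the example).
KNOWN_RMM = {"anydesk.exe": "anydesk", "pdq.exe": "pdq"}

@dataclass(frozen=True)
class ProcEvent:
    host: str
    path: str           # full path of the executed image
    original_name: str  # OriginalFileName from the PE version resource
    dest: str           # remote host the process connected to

def find_indicators(events):
    """Return (host, product, indicator) tuples for each cue that fires."""
    findings, rmm_per_host = [], defaultdict(set)
    for e in events:
        product = KNOWN_RMM.get(e.original_name.lower())
        if product is None:
            continue  # not a known RMM binary
        path = e.path.lower()
        fname = path.rsplit("\\", 1)[-1]
        rmm_per_host[e.host].add(product)
        if product not in APPROVED_RMM:
            findings.append((e.host, product, "unapproved RMM"))
        else:
            if not path.startswith(APPROVED_RMM[product]["dir"]):
                findings.append((e.host, product, "non-standard directory"))
            if not e.dest.endswith(APPROVED_RMM[product]["relay"]):
                findings.append((e.host, product, "unexpected destination"))
        if fname != e.original_name.lower():
            findings.append((e.host, product, f"renamed binary: {fname}"))
    # Two or more distinct RMMs on one host: the redundancy pattern from section 5.
    for host, products in sorted(rmm_per_host.items()):
        if len(products) > 1:
            findings.append((host, ",".join(sorted(products)), "multiple RMMs"))
    return findings

# Constructed sample telemetry: one sanctioned install, one suspicious host.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "AnyDesk.exe", "eu1.relay-a.example"),
    ProcEvent("ws02", r"C:\Users\bob\AppData\Local\Temp\W9.2025\AnyDesk.exe", "AnyDesk.exe", "203.0.113.7"),
    ProcEvent("ws02", r"C:\Users\bob\AppData\Local\Temp\ChromeUpdate.exe", "PDQ.exe", "203.0.113.7"),
]
```

Calling find_indicators(SAMPLE_EVENTS) reports nothing for ws01 and five findings for ws02, ending with the multiple-RMMs cue.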
7. The Future of RMM Abuse
[16:22] Mike Wiley:
- Threat actors realize the power and stealth of this technique, which can support objectives like espionage or ransomware.
- Blocking by domain or IP is infeasible due to the use of major cloud and file hosting (e.g., AWS, GCP); these services are business-essential.
"...when they see that these tools are generally allowed to run in most environments, these websites are difficult to block... you'd be blocking a majority of the Internet, which is not reasonable for most businesses."
— Mike Wiley [16:40]
- Alex and Mike agree: attacks are rising and unlikely to stop, as RMM misuse provides a "veneer of legitimacy" and complicates attribution.
"...what these RMM tools give adversaries is essentially that back door with that veneer of legitimacy."
— Alex Berninger [17:58]
8. Adversary Sophistication: Not Complex, But Effective
[19:14] Alex Berninger & Mike Wiley:
- While the malware/code isn't "sophisticated," the impact and stealth are high.
- Many attacks likely originate from "ransomware as a service" or threat actors selling attack chains.
- It's not about complexity; it's about how difficult detection is.
"Nowadays sophistication is less important for organizations and really the success of attack, and it's more about how hard is it to detect or block."
— Mike Wiley [20:45]
- Even organizations with legitimate RMM use have been caught off guard when attackers mimic their tool sets, with only subtle clues (file names, download sources) giving the intrusion away.
Notable Quotes & Memorable Moments
- On the challenge for defenders:
  "It's a lot easier to keep people out of your house ... rather than letting anyone in the front door and then trying to figure out what their intentions are..."
  — Mike Wiley [15:19]
- On user education and detection controls:
  "Relying on all users to not ever click a phishing link ... is unrealistic. And so making sure that you have controls beyond that..."
  — Alex Berninger [07:27]
- On the prevalence of RMM abuse:
  "...over 160 different RMM tools ... even Chrome has an extension that you can use for remote desktop. It's just very prevalent and it's difficult to keep track of..."
  — Mike Wiley [10:07]
- On adversary sophistication:
  "...if you think of sophistication as this really complicated malware ... then maybe these threat actors aren't sophisticated in that way ... but they are sophisticated in the way that they're able to achieve those actions..."
  — Alex Berninger [19:14]
Timestamps for Important Segments
- RMM Tools in the Wild: [01:40]
- "Hawkeye Hunting" Methodology: [02:54]
- Phishing Lures Explored: [05:46]
- Detection Difficulties & Whitelisting: [08:00]
- Attackers Using Multiple RMMs: [09:07]
- Indicators of Compromise for Defenders: [14:19]
- Future Trends & Defensibility: [16:22]
- Attack Sophistication & Ransomware Link: [19:14]
Tone and Takeaways
Direct and grounded, this episode blends practical detection tips with sobering analysis: the abuse of RMM tools in social engineering and phishing campaigns is growing fast, is stealthy, and presents immense detection and remediation challenges. The experts stress the importance of rigorous whitelisting, preventive controls, and broad endpoint visibility for organizations, but caution that as long as "what works, works," attackers will keep innovating.
Summary in One Sentence
Legitimate RMM tools are being actively weaponized through sophisticated phishing lures and delivery mechanisms, and their very legitimacy makes them one of the trickiest threats for organizations to spot and contain.
