Screen of the Google Drive phishing page | Image: ASEC
In a new report, the AhnLab Security Intelligence Center (ASEC) warns of a rising trend where threat actors are hijacking powerful Remote Monitoring and Management (RMM) software to infiltrate victim networks. By abusing trusted tools like Syncro, SuperOps, NinjaOne, and ScreenConnect, attackers are bypassing security radars and establishing persistent remote control over infected systems.
The campaign, which has been active since at least October 2025, relies on a deceptive infection chain starting with a harmless-looking PDF.
The attack begins with a classic phishing lure. Victims receive emails containing PDF attachments with urgent-sounding names like Defective_Product_Oder.pdf, Invoice_Details.PDF, or video_payment_error.pdf.
However, the file itself is a decoy. “When the PDF document is executed… users are prompted to click on the Google Drive link,” the report explains. The document claims it “Failed to load” and directs the user to an external site—often masquerading as Adobe—to view the content.
“This indicates that the threat actor is impersonating Adobe to make users believe they are downloading a legitimate PDF file,” ASEC analysts noted.
Once the user clicks the link, they aren’t downloading a standard virus, but a legitimate—or slightly modified—installer for enterprise-grade RMM software. These tools are designed for IT administrators to manage computers remotely, making them the perfect “Living-off-the-Land” weapon. They are digitally signed, often trusted by antivirus software, and provide robust remote access capabilities out of the box.
The report highlights that “threat actors distributed a PDF file that prompted users to download and run the RMM tool from a disguised distribution page”.
Specific tools weaponized in this campaign include:
- Syncro
- SuperOps
- NinjaOne
- ScreenConnect
The sophistication of the attack is evident in the downloader analysis. One observed sample, a downloader for NinjaOne, was built using NSIS (Nullsoft Scriptable Install System).
“The downloader is developed with NSIS, and the internal NSI script contains a command to download additional payloads,” the report states. It silently fetches the RMM agent from a malicious domain (anhemvn124.com) and installs it without the user’s consent.
The malware authors even left a digital trail. The certificate used to sign the malicious files links this campaign to activities dating back to late 2025. “The certificate used to sign the malware shows that the threat actor has been performing similar attacks since at least October 2025”.
Detecting these attacks is challenging because the final payload is often a valid, signed application used by thousands of legitimate businesses. ASEC advises users to be skeptical of any “failed to load” messages in PDFs and to verify the sender of any unexpected invoices.
“When opening emails from unknown sources, users must be extra cautious. It is important to verify if the sender is trustworthy and to not open suspicious links or attachments”.
Organizations are urged to monitor for unauthorized RMM software installations and block known malicious domains associated with these distribution campaigns.
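The monitoring advice above is easiest to act on with a concrete rule. The following is an added example, not code from ASEC or the report: a small Python detector that scans process-creation events (JSON, one per line, a constructed format with `host`, `image`, `parent_image`, `cmdline` and `domain` fields) and flags RMM installers on hosts where that product is not approved, installers launched from a browser or PDF reader, silent (`/S`, the NSIS convention) installs run from a user-writable directory, and any contact with the report's distribution domain. The executable-name patterns, the per-host allowlist and the set of "user-launched" parent processes are assumptions for illustration; only the four RMM product names and the `anhemvn124.com` domain come from the article. The sample log lines are constructed.

```python
"""Flag unauthorized RMM installs and downloader beacons in process logs.

Added example (not ASEC's code). Assumes a JSON-lines process log with the
fields host, image, parent_image, cmdline and domain.
"""
import json
import re
from typing import Dict, Iterable, List

# RMM products named in the ASEC report. The filename patterns are an
# assumption (typical installer names), not indicators from the report.
RMM_SIGNATURES = {
    "Syncro": re.compile(r"syncro", re.I),
    "SuperOps": re.compile(r"superops", re.I),
    "NinjaOne": re.compile(r"ninja(one|rmm)", re.I),
    "ScreenConnect": re.compile(r"screenconnect|connectwise", re.I),
}

# Hypothetical allowlist: hosts on which each RMM product is sanctioned.
APPROVED = {"ScreenConnect": {"it-admin-01"}}

# Distribution domain from the ASEC report; extend with your own blocklist.
BLOCKED_DOMAINS = {"anhemvn124.com"}

# Parents that mean a person clicked the installer rather than a managed
# deployment tool running it (assumption: deployments come via SCCM/Intune).
USER_LAUNCH_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe",
                       "acrord32.exe", "outlook.exe"}


def classify(event: Dict) -> List[str]:
    """Return the list of findings for one process-creation event."""
    findings: List[str] = []
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    cmdline = event.get("cmdline", "")

    for product, pattern in RMM_SIGNATURES.items():
        if pattern.search(image) or pattern.search(cmdline):
            if event.get("host") not in APPROVED.get(product, set()):
                findings.append(f"unauthorized-rmm:{product}")
            if parent in USER_LAUNCH_PARENTS:
                findings.append(f"user-launched-installer:{product}")

    domain = event.get("domain", "").lower()
    if domain in BLOCKED_DOMAINS:
        findings.append(f"blocked-domain:{domain}")

    # NSIS-style silent install (/S) of an .exe sitting in Downloads or Temp:
    # the shape of the downloader described in the report.
    in_user_dir = re.search(r"\\(downloads|temp)\\", image) is not None
    silent = re.search(r"(?:^|\s)/S(?:\s|$)", cmdline) is not None
    if in_user_dir and image.endswith(".exe") and silent:
        findings.append("silent-install-from-user-dir")
    return findings


def scan(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines events and return one alert per event with findings."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        findings = classify(event)
        if findings:
            alerts.append({"host": event.get("host"),
                           "image": event.get("image"),
                           "findings": findings})
    return alerts


# Constructed sample log: a lure-named downloader, the RMM agent it drops,
# a sanctioned SCCM deployment, and an unrelated benign process.
SAMPLE_LOG = r"""
{"host": "ws-042", "image": "C:\\Users\\jdoe\\Downloads\\Invoice_Details.exe", "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "Invoice_Details.exe /S", "domain": "anhemvn124.com"}
{"host": "ws-042", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\NinjaOneAgent-Setup.exe", "parent_image": "C:\\Users\\jdoe\\Downloads\\Invoice_Details.exe", "cmdline": "NinjaOneAgent-Setup.exe /S", "domain": ""}
{"host": "it-admin-01", "image": "C:\\Windows\\ccmcache\\a1\\ScreenConnect.ClientSetup.exe", "parent_image": "C:\\Windows\\CCM\\CcmExec.exe", "cmdline": "ScreenConnect.ClientSetup.exe /S", "domain": ""}
{"host": "ws-017", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "WINWORD.EXE", "domain": "office.com"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed log it raises two alerts, both on `ws-042`: the downloader (blocked domain plus silent install from Downloads) and the NinjaOne agent it spawns (unsanctioned product plus silent install from Temp), while the SCCM-deployed ScreenConnect on the approved host stays quiet. In production the same `classify` logic maps directly onto Sysmon Event ID 1 or EDR process telemetry; the allowlist is the part that needs real inventory data, since the whole point of the campaign is that the binaries themselves look legitimate.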