Social engineering email used to distribute malicious PDF | Image: WithSecure
WithSecure has uncovered a stealthy campaign using legitimate Remote Monitoring and Management (RMM) tools embedded in PDF documents to target organizations in France, Luxembourg, and other parts of Europe. The technique, while not new, is seeing a resurgence—this time with tailored lures, trusted platforms, and zero malware payloads at the point of entry.
“Since November 2024, WithSecure has been tracking a slight uptick of targeted activities leveraging RMM tools embedded within PDF documents,” the report reveals.
The attack chain begins with socially engineered emails that deliver harmless-looking PDFs. These documents often masquerade as invoices, contracts, or property listings customized to the victim’s industry. A single embedded link initiates the silent download of an RMM installer.
“The activity primarily targets organizations in France and Luxembourg… using socially engineered emails to deliver a clean PDF containing an embedded link to an RMM installer,” WithSecure notes.
The PDFs are convincing. One sample targeting a Dutch real estate firm included blurred property images and Dutch-language text to prompt victims into clicking the embedded link.
While RMM tools such as FleetDeck, Atera, Bluetrait, and ScreenConnect are typically used for legitimate IT support, attackers are now repurposing them to establish unauthorized, persistent remote access.
“RMM tools, while legitimate in nature, have emerged as a popular initial access and persistence vector for threat actors,” the report explains.
Once installed, these tools allow adversaries to:
- Bypass security controls
- Move laterally through networks
- Drop follow-on payloads like ransomware
Although WithSecure hasn’t observed secondary malware deployment yet, they warn that groups like Black Basta, Conti, Royal, and BlackCat have used similar tactics in the past.
The campaign is regionally focused—especially on France and Luxembourg. The attackers are zeroing in on financially lucrative sectors like energy, banking, government, and construction.
“Despite its proportionately small population… Luxembourg has one of the highest GDPs per capita globally, making it an appealing target for financially motivated threat actors,” the researchers observed.
Interestingly, many emails spoof employees from trusted organizations and even use Zendesk—a legitimate support platform—as a delivery channel.
“In more recent activities… the threat actor has submitted tickets or replies through Zendesk that include the malicious PDF,” bypassing traditional email filters.
WithSecure’s metadata analysis of the PDF lures revealed author names like “Dennis Block” and “Guillaume Vaugeois,” along with popular creation tools such as Microsoft Word, Canva, and ILovePDF.
“The inconsistent and seemingly random nature suggests that they may be randomly assigned… or an intentional effort to diversify metadata in order to evade detections,” the report states.
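The two observables the report singles out, the embedded download link and the inconsistent document metadata, can be pulled from a lure with a small triage script. The example below is added here and is not WithSecure's tooling; it works on an uncompressed PDF fragment constructed inline, and the download host and the installer-extension watchlist are placeholders, not indicators from the report.

```python
import re

# Constructed sample: a minimal uncompressed PDF with an Info dictionary
# (author/creator metadata) and a link annotation whose /URI points at an
# installer download. The host name is a placeholder, not an IoC from the report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 200 50]
  /A << /S /URI /URI (https://example.invalid/support/agent_setup.exe) >> >> endobj
5 0 obj << /Author (Dennis Block) /Creator (Canva) /Producer (ILovePDF) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

INFO_KEYS = ("Author", "Creator", "Producer")
# Assumed watchlist: link targets that end in an installer-style extension.
INSTALLER_EXT = re.compile(r"\.(exe|msi|msix|dmg|pkg|zip)(\?|$)", re.I)


def pdf_metadata(data: bytes) -> dict:
    """Return the literal-string /Author, /Creator and /Producer values."""
    meta = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", data)
        if m:
            meta[key] = m.group(1).decode("latin-1")
    return meta


def pdf_uris(data: bytes) -> list:
    """Return every /URI target found in link annotations."""
    return [u.decode("latin-1") for u in re.findall(rb"/URI\s*\(([^)]*)\)", data)]


def triage(data: bytes) -> dict:
    """Combine metadata and link extraction; flag installer-style link targets."""
    uris = pdf_uris(data)
    installer_links = [u for u in uris if INSTALLER_EXT.search(u)]
    return {"metadata": pdf_metadata(data), "uris": uris,
            "installer_links": installer_links, "flag": bool(installer_links)}


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Real lures are usually compressed or store metadata as hex strings, so in practice the same regexes are run over the objects a PDF parser has already inflated; the logic of pairing link targets with Info-dictionary values is unchanged.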
“Although no post-infection payloads have been observed… the use of RMM tools strongly suggests their role as an initial access vector,” WithSecure concludes.