“Service Agreement” Email Kickstarts Rogue RMM Tiflux Triple Threat

Published: May 7, 2026
By: Andrew Brandt

Key Takeaways

- A lesser-known RMM called Tiflux is being used in a growing number of attacks against Huntress customers and others.
- Huntress has observed Tiflux being used in attacks that aim to establish persistence, transmit screenshots, and run commands to collect system profiling information.
- The threat actors behind the rogue Tiflux incidents also installed UltraVNC, an open-source remote access tool, sideloaded other commercial RMMs, including Splashtop and ScreenConnect, and installed an outdated driver that can let the threat actor elevate their privileges on an infected system.
- Threat actors continue to test and weaponize commercial remote access management tools.

Acknowledgements: Huntress wishes to recognize the contributions of SOC analysts Tanner Filip, Jose Oregon, and Priscilla Ibarra, and of Lindsey O’Donnell-Welch, for help hunting telemetry for incidents and finding additional evidence.

TL;DR: Since February 27, Huntress has observed an uptick in incidents using Tiflux, a lesser-known commercial RMM. Upon closer inspection of one such incident, we found that threat actors ran a phishing campaign using fake document lures to establish initial access, then chained that access into additional remote control tools, including UltraVNC, Splashtop, and in some cases ScreenConnect. The campaign fits a broader pattern Huntress has seen repeatedly: threat actors abusing legitimate remote management software for stealthy access and persistence. What makes this activity especially concerning is that the Tiflux installer also includes outdated and suspicious components, including a vulnerable HwRwDrv.sys driver associated with privilege escalation, whose signing certificate has since been revoked, and UltraVNC components signed with a long-expired certificate, increasing the risk beyond simple remote access.
Threat actors and Tiflux

This is the first time Huntress has written about a threat actor using Tiflux, an RMM product that originates in Brazil, to gain remote access to a target’s machine. The SOC has seen an increase in the use of Tiflux across various incidents since February. We haven’t seen much else written about this particular RMM, but it continues the pattern we’ve observed of threat actors testing and adopting new RMMs as a way to establish access to, and persistence in, victim environments. Several of the Tiflux-linked incidents seen by the SOC shared similarities across their attack chains, such as the deployment of multiple RMMs and of vulnerable kernel drivers. Some of these incidents led to unauthorized access and credential theft. We dug deeper into one incident involving Tiflux, which revealed capabilities the threat actors had set up for persistence, system information profiling, and screenshot transmission.

Technical details

The incident that initially caught our eye started with a malspam email sent on May 1 from businessservices@hg[.]lawdepotisland[.]com, as seen in Figure 1 below.

Figure 1: One of the original email messages

The link in the email led to a page gated with a Cloudflare CAPTCHA, hosted on lenwillfilenetwork[.]com. Once the CAPTCHA was completed, it took targets to the next page:

Figure 2: The fake "service agreement document" download page

We have seen several variations of this initial part of the attack. A newer attack, spotted the next day, used a CAPTCHA-like dialog box that, oddly, generated a small popup (within Edge on Windows) that looked like it was trying to mimic a macOS dialog.
Figure 3: The fake CAPTCHA running on Windows that pretends to be on a Mac computer

After a few seconds, a new page appeared that prompted the viewer to download a “secured document.”

Figure 4: One of the download pages that delivers the Tiflux installer

The link on either page led to the Tiflux installer, Network Solutions Agreement.msi, seen in Figure 5.

Figure 5: The installer was renamed to reference the purported rationale for its delivery

The installer

The installer, an .msi package, was cryptographically signed by Tiflux Sistema de Gestão LTDA one day before we analyzed it. As seen in Figure 6, the installer contains various components of Tiflux, including TiAgent, which acts as an orchestrator for the RMM, and TiPeerToPeer, a component that (in a legitimate installation) acts as a backchannel through which the support team that delivers the RMM communicates with its customer. We will dig deeper into some of the other components, like si.exe, later.

Figure 6: Extracted components of the Tiflux msi installer

The installer also contains three “dependencies”: UltraVNC and Windows builds of the compression utilities 7zip and tar.

Figure 7: Dependencies included silent installers for three other components, one of which is a version of the remote access tool VNC

Once the target installs the Tiflux agent, the threat actor behind the campaign uses a capability in Tiflux to push ScreenConnect and/or Splashtop (sometimes just one, sometimes both) to the target’s computer. After digging into the Tiflux agent, we observed our test system install and then start services related to Splashtop, with no notification to the person operating the computer. When installing a different Tiflux distribution, we observed it install and use ScreenConnect.
Figure 8: A Process Explorer view shows the Tiflux "TiService" executing commands that install Splashtop (in red) and then start the Splashtop service (in green)

With both Tiflux and Splashtop running, we observed the two RMMs connect to the servers used to manage them, transmit screenshots and screenshot thumbnails, and run commands to collect system profiling information and interrogate the operating system.

Figure 9: The Splashtop service ran a tool called osqueryi.exe (in red) to retrieve data from the infected computer

Suspicious installer contents

In addition to installing these two commercially available management tools, the installer file contained several other files that, taken together, raise suspicions. The UltraVNC components this installer contains are woefully out of date. How old, you ask? Several of the components identify themselves as version 1.2.0.1 of UltraVNC, which dates back to (at least) 2014 (the current version, 1.6.4.0, was published last year). The installer also contains a software publishing certificate issued to uvnc bvba (the legitimate publisher of UltraVNC), but that certificate expired in March 2014. The UltraVNC installation also leaves behind an entry in Windows Device Manager for a display adapter named mv video hook driver2; this mirror display driver, which UltraVNC uses to capture screen changes for the VNC session, was published on April 11, 2007. A human the same age might be finishing their first undergraduate year of college right about now.

Figure 10: An installed video hook driver that is almost old enough to hit the bars

In addition to the software dependencies, the .msi installer also contained five Windows Registry (.reg) files, which it could use to modify the computer. While we did not observe the installer importing any of these into the Registry, either Splashtop or Tiflux appeared capable of doing so at any time.
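The chain in Figure 8, one RMM's service spawning the installer and service start of a second RMM, is the kind of relationship a SOC can hunt for directly in process-creation telemetry. The following is an added example, not Huntress code or Tiflux code: it attributes each process to an RMM family by substring markers and then walks the parent chain, flagging any RMM activity whose ancestry belongs to a different RMM family. The events are constructed to mirror Figures 8 and 9; the TiService, TiAgent, TiPeerToPeer and osqueryi names come from the post, while the PIDs, file paths, command lines and the Splashtop/ScreenConnect/VNC executable names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


# Marker substrings per RMM family. TiService/TiAgent/TiPeerToPeer are named in the post;
# the Splashtop, ScreenConnect and VNC executable names are assumptions for this example.
RMM_MARKERS: Dict[str, Tuple[str, ...]] = {
    "tiflux": ("tiservice", "tiagent", "tipeertopeer"),
    "splashtop": ("splashtop", "srservice", "srserver"),
    "screenconnect": ("screenconnect",),
    "ultravnc": ("winvnc", "ultravnc"),
    "tightvnc": ("tvnserver",),
}

# Constructed events modelled on Figure 8 (TiService installing and starting Splashtop) and
# Figure 9 (Splashtop running osqueryi). PIDs, paths and command lines are invented. pid 700
# stands for services.exe, which is deliberately absent from the set; pid 2000 is a benign
# control: an admin installing Splashtop from an interactive Explorer session.
EVENTS: List[ProcEvent] = [
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1000, 700, r"C:\Program Files\Tiflux\TiService.exe", "TiService.exe"),
    ProcEvent(1200, 1000, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c msiexec /i "C:\\ProgramData\\Tiflux\\Splashtop_Streamer.msi" /qn'),
    ProcEvent(1300, 1200, r"C:\Windows\System32\msiexec.exe",
              'msiexec /i "C:\\ProgramData\\Tiflux\\Splashtop_Streamer.msi" /qn'),
    ProcEvent(1400, 1000, r"C:\Windows\System32\sc.exe", "sc start SplashtopRemoteService"),
    ProcEvent(1500, 700, r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe",
              "SRService.exe"),
    ProcEvent(1600, 1500, r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\osqueryi.exe",
              'osqueryi.exe --json "select * from system_info"'),
    ProcEvent(2000, 900, r"C:\Windows\System32\msiexec.exe",
              'msiexec /i "C:\\Users\\admin\\Downloads\\Splashtop_Streamer.msi"'),
]


def rmm_family(ev: ProcEvent) -> Optional[str]:
    """Return the RMM family a process belongs to, or is installing/starting, if any."""
    hay = (ev.image + " " + ev.cmdline).lower()
    for family, markers in RMM_MARKERS.items():
        if any(m in hay for m in markers):
            return family
    return None


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk the parent chain as far as the event set allows, guarding against pid reuse loops."""
    chain: List[ProcEvent] = []
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect_rmm_chaining(events: List[ProcEvent]) -> List[str]:
    """Flag RMM activity whose ancestry contains a *different* RMM family (RMM-installs-RMM)."""
    by_pid = {e.pid: e for e in events}
    findings: List[str] = []
    for ev in events:
        fam = rmm_family(ev)
        if fam is None:
            continue
        for anc in ancestors(ev, by_pid):
            afam = rmm_family(anc)
            if afam is not None and afam != fam:
                findings.append(
                    f"{fam} activity (pid {ev.pid}: {ev.cmdline}) spawned under {afam} (pid {anc.pid})")
                break
    return findings


if __name__ == "__main__":
    for line in detect_rmm_chaining(EVENTS):
        print(line)
```

On the constructed events the rule fires three times, for the cmd.exe, msiexec.exe and sc.exe children of TiService, and stays silent both for the Splashtop service itself (its parent, the service control manager, is not an RMM) and for the admin's interactive install. In production the same logic runs over Sysmon Event ID 1 or EDR process trees; the marker table, not the walk, is what you tune per environment.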
One of the Registry changes adds a Services entry for another VNC variant, TightVNC, and lists it under the SafeBoot key so that the service starts even when Windows boots into Safe Mode. Oddly, the attack chain was not observed installing TightVNC, only UltraVNC.

Figure 11: The registry file registers the TightVNC service so that it runs even in Windows Safe Mode

Even more suspiciously, the key contained a nonstandard installation path for TightVNC:

C:\PeopleOne\dependencies\tightvnc\tvnserver.exe -service

Figure 12: Converting the hex registry value to text reveals the unusual path where TightVNC will install

Another of the .reg files adds a cached SSH host key for the Windows SSH client PuTTY, which is also strange because the Tiflux installer does not install PuTTY. The entry pre-trusts the host key of a server (offline as of publication of this blog, on May 7, 2026) at remote1a[.]peopleone[.]com[.]br, so a PuTTY or plink connection to that server would not raise the unknown-host-key prompt that a first connection normally triggers. This is a host-verification entry, not a credential: it does not by itself authenticate anyone to the server, but it removes an interactive check that a user might otherwise notice.

Figure 13: The .reg file that adds a cached SSH host key for PeopleOne's server

Two of the Registry files make changes to Windows that could conceal the presence of a VNC service (or someone using it) on the device. Among other undesirable changes, the modified policies suppress consent prompts and similar notifications, and loosen the policy governing the Secure Attention Sequence (SAS, the Ctrl+Alt+Del sequence), which a remote control tool must be allowed to simulate in order to interact with the logon and UAC desktops. Either change keeps a prompt that would otherwise draw attention from appearing to the target, or to whoever is controlling the target’s machine.

At one point, the Tiflux tool drops a known vulnerable driver, HwRwDrv (the file is named HwRwDrv.x64 in this instance), into the TEMP directory in the user’s profile and registers it with Windows.

Figure 14: The vulnerable driver installs itself in Windows

While it isn’t clear what this driver is used for in this instance, background information about the driver flags it as having been previously abused for privilege escalation. The driver’s signing certificate was revoked years ago.
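Figures 11 through 13 all come down to reading .reg files: the TightVNC ImagePath in Figure 12 is stored as hex(2) (a REG_EXPAND_SZ exported as comma-separated UTF-16LE bytes, split across backslash-continued lines), the SafeBoot entry in Figure 11 is just a subkey name, and the PuTTY entry in Figure 13 is a value name of the form algorithm@port:host. The following is an added example, not Huntress code or part of Tiflux: a small parser for the regedit 5.00 export format that decodes those value types, followed by a triage pass that flags Safe Mode persistence, service paths outside the standard install roots, and pre-trusted SSH hosts. The only detail taken from the post is the TightVNC path; the key layout, the Start value and the PuTTY entry with its dummy key material are constructed for the example, and the sample is generated with the same encoder regedit uses so that the continuation-line handling is exercised.

```python
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[str, int, bytes, List[str]]
RegDump = Dict[str, Dict[str, Tuple[str, RegValue]]]

# Service path quoted from the post (Figure 12). Everything else in SAMPLE_REG is constructed.
TVN_PATH = r"C:\PeopleOne\dependencies\tightvnc\tvnserver.exe -service"


def to_hex2(s: str) -> str:
    """Encode a string as regedit exports REG_EXPAND_SZ: NUL-terminated UTF-16LE, hex, comma-separated."""
    return ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


def wrap_hex(hexstr: str, width: int = 60) -> str:
    """Break a long hex list into regedit-style continuation lines (trailing backslash, indented)."""
    lines: List[str] = []
    cur = ""
    for item in hexstr.split(","):
        if cur and len(cur) + len(item) + 1 > width:
            lines.append(cur + ",\\")
            cur = "  " + item
        else:
            cur = item if not cur else cur + "," + item
    lines.append(cur)
    return "\n".join(lines)


# Constructed .reg export modelled on the artifacts described in the post. The PuTTY value
# name follows PuTTY's SshHostKeys convention (algorithm@port:host); the key data is a dummy.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\tvnserver]
@="Service"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\tvnserver]
"DisplayName"="TightVNC Server"
"Start"=dword:00000002
"ImagePath"=hex(2):{wrap_hex(to_hex2(TVN_PATH))}

[HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\SshHostKeys]
"ssh-ed25519@22:remote1a.peopleone.com.br"="0x0123456789abcdef"
"""

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', re.S)
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$", re.S)


def unescape(s: str) -> str:
    """Undo regedit's escaping of backslash and double quote inside quoted strings."""
    return re.sub(r'\\(["\\])', r"\1", s)


def logical_lines(text: str):
    """Yield lines with regedit continuations joined (trailing backslash continues the value)."""
    buf = ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        yield buf + stripped
        buf = ""


def decode_value(raw: str) -> Tuple[str, RegValue]:
    """Decode one exported value into (registry type name, Python value)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if m:
        kind = int(m.group(1) or 3)          # bare "hex:" is REG_BINARY (type 3)
        data = bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
        if kind in (1, 2):                    # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
            return ("REG_SZ" if kind == 1 else "REG_EXPAND_SZ"), data.decode("utf-16-le").rstrip("\0")
        if kind == 7:                         # REG_MULTI_SZ: NUL-separated, double-NUL terminated
            return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\0") if s]
        return f"REG_TYPE_{kind}", data
    raise ValueError(f"unsupported value syntax: {raw!r}")


def parse_reg(text: str) -> RegDump:
    """Parse a .reg export into {key: {value_name: (type, decoded_value)}}."""
    dump: RegDump = {}
    key = None
    for line in logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            dump.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            raise ValueError(f"unexpected line: {line!r}")
        name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        dump[key][name] = decode_value(m.group(2))
    return dump


STANDARD_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def find_suspicious(dump: RegDump) -> List[str]:
    """Flag Safe Mode persistence, services outside standard roots, and pre-trusted SSH hosts."""
    findings: List[str] = []
    for key, values in dump.items():
        lk = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if "\\control\\safeboot\\" in lk:
            findings.append(f"safe-mode persistence: '{leaf}' registered under {key}")
        if "\\services\\" in lk and "ImagePath" in values:
            path = str(values["ImagePath"][1])
            if not path.strip('"').lower().startswith(STANDARD_ROOTS):
                findings.append(f"nonstandard service path: '{leaf}' -> {path}")
        if lk.endswith("\\putty\\sshhostkeys"):
            for name in values:
                algo, _, hostspec = name.partition("@")
                findings.append(f"pre-trusted SSH host key: {hostspec.split(':', 1)[-1]} ({algo})")
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_reg(SAMPLE_REG)):
        print(f)
```

Pointed at the five .reg files from an installer like this one, the same pass answers the three questions the post raises for each: does anything land under SafeBoot, where does each service binary actually live, and which remote hosts are being pre-trusted.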
Figure 15: Certificate revocation displayed on the file's properties sheet

The initialization files bundled with the UltraVNC package contained two hardcoded passwords. While the passwords appear in the .ini as hexadecimal strings, those are easily reversed: UltraVNC stores each one as the hex encoding of the password encrypted with DES under a fixed key that has been public for years, so any of the widely available VNC password decoders recovers the plaintext.

Figure 16: UltraVNC initialization files for the Tiflux installation with hardcoded credentials

There were two of these .ini files inside the installer, one for the 32-bit build and one for the 64-bit build of the program, but only the 32-bit .ini contained a build path string that seems to identify the person who built the installer. OSINT searches tie this person to both “PeopleOne” and to Tiflux.
Threat actors are weaponizing the legitimate Tiflux RMM software in phishing campaigns, using fake document lures to gain initial access and then deploying Tiflux for persistence, system profiling, and screenshot transmission. The attack chain often includes sideloading additional remote access tools such as UltraVNC, Splashtop, and ScreenConnect, and the Tiflux installer bundles an outdated, known-vulnerable driver (HwRwDrv.sys) whose signing certificate has been revoked and which has previously been abused for privilege escalation. This activity represents a broader trend of adversaries abusing commercial remote management tools for stealthy, persistent access to victim environments.