Security News

Cybersecurity news aggregator

MEDIUM Attacks Dark Reading

RMM Abuse Explodes as Hackers Ditch Malware

  • What: Threat actors are increasingly abusing remote monitoring and management (RMM) tools instead of traditional malware for intrusions.
  • Impact: RMM abuse increased by 277% year-over-year, offering stealth, persistence, and operational efficiency to attackers.

RMM Abuse Explodes as Hackers Ditch Malware

It's the path of lesser resistance, as remote monitoring and management (RMM) software offers stealth, persistence, and operational efficiency.

Rob Wright, Senior News Director, Dark Reading
February 17, 2026
4 Min Read

Why use malware for intrusions when you can use enterprise software instead? That's essentially the attitude of threat actors, who last year shifted heavily toward abusing remote monitoring and management (RMM) tools and away from traditional malware.

Huntress researchers observed a whopping 277% year-over-year increase in RMM abuse, according to the company's 2026 Cyber Threat Report. The massive surge in malicious deployments of RMM tools occurred across all industries, with the healthcare and technology sectors seeing the largest increases in activity last year.

Threat actors favor such tools because they are virtually ubiquitous in enterprise environments and the malicious activity blends in with legitimate RMM usage, making detection harder for security teams than it is for conventional malware.

"RMM solutions have emerged as hackers' new favorite weapon, offering stealth, persistence, and operational efficiency," the report stated. "RMM abuse has evolved beyond opportunistic usage into a deliberate, standardized intrusion strategy."

RMM Tools Are Replacing Malware

Commonly abused RMM products include ConnectWise's ScreenConnect, AnyDesk, Atera, NetSupport, PDQ's Connect, and Splashtop.
Huntress noted that the sharp rise in abuse of these tools corresponded to a parallel drop in malware use. The shift shows that threat actors are ditching conventional hacking tools and increasingly embracing living-off-the-land (LotL) tactics, in which attackers leverage legitimate software and command-line tools to evade threat detection.

"As cybercriminals built entire playbooks around these tools to drop malware, steal credentials, and execute commands, the use of traditional hacking tools plummeted by 53%, while RATs and malicious scripts dropped by 20% and 11.7%, respectively," the report stated, adding that traditional malware was "notably rare" in cases where RMM agents were deployed.

Researchers also observed a change in the way RMM tools were used by threat actors. Instead of leveraging them for initial access points to simply drop malware, attackers now use RMMs as "a unified control hub" for command-and-control (C2) purposes as well as attack path redundancy.

Attackers are smart enough to try to use RMM tools that are already installed or at least are likely to exist inside a targeted network, says Greg Linares, principal threat intelligence analyst at Huntress. Threat actors of all stripes aim to exploit the inherent trust given to these products and blend in with legitimate usage.

"RMM is being abused massively at scale. They're ideal for attacking every level of enterprise, small business, medium-sized business, hospitals, everywhere," Linares says, adding that RMM abuse "dwarfed" traditional hacking tools last year.

Huntress also analyzed post-compromise activity following RMM deployments and found that threat actors tend to favor certain products for specific tasks, based on their respective functionality.
For example, researchers observed attackers using ScreenConnect predominantly for credential harvesting, while they favored NetSupport for fast staging and PDQ's Connect for initial malware delivery. "When correlated with 24-hour post-infection tradecraft, RMM telemetry shows a high-confidence signal of where an intrusion is headed in the attack path, not just the one in progress," the report said.

Mitigating RMM Abuse

Linares says RMM abuse poses challenges because it can be difficult to distinguish malicious activity from legitimate use. But the biggest issue is that organizations typically allow these binaries to run in their environments with little to no restriction on what they can connect to or who is using them. "The problem is these tools are not getting locked down as much as they should be," he says.

Third-party security companies should also focus on RMMs and create approved lists and restrictions to prevent unauthorized tools from being deployed in customers' networks, Linares says. Detecting malicious use of approved RMM tools is trickier. Alerts for suspicious identity-related activity can provide early warnings, but Linares says such attacks tend to move very fast at that stage. Additional warning signs include threat actors attempting to log in from multiple different locations to see whether any geofencing restrictions are in place, as well as the use of residential proxies.

But Linares says much of the abuse problem lies with the RMM vendors and developers themselves. "I think they should be held accountable to identify the abuse of their own products," he says. "It's very frustrating to be a security company and see abuse occurring over and over again, even though we're trying to do everything we can." RMM vendors should review how their products are being abused and implement restrictions to prevent that activity.
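As an added illustration of the two defensive signals just described (an approved list of RMM agents, and one account logging in from several locations in a short window), here is example detection code written for this page, not code from Huntress or Dark Reading; the executable names, the approved list and the telemetry are assumed and constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed RMM executable names and the org's approved list (constructed for
# this example; in practice take both from your own software inventory).
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
    "client32.exe": "NetSupport",
}
APPROVED_RMM = {"Atera"}          # the only product this org sanctions
MULTI_GEO_WINDOW = timedelta(hours=1)


def unapproved_rmm_agents(process_events):
    """Return (host, product, image) for each known RMM agent not on the approved list."""
    findings = []
    for ev in process_events:
        product = RMM_BINARIES.get(ev["image"].lower())
        if product and product not in APPROVED_RMM:
            findings.append((ev["host"], product, ev["image"]))
    return findings


def multi_geo_logins(login_events, window=MULTI_GEO_WINDOW):
    """Return (user, countries) for accounts whose RMM logins span >1 country within `window`."""
    by_user = defaultdict(list)
    for ev in sorted(login_events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            # evs is time-ordered, so only look forward from `first`
            countries = {e["country"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(countries) > 1:
                findings.append((user, tuple(sorted(countries))))
                break
    return findings


# Constructed sample telemetry, not real data.
PROCESS_EVENTS = [
    {"host": "ws-01", "image": "AteraAgent.exe"},
    {"host": "ws-02", "image": "ScreenConnect.ClientService.exe"},
    {"host": "ws-03", "image": "client32.exe"},
]
T0 = datetime(2026, 2, 17, 9, 0)
LOGIN_EVENTS = [
    {"user": "alice", "country": "US", "ts": T0},
    {"user": "bob", "country": "US", "ts": T0},
    {"user": "bob", "country": "DE", "ts": T0 + timedelta(minutes=20)},
    {"user": "bob", "country": "BR", "ts": T0 + timedelta(minutes=40)},
]
```

Running `unapproved_rmm_agents(PROCESS_EVENTS)` flags the ScreenConnect and NetSupport agents while the sanctioned Atera agent passes, and `multi_geo_logins(LOGIN_EVENTS)` flags only `bob`, whose three logins from different countries fall inside the one-hour window.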
The least that these companies can do, he says, is to provide as much signal output as possible from the tool to give threat detection sensors and security teams more data on who is using the tools and how they're being deployed. "We're seeing companies taking that [recommendation] back and actually re-issuing some security measures on their tools, so that's a positive," Linares says. "But they still have a long way to go."

About the Author

Rob Wright, Senior News Director, Dark Reading. Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.