Remote monitoring and management tools are the software your IT provider uses to keep your systems running. They provide legitimate, necessary administrative access to your organization’s computers and servers, allowing IT teams to deploy patches, monitor performance, fix problems remotely, and respond to security incidents without physically being present at each device.
They are also, increasingly, a primary weapon in sophisticated cyberattacks.
The same capabilities that make RMM tools valuable for IT management make them attractive to attackers. Legitimate RMM software bypasses many security controls because those controls are configured to trust it. It operates with elevated privileges. It provides persistent, difficult-to-detect access to every device it manages. And because it looks exactly like legitimate IT activity, it often goes unnoticed for extended periods.
This article explains how rogue RMM attacks work, why they are increasing, what business leaders need to understand about their specific risk, and what protection looks like in an environment where attackers have learned to weaponize the tools that were built to protect you.
What Rogue RMM Attacks Actually Are
Rogue RMM attacks occur when an attacker installs unauthorized remote monitoring and management software on a victim’s systems. The software may be a legitimate RMM product installed without authorization, a modified version of a legitimate tool, or purpose-built attacker tools designed to mimic RMM functionality.
The attack works because RMM software is designed to be trusted. Security tools that would flag unknown malware often allow RMM software to run because the software is legitimately signed, recognizable, and categorized as an administrative tool rather than a threat. Firewalls that would block unknown outbound connections often allow RMM traffic because the traffic uses standard protocols and destinations associated with legitimate management platforms.
When an attacker successfully installs rogue RMM software on your systems, they have everything your IT provider has: visibility into every managed device, the ability to execute commands, the ability to install additional software, the ability to access files and data, and persistent access that survives reboots and basic remediation attempts.
The CISA and NSA joint advisory published in 2023, and subsequent threat intelligence reporting through 2025 and into 2026, consistently identify rogue RMM as an active technique used by financially motivated cybercrime groups and nation-state actors. The technique has not peaked. It is in an expansion phase as more attacker groups adopt it and as the RMM software ecosystem grows to provide more tools for legitimate and illegitimate use.
How Attackers Install Rogue RMM Software
Understanding the installation pathway is essential for understanding where protection must exist.
Phishing and Social Engineering
The most common initial access vector for rogue RMM installation is a phishing email or phone call. Attackers impersonate IT support staff, software vendors, government agencies, or other trusted parties and convince the target to install software or click a link that installs the software automatically.
A common pattern in 2025 and continuing into 2026 involves attackers calling organizations claiming to be from Microsoft, an IT support company, or a cybersecurity firm. They tell the target that their computer has a problem that requires remote access to fix. They direct the target to install a specific tool. The tool is a legitimate RMM product that the attacker controls from their end. This works because legitimate IT support actually works this way. Real IT providers ask employees to install tools and grant remote access. The social engineering attack mimics a familiar, legitimate interaction closely enough that employees who are not specifically trained on this threat pattern do not recognize the difference. How social engineering attacks are constructed covers the psychological techniques attackers use to make these requests feel legitimate under pressure.
Compromised Managed IT Provider Infrastructure
The supply chain attack variant of rogue RMM installation begins not at the target organization but at the target’s managed IT provider. If an attacker compromises the provider’s RMM platform, they gain access to every organization the provider manages through the same management infrastructure the provider uses for legitimate operations.
The Kaseya VSA attack in 2021 demonstrated this pattern at scale: attackers compromised the RMM platform and used it to deploy ransomware to approximately 1,500 organizations through the provider’s legitimate management connections. The attack was effective precisely because the RMM infrastructure was trusted by all of those organizations. This pattern has continued and evolved. Attackers who compromise a managed IT provider’s credentials or infrastructure gain access to all managed clients simultaneously, making the provider’s RMM infrastructure a high-value target.
Exploitation of Existing RMM Software Vulnerabilities
Organizations that legitimately use RMM software may be vulnerable to attacks that exploit vulnerabilities in that software. Unpatched RMM platforms with known vulnerabilities have been exploited to escalate privileges, bypass authentication, and install attacker-controlled agents alongside or instead of legitimate management components. This pathway does not require the attacker to social engineer anyone inside the target organization. It requires only that the organization’s legitimate RMM software has a vulnerability the attacker can exploit and that the software has not been patched.
Dark Web Credential Markets and Initial Access Brokers
Attackers who do not have a social engineering pathway or a vulnerable software target can purchase access. Initial access brokers sell compromised credentials for organizational networks, VPN access, and in some cases direct RMM access to organizations whose management credentials have been compromised. When an attacker purchases RMM access through the initial access broker market, they begin their operation with the same access a legitimate IT administrator would have, obtained without any phishing or exploitation targeting the victim organization directly.
Why Rogue RMM Attacks Are Increasing in 2026
Several converging factors have made rogue RMM a preferred technique for a broad range of attacker groups.
RMM software proliferation has given attackers more tools to choose from. The market for remote management tools has grown significantly over the past five years. Legitimate RMM products including ConnectWise Control, AnyDesk, TeamViewer, Atera, NinjaRMM, and dozens of others are widely deployed and broadly trusted by security tools. Attackers therefore have more target organizations that already run these tools, and more legitimate cover for their own activity.
Security control improvements against traditional techniques have driven this shift. Email security, endpoint detection, and behavioral analytics have improved against traditional malware delivery methods. Phishing emails with executable attachments are more likely to be caught. Known malware signatures are more likely to trigger alerts. Attackers have adapted by using legitimate tools that security controls are configured to trust rather than malware that triggers detection.
The normalization of remote work has expanded the social engineering attack surface. Employees who receive calls or emails requesting installation of remote access tools are less suspicious than they would have been when remote IT support was less common. The real interaction and the attacker’s impersonation of it have become harder to distinguish.
Financial returns at scale have attracted more sophisticated attacker groups to this technique. Attacker groups that compromise MSP infrastructure gain access to hundreds or thousands of organizations simultaneously. The return on investment for attacking well-positioned RMM infrastructure vastly exceeds the return on targeting individual organizations.
What Rogue RMM Access Enables
When an attacker has established rogue RMM access to your environment, the capabilities they have are the capabilities your IT provider has. This is what makes the technique so operationally significant.
Rogue RMM software that is running on your systems has the same operational persistence as legitimate management software. It survives reboots, often survives basic security scans that do not specifically detect unauthorized RMM tools, and operates through standard network pathways that firewalls and security tools are configured to permit. The attacker can execute any command on managed systems with the privileges of the RMM agent, which is typically elevated. They can install additional tools including ransomware payloads, access files, create new accounts, and modify security configurations.
Data exfiltration conducted through legitimate RMM channels is significantly harder to detect than exfiltration through obvious pathways because the traffic pattern matches legitimate management activity. From a single compromised system, an attacker can deploy additional rogue agents to other systems in the environment, expanding their foothold across the organization. Attackers who establish rogue RMM access often use it for extended reconnaissance before deploying their primary payload. They map the network, identify backup infrastructure, locate valuable data, and assess the organization’s security controls before choosing their moment and their method. How ransomware attacks unfold from initial access through encryption explains why this reconnaissance period is where the outcome of the incident is actually determined.
The Business Impact of Rogue RMM Compromise
The consequences of a rogue RMM compromise depend on what the attacker chooses to do with the access they have established.
The most common monetization of rogue RMM access in financially motivated attacks is ransomware deployment. The attacker uses the RMM infrastructure to deploy ransomware to all managed systems simultaneously, maximizing encryption scope before the victim has an opportunity to respond. Before or alongside ransomware deployment, attackers with rogue RMM access exfiltrate sensitive data for double extortion: pay for decryption and pay to prevent publication. Attackers with RMM access to financial systems can also access banking credentials, modify payment information, and directly facilitate financial fraud without deploying noisy ransomware that would immediately trigger response.
Nation-state actors and competitors who establish rogue RMM access may have objectives that do not involve ransomware at all. Silent, persistent access for intelligence collection and intellectual property exfiltration is a high-value outcome that rogue RMM access makes possible and that, unlike ransomware, does not announce itself. Attackers with RMM access can also disrupt operations without deploying ransomware by modifying configurations, deleting data, or disrupting critical processes.

What Business Leaders Specifically Need to Understand
Most cybersecurity discussions of rogue RMM focus on the technical details that IT and security teams need to understand. Business leaders need different information: what decisions they should be making, what they should be asking, and what the organizational risk picture looks like.
Your IT Provider’s Security Posture Is Your Risk
If you use a managed IT provider, your exposure to rogue RMM attacks is determined not just by your own security controls but by your provider’s security controls. An attacker who compromises your provider’s platform gains access to your environment through trusted pathways that your security controls are configured to permit.
The questions business leaders should be asking their managed IT providers include: how is your RMM platform secured against unauthorized access, what multi-factor authentication protects your management credentials, how do you detect unauthorized access to your management infrastructure, and what happens to my organization if your platform is compromised? Providers who answer these questions specifically demonstrate that they have thought about this risk and have controls in place. Providers who answer vaguely or redirect to general security statements may not have adequate controls against the specific threat.
The Trust Your Employees Place in IT Is Being Exploited
Social engineering attacks that target employees with rogue RMM installation requests succeed because employees are trained to be helpful to IT and to trust requests that look like IT support. The attack exploits a legitimate organizational behavior. Business leaders should understand that employee security awareness training needs to specifically address this attack pattern. Employees who know that legitimate IT providers never cold-call asking to install remote access software, and who know that they should verify unexpected IT requests through a known phone number before complying, are significantly more resistant to the social engineering component of these attacks.
Insurance and Compliance Exposure Is Real
Rogue RMM compromise that leads to data exfiltration or system encryption creates the same regulatory and legal consequences as any other ransomware event. The fact that the attack used legitimate software tools does not affect HIPAA breach notification obligations, FFIEC reporting requirements, CMMC compliance implications, or SEC disclosure obligations. Business leaders in regulated industries should understand that rogue RMM is not a niche technical threat with limited business consequence. It is a primary ransomware delivery mechanism with the same downstream compliance, legal, and operational consequences as any other ransomware attack.
What Protection Looks Like
Protecting against rogue RMM attacks requires controls that specifically address this threat, not just general security hygiene.
Inventory and Authorize RMM Tools
Organizations should maintain an authoritative list of the remote access and management tools that are authorized for use in their environment. Any tool not on the authorized list that is detected on organizational systems should trigger immediate investigation. This requires active enforcement: security tools configured to alert on the execution of RMM software not on the authorized list, endpoint management policies that prevent installation of unauthorized applications, and regular audits of installed software across all organizational systems.
Monitor for RMM Traffic Patterns
Network monitoring that identifies RMM traffic to destinations not associated with your authorized provider’s infrastructure can detect rogue RMM communication even when the software itself is not immediately detected on endpoints. RMM software communicates with management servers operated by the RMM platform vendor or, in the case of self-hosted RMM, with the provider’s own infrastructure. Traffic to RMM-associated destinations that are not your provider’s platform is an anomaly that warrants investigation. Managed security services with continuous network monitoring provide the ongoing traffic analysis that identifies these anomalies before they become confirmed compromises.
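The two checks described above (an authorized-tool inventory audit and a review of RMM-associated network destinations) as an added example, not code from the article or from Mindcore. The RMM product names come from the article; the inventory export, the firewall log lines, the destination-suffix mapping and the provider host rmm.provider.example are constructed placeholders that a real deployment would replace with its own inventory, logs and vendor-documented endpoints.

```python
"""Flag unauthorized RMM installs and RMM traffic to destinations outside the allowlist."""
import re
from typing import Iterable, List, Optional, Tuple

# RMM products named in the article, as they might appear in a software inventory export.
RMM_PRODUCTS = ("ConnectWise Control", "ScreenConnect", "AnyDesk",
                "TeamViewer", "Atera", "NinjaRMM")

# Constructed placeholder mapping of destination-host suffixes to the RMM platform they
# belong to. A leading dot means "any host under this suffix"; no dot means exact match.
RMM_DESTINATION_SUFFIXES = {
    ".anydesk-relay.example": "AnyDesk",
    ".teamviewer-router.example": "TeamViewer",
    ".screenconnect-cloud.example": "ScreenConnect",
    "rmm.provider.example": "NinjaRMM",  # your provider's own management host (placeholder)
}

# Authorization policy (constructed): the single RMM product your provider uses and the
# exact management hosts its agent is allowed to contact.
AUTHORIZED_PRODUCTS = {"NinjaRMM"}
AUTHORIZED_DESTINATIONS = {"rmm.provider.example"}

# Constructed firewall/proxy log format: "... host=<name> dst=<fqdn> port=<n> ..."
LOG_RE = re.compile(r"host=(?P<host>\S+)\s+dst=(?P<dst>\S+)\s+port=(?P<port>\d+)")

SAMPLE_INVENTORY = [  # constructed inventory export: (hostname, installed product)
    ("FIN-WS-07", "NinjaRMM Agent"),
    ("FIN-WS-07", "Microsoft 365 Apps"),
    ("HR-WS-12", "AnyDesk"),
    ("SRV-FILE-01", "ScreenConnect Client"),
]

SAMPLE_LOGS = [  # constructed log lines
    "2026-02-10T09:14:03Z host=FIN-WS-07 dst=rmm.provider.example port=443 bytes=48211",
    "2026-02-10T09:14:09Z host=HR-WS-12 dst=relay7.anydesk-relay.example port=443 bytes=9120",
    "2026-02-10T09:15:30Z host=SRV-FILE-01 dst=instance-a1b2.screenconnect-cloud.example port=8041 bytes=2201",
    "2026-02-10T09:16:00Z host=FIN-WS-07 dst=updates.vendor.example port=443 bytes=120033",
]


def rmm_product(name: str) -> Optional[str]:
    """Map an installed-software or process name to a known RMM product (case/space-insensitive)."""
    squashed = name.lower().replace(" ", "")
    for product in RMM_PRODUCTS:
        if product.lower().replace(" ", "") in squashed:
            return product
    return None


def audit_inventory(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, product) for every RMM product installed that is not on the authorized list."""
    return [(host, p) for host, installed in inventory
            if (p := rmm_product(installed)) and p not in AUTHORIZED_PRODUCTS]


def rmm_destination(dst: str) -> Optional[str]:
    """Return the RMM platform a destination host is associated with, if any."""
    dst = dst.lower().rstrip(".")
    for suffix, product in RMM_DESTINATION_SUFFIXES.items():
        if dst == suffix or (suffix.startswith(".") and dst.endswith(suffix)):
            return product
    return None


def audit_traffic(log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (host, dst, product) for RMM-associated destinations that are not your provider's."""
    findings = []
    for m in filter(None, map(LOG_RE.search, log_lines)):
        product = rmm_destination(m["dst"])
        if product and m["dst"].lower() not in AUTHORIZED_DESTINATIONS:
            findings.append((m["host"], m["dst"], product))
    return findings


if __name__ == "__main__":
    print("Unauthorized RMM installs:", audit_inventory(SAMPLE_INVENTORY))
    print("RMM traffic outside allowlist:", audit_traffic(SAMPLE_LOGS))
```

Both audits flag the same two hosts in the sample data, which is the kind of corroboration between endpoint inventory and network telemetry that turns an anomaly into an investigation.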
Require Verification for Remote Access Requests
Employees should be trained and procedures should be established requiring verification of unexpected remote access requests through a known, trusted contact mechanism before complying. If someone calls claiming to be IT support and requests installation of remote access software, the employee should hang up and call the IT department at a known number before proceeding. This procedure should be documented, trained, and reinforced because it directly addresses the social engineering pathway for rogue RMM installation.
Assess Your Managed IT Provider’s Supply Chain Security
For organizations using managed IT providers, the provider’s security posture is a component of the organization’s security posture. Due diligence on your managed IT provider should include assessment of their RMM platform security: what multi-factor authentication protects their management credentials, how they detect unauthorized access to their platform, and what their incident response capability looks like if their platform is compromised. Providers who cannot answer these questions specifically, or who resist the assessment, represent supply chain risk that organizational security controls cannot fully compensate for.
Deploy Endpoint Detection With RMM-Specific Detection Capability
Endpoint detection and response tools specifically configured to detect unauthorized RMM tool installation provide the endpoint-level detection component of rogue RMM defense. EDR tools from established vendors include detection rules for known RMM tools used in attacker operations. The limitation is that attackers adapt: they use new tools, modified tools, and tools not yet in detection databases. Defense in depth that combines endpoint detection with network monitoring and employee verification procedures provides more complete coverage than any single control. A structured IT risk assessment that includes an audit of authorized RMM tools and a review of endpoint detection coverage gives organizations the baseline they need to identify where rogue RMM defenses are strongest and where gaps remain.
Meet Our CEO, Matt Rosenthal
With more than 30 years of experience in business and technology leadership, Matt Rosenthal has guided organizations across healthcare, finance, legal, manufacturing, and defense through the evolving threat landscape including the increasing use of legitimate tools as attack vectors. As President and CEO of Mindcore Technologies, Matt leads a team that provides managed IT services and cybersecurity services designed around the actual threat environment that organizations face in 2026, including the specific risks that rogue RMM attacks create.
Matt’s approach to this threat is grounded in the recognition that attackers who use legitimate tools require defenses that go beyond signature-based detection. Behavioral monitoring, authorized tool inventories, and employee verification procedures address the threat where signature-based controls cannot.
Frequently Asked Questions
How do we know if rogue RMM software is already installed on our systems?
Detecting existing rogue RMM installations requires a combination of endpoint software inventory review, network traffic analysis, and in some cases forensic investigation. A software inventory audit comparing installed applications against an authorized list will identify most unauthorized RMM tools. Network traffic analysis looking for communications to known RMM platform domains or unexpected remote access destinations can identify rogue RMM communication even when the software evades endpoint detection. If your organization has reason to suspect a compromise, professional forensic investigation is the appropriate next step.
Are there specific RMM tools that attackers prefer?
Attackers use many different RMM tools in their operations. CISA and security researchers have specifically documented attacks using AnyDesk, TeamViewer, ScreenConnect, Atera, and others. The choice of tool often reflects what is easiest to deploy in a given scenario rather than specific capability preferences. Any legitimate RMM tool can potentially be used as a rogue tool by an attacker who has access to it.
Does having a managed IT provider increase or decrease rogue RMM risk?
A well-secured managed IT provider relationship with a provider who has strong RMM platform security decreases overall security risk because the provider’s monitoring and response capability provides protection beyond what most organizations can build internally. A managed IT provider with poor RMM platform security increases rogue RMM risk because the provider’s compromised infrastructure becomes an attack pathway to your environment. The answer depends entirely on the specific security posture of the provider.
How do we verify that remote access requests from our IT provider are legitimate?
Establish a verification procedure with your provider: define what information your provider will always provide when initiating a remote session, what they will never ask employees to do without prior coordination, and what channel employees should use to verify unexpected requests. Most legitimate providers are supportive of verification procedures because it protects both the client and the provider from social engineering attacks that impersonate the provider.
Is this threat relevant to small businesses or primarily to large enterprises?
Rogue RMM attacks target organizations across all sizes. Small businesses are targeted both directly through social engineering and indirectly through managed IT providers who serve small business clients. Some attacker campaigns specifically target small businesses through their managed IT providers because small business clients are often less security-aware and because MSPs serving small businesses may have less mature security programs than enterprise-focused providers. Small business exposure to this threat is real and should not be dismissed as an enterprise concern only.
Address the Threat That Uses Your IT Infrastructure Against You
Rogue RMM attacks are effective because they exploit the trust and access that legitimate IT infrastructure requires. Defending against them requires understanding where that trust is being exploited and implementing specific controls at each exploitation point: employee verification procedures for social engineering, authorized tool inventories and monitoring for unauthorized installation, supply chain security assessment for provider-side compromise, and behavioral monitoring for the traffic patterns rogue RMM produces.
The organizations that address this threat specifically are significantly more resilient than those that rely on general security hygiene that was not designed with legitimate-tool-as-attack-vector in mind.
Mindcore’s managed IT services and cybersecurity services help organizations across healthcare, finance, legal, manufacturing, and defense assess and address the specific risks that rogue RMM attacks create. Contact Mindcore to assess your current exposure and implement the specific protections this threat requires.