How Threat Actors Abuse Remote Management Software for Initial Access
ID: 26b20ed5-e12d-581a-8e8d-a79e068d5c75
STIX ID: report--26b20ed5-e12d-581a-8e8d-a79e068d5c75
Feed Name: Huntress Blog
This report details widespread, active abuse of legitimate RMM and deployment tooling—particularly daisy-chaining RMMs like ScreenConnect via MSI installers and phishing lures—to establish persistent remote access, harvest credentials, and exfiltrate sensitive data; it includes observed operational workflows, hosted phishing infrastructure on GitHub, sample IOCs (hashes, filenames, IPs), and recommendations to treat RMM deployments as security-relevant events.
