Threat Actors Weaponize Tiflux RMMs in Malspam Attacks
ID: c756a282-9e4a-5fe1-b8af-f4f727318ed2
STIX ID: report--c756a282-9e4a-5fe1-b8af-f4f727318ed2
Feed Name: Huntress Blog
Huntress observed an uptick in incidents in which threat actors distributed a Tiflux RMM installer through malspam and fake document lures. Once run, the installer deploys or stages additional remote-access tools (UltraVNC, Splashtop, ScreenConnect), ships outdated and suspicious components (including a vulnerable HwRwDrv.sys driver and hardcoded credentials), modifies registry settings to suppress notifications and establish persistence, and transmits screenshots and system-profiling data to the operators. The report includes file hashes, domains, and IP addresses as indicators for detection.
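As an added example (not code from the Huntress report, and not a Tiflux or Huntress tool), the following Python script turns the behaviours summarised above into three triage rules and runs them over a handful of constructed Sysmon-style events: a remote-access tool launched by a parent running from a user-writable directory, the HwRwDrv.sys driver being loaded, and a registry write made by such a process. The installer filename TifluxInstaller.exe, the PIDs, the paths and the registry key in the sample are assumptions for illustration only; the real indicators (hashes, domains, IPs) are in the report itself.

```python
# Added example, not from the Huntress report. Triage rules for the
# tradecraft in the summary, run over CONSTRUCTED Sysmon-style events
# (Event ID 1 = process create, 6 = driver load, 13 = registry value set).
import ntpath

# Remote-access tools the report says the installer stages; matched as
# lowercase substrings of the full image path.
RMM_MARKERS = ("vnc", "splashtop", "screenconnect")
# Vulnerable driver named in the report.
SUSPICIOUS_DRIVERS = {"hwrwdrv.sys"}
# Directories an ordinary (phished) user can write to. An installer or RMM
# parent running from here instead of Program Files is the key signal.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def from_user_writable(path):
    """True if the path sits under a directory an ordinary user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_rmm(image):
    """True if the image path looks like one of the staged RMM tools."""
    return any(marker in image.lower() for marker in RMM_MARKERS)


def triage(events):
    """Return a list of findings (dicts with a 'rule' key) for the events."""
    suspicious_pids = set()  # parents seen spawning RMM tools
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and is_rmm(ev["Image"]) and from_user_writable(ev["ParentImage"]):
            suspicious_pids.add(ev["ParentProcessId"])
            findings.append({"rule": "rmm_launched_by_user_writable_parent",
                             "pid": ev["ProcessId"], "parent": ev["ParentImage"]})
        elif eid == 6 and ntpath.basename(ev["ImageLoaded"]).lower() in SUSPICIOUS_DRIVERS:
            findings.append({"rule": "vulnerable_driver_loaded",
                             "driver": ev["ImageLoaded"]})
        elif eid == 13 and (ev["ProcessId"] in suspicious_pids
                            or from_user_writable(ev["Image"])):
            findings.append({"rule": "registry_write_by_suspicious_process",
                             "pid": ev["ProcessId"], "key": ev["TargetObject"]})
    return findings


# CONSTRUCTED sample events. Filenames, PIDs, paths and the registry key are
# assumptions for illustration, not indicators from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1200, "ParentProcessId": 900,
     "Image": "C:\\Users\\alice\\Downloads\\TifluxInstaller.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 13, "ProcessId": 1200,
     "Image": "C:\\Users\\alice\\Downloads\\TifluxInstaller.exe",
     "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\ExampleVendor\\ShowNotifications"},
    {"EventID": 1, "ProcessId": 1300, "ParentProcessId": 1200,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\UltraVNC\\winvnc.exe",
     "ParentImage": "C:\\Users\\alice\\Downloads\\TifluxInstaller.exe"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\HwRwDrv.sys"},
    # Benign control: a properly installed Splashtop service started by SCM.
    {"EventID": 1, "ProcessId": 1400, "ParentProcessId": 700,
     "Image": "C:\\Program Files\\Splashtop\\SRService.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

In production the event dicts would come from the Sysmon operational log (for example via Get-WinEvent or a SIEM export) rather than the inline list; the benign Splashtop entry is included to show that the rules key on where the parent runs from, not on the RMM product name alone, since all three tools are legitimate software.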
