Wednesday 24 September 15:00 - 15:30, Red room
Selena Larson & Ole Villadsen (Proofpoint)
Cybercriminals are increasingly using legitimate remote access software as an initial access method to deliver malware. Historically, threat actors delivering malware, including ransomware, used remote access software and remote monitoring and management (RMM) tools as part of an overall attack chain, typically once a host was already compromised. Now, tools like ScreenConnect, Atera and Bluetrait are often observed as the first step in an attack chain, delivered directly via phishing emails.
In this presentation we will discuss:
Overall, this behaviour shift is notable. Proofpoint has observed multiple ecrime threat actors adopting RMMs in addition to, or instead of, their typical remote access trojans (RATs). Since mid-2024, threat actors have been using RMMs exponentially more than previously. They are also using a much wider variety of legitimate software and services, with our researchers now regularly observing at least 10 different RMM tools in email campaigns, up from just two to three from 2022 through mid-2024.
The increased use of RMM tooling also aligns with a decrease in prominent loader and botnet malware most often used by initial access brokers facilitating ransomware attacks. This is in part due to global law enforcement actions like Operation Endgame, which disrupted major malware infrastructure and imposed cost on multiple cybercriminal operations. While the IAB actors tracked by our researchers have not necessarily pivoted to RMM delivery via email, it is interesting to note the drastic shift in the landscape throughout 2024, and the increase in new and different tooling following the disruption of major botnets and loaders.
This shift offers adversaries some benefits. Using RMMs often allows them to bypass security protections that block known malware. It also may reduce user suspicion when users are directed to install something they recognise as "real". While this poses some challenges for defenders and enterprises, there are multiple best practices when it comes to hunting, detecting, and blocking execution of RMMs.
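As an added example of the kind of hunting logic the abstract alludes to (this is not code from the talk or from Proofpoint): a short Python script that walks process-creation events, flags executions of RMM binaries that are not on the organisation's sanctioned list, and raises the severity when the binary was launched from a mail client or browser, or from a user-writable path such as Temp or Downloads. The tool-name substrings (especially for Bluetrait), the parent-process list and the sample events are assumptions constructed for illustration, not telemetry from the research.

```python
import json

# Case-insensitive substrings that identify the RMM tools named in the
# abstract. The ScreenConnect and Atera service names are well known;
# "bluetrait" as a bare substring is an assumption, since agent binary
# names vary by version and vendor packaging.
RMM_KEYWORDS = {
    "screenconnect": ("screenconnect.clientservice", "screenconnect.windowsclient", "screenconnect"),
    "atera": ("ateraagent", "atera"),
    "bluetrait": ("bluetrait",),
}

# Parent processes that suggest a user launched the file from mail or a
# browser download rather than from an admin deployment tool.
USER_FACING_PARENTS = {"outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Path fragments typical of user-writable staging locations on Windows.
USER_WRITABLE_HINTS = ("\\temp\\", "\\downloads\\", "\\appdata\\")


def identify_rmm(image_path):
    """Return the RMM family whose keyword matches the image file name, or None."""
    name = image_path.lower().rsplit("\\", 1)[-1]
    for family, keywords in RMM_KEYWORDS.items():
        if any(k in name for k in keywords):
            return family
    return None


def score_event(event, sanctioned):
    """Return an alert dict for an unsanctioned RMM execution, else None.

    Severity is 'medium' for any unsanctioned RMM and 'high' when the
    launch context also looks like phishing delivery (user-facing parent
    process or user-writable image path)."""
    family = identify_rmm(event["image"])
    if family is None or family in sanctioned:
        return None
    reasons = [f"unsanctioned RMM: {family}"]
    if event["parent"].lower() in USER_FACING_PARENTS:
        reasons.append(f"spawned by user-facing app: {event['parent']}")
    if any(h in event["image"].lower() for h in USER_WRITABLE_HINTS):
        reasons.append("image in user-writable path")
    severity = "high" if len(reasons) > 1 else "medium"
    return {"host": event["host"], "user": event["user"], "family": family,
            "severity": severity, "reasons": reasons}


def hunt(events, sanctioned):
    """Run score_event over a batch of events and keep only the alerts."""
    return [a for a in (score_event(e, sanctioned) for e in events) if a]


# Constructed process-creation events (Sysmon-style fields, simplified).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe",
     "image": "C:\\Program Files\\AteraAgent\\AteraAgent.exe"},
    {"host": "ws02", "user": "bob", "parent": "outlook.exe",
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe"},
    {"host": "ws03", "user": "carol", "parent": "chrome.exe",
     "image": "C:\\Users\\carol\\Downloads\\bluetrait-agent-setup.exe"},
    {"host": "ws04", "user": "dave", "parent": "explorer.exe",
     "image": "C:\\Windows\\notepad.exe"},
]

# The one RMM this (hypothetical) organisation has actually deployed.
SANCTIONED_RMM = {"atera"}

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS, SANCTIONED_RMM):
        print(json.dumps(alert))
```

The sanctioned set is the key control: an RMM that IT really uses is legitimate software, so name-based blocking alone would break administration. Maintaining an explicit allowlist and treating everything else as suspect, with launch context deciding priority, is what makes the approach workable in practice.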
We will cover the dynamic shifts in the cybercrime threat landscape, how attack delivery has changed, the new risks posed to enterprises, and what we can do to combat these new techniques.
Selena Larson is a staff threat researcher at Proofpoint on the Threat Research team. She collaborates with fellow researchers to identify and investigate advanced threats and develop actionable threat intelligence. Selena is also the co-host of two podcasts, 'Only Malware in the Building' and 'DISCARDED', featuring unique research and insights from individuals in the infosec industry. Previously, she was a cyber threat analyst for the industrial cybersecurity firm Dragos, and a cybersecurity and privacy journalist.
Ole Villadsen is a staff threat researcher at Proofpoint, where he is a member of the Threat Research Team specializing in the investigation and analysis of cybercrime threats. Prior to joining Proofpoint, Ole spent over six years as a senior analyst at IBM X-Force Threat Intelligence. His career started as an intelligence officer in the U.S. Navy, and he later held roles within the U.S. government and academia before transitioning to IBM. Ole also holds advanced degrees in national security studies and information science.