RMM
Software category enabling MSPs to remotely manage and monitor client systems.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for RMM
KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief
Cybersecurity: Threats and Defences
- What is RMM software used for?
- RMM (Remote Monitoring and Management) software is used by IT teams and managed service providers to remotely access, monitor, patch, and administer computers and servers across a business network without being physically present.
- How do hackers exploit RMM tools?
- Attackers exploit unpatched RMM vulnerabilities to gain persistent high-privilege access, then use the tool's legitimate remote-execution capabilities to move laterally, deploy ransomware, or exfiltrate data — bypassing security tools that trust the RMM agent.
Background
Remote Monitoring and Management (RMM) platforms are software tools used primarily by Managed Service Providers (MSPs) and enterprise IT teams to remotely access, monitor, patch, and administer endpoints across a client base. Core capabilities include remote desktop access, scripted task execution, patch management, antivirus deployment, and alerting on system health metrics. Because RMM agents run with high-privilege persistent access on every enrolled device, they are an attractive target for threat actors seeking to move laterally or deploy payloads at scale without writing custom malware. Leading RMM platforms include ConnectWise ScreenConnect, Kaseya VSA, Atera, N-able N-sight, NinjaRMM, and SimpleHelp.
RMM abuse has been a recurring theme in ransomware and nation-state intrusions since at least 2021. CISA and NSA issued a joint advisory in 2023 warning that malicious actors were exploiting RMM software to bypass traditional security controls, noting that attackers could use legitimate RMM functionality to persist on systems, execute commands, and exfiltrate data without triggering alerts tuned for malware binaries.
In U#3, the DragonForce ransomware group was confirmed to have used SimpleHelp RMM as the initial access vector for its attacks, likely exploiting the CVE-2025-25629 / CVE-2025-25628 vulnerabilities patched in January 2025. The NHS Digital alert CC-4623 specifically flagged SimpleHelp-related activity. This follows the pattern of RMM platforms being used as living-off-the-land infrastructure: once inside via a vulnerable or credential-stolen RMM agent, the attacker has legitimate tooling that enterprise defences are configured to trust.
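Because alerts tuned for malware binaries will not fire on a trusted RMM agent, one defensive check is to compare the RMM tooling actually running against what the organisation has sanctioned. The sketch below is an added example, not code from this page or from any vendor. The path patterns, the approved product and install root, and the sample events are all assumptions constructed for illustration.

```python
import re

# Path substrings for the RMM products named on this page. Assumed patterns for
# illustration; derive the real list from your own software inventory.
RMM_PATTERNS = {
    "ConnectWise ScreenConnect": r"screenconnect",
    "Kaseya VSA": r"kaseya",
    "Atera": r"ateraagent",
    "N-able N-sight": r"n-able",
    "NinjaRMM": r"ninjarmm",
    "SimpleHelp": r"simplehelp",
}
# Assumption: the organisation sanctions one RMM, installed under one root.
APPROVED = {"NinjaRMM": "c:\\program files\\"}

def identify_rmm(image_path):
    """Return the RMM product whose pattern matches the image path, else None."""
    lowered = image_path.lower()
    for product, pattern in RMM_PATTERNS.items():
        if re.search(pattern, lowered):
            return product
    return None

def find_rmm_anomalies(events, approved=APPROVED):
    """Return one finding per (host, product, reason), keeping the first sighting."""
    seen, findings = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        product = identify_rmm(ev["image"])
        if product is None:
            continue
        if product not in approved:
            reason = "unapproved_product"
        elif not ev["image"].lower().startswith(approved[product]):
            reason = "unexpected_path"  # approved name, wrong install location
        else:
            continue
        key = (ev["host"], product, reason)
        if key not in seen:
            seen.add(key)
            findings.append({"host": ev["host"], "product": product,
                             "reason": reason, "first_seen": ev["time"]})
    return findings

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2025-05-01T08:00:12Z", "host": "ws-014", "image": r"C:\Program Files\NinjaRMMAgent\NinjaRMMAgent.exe"},
    {"time": "2025-05-01T09:41:55Z", "host": "srv-db2", "image": r"C:\ProgramData\SimpleHelp\Remote Access.exe"},
    {"time": "2025-05-01T09:47:03Z", "host": "srv-db2", "image": r"C:\ProgramData\SimpleHelp\Remote Access.exe"},
    {"time": "2025-05-01T10:15:30Z", "host": "ws-022", "image": r"C:\Users\Public\NinjaRMMAgent.exe"},
    {"time": "2025-05-01T10:20:00Z", "host": "ws-022", "image": r"C:\Windows\System32\svchost.exe"},
]
```

Path matching alone is easy to evade by renaming a binary, so in practice this check would be paired with signer or hash data from the same telemetry.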