Dive Brief:
- Abuse of remote monitoring and management platforms increased 277% year over year in 2025 to become the most prevalent category of cyber threats, a February Huntress study found.
- According to the cybersecurity firm’s 2026 Cyber Threat Report, RMM exploitation accounted for one-quarter of observed cyber incidents last year, up from 7% in 2024, with healthcare and technology sectors seeing a surge. The study was based on telemetry data across more than 230,000 Huntress customers.
- Huntress expects RMM abuse to outpace attacks using remote access trojans. “This is especially true where distributed or outsourced IT operations are part of the security stack,” Huntress wrote in the 96-page report. “Attackers have caught on that exploiting these trusted relationships gives them access to multiple victims simultaneously.”
Dive Insight:
Rather than using traditional hacking tools, threat actors have decided to leverage industry-standard tools as a unified control hub — to “live off the land,” in Huntress parlance.
Cybercriminals exploited specific RMM tools for specific purposes, the report found.
Huntress pointed to ConnectWise’s ScreenConnect as the most common campaign orchestration and personal data harvesting vector. Threat actors favored NetSupport and PDQ Connect for delivery and staging, and Atera and AnyDesk for executing ransomware operations. More than half of suspicious Atera instances involved ransomware.
When threat actors targeted RMMs, it was often to transfer payloads onto endpoints, run remote PowerShell sessions and move laterally through internal consoles.
MSP professionals have pointed to a key weakness in Atera: it only requires an email to verify a free trial.
“The frictionless trial approach is great for their sales metrics, but it essentially hands a weaponized, EDR-evading backdoor to every script kiddie and ransomware gang on the planet,” a member of the r/msp subreddit wrote.
RMM abuse muddies the waters for IT teams and service providers, who aren’t expecting hackers to use legitimate tools. The Huntress data suggests that cyberdefense teams should look beyond malware signatures and look for unusual patterns in RMM usage.
“Organizations must treat RMM telemetry as a high-confidence signal of potential compromise, especially when correlated with adjacent suspicious activity,” Huntress wrote.
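One way to act on that advice, as an added example that is not from Huntress or the article: flag RMM agents outside an approved list and escalate when an agent spawns PowerShell on the same host. The process names, the approved list and the events are assumptions constructed for illustration.

```python
from datetime import datetime
from ntpath import basename  # parses Windows paths on any OS

# Assumed process names for the RMM tools named in the article; confirm them
# against your own endpoint inventory.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "client32.exe": "NetSupport",
    "pdq-connect-agent.exe": "PDQ Connect",
    "ateraagent.exe": "Atera",
    "anydesk.exe": "AnyDesk",
}
SANCTIONED = {"ScreenConnect"}  # hypothetical: the only RMM this org approved
SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed process-creation events: (time, host, parent image, image)
EVENTS = [
    (datetime(2025, 6, 3, 9, 0), "ws-01", r"C:\Windows\System32\services.exe",
     r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"),
    (datetime(2025, 6, 3, 14, 2), "ws-07", r"C:\Windows\explorer.exe",
     r"C:\Users\pat\Downloads\AnyDesk.exe"),
    (datetime(2025, 6, 3, 14, 5), "ws-07", r"C:\Users\pat\Downloads\AnyDesk.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (datetime(2025, 6, 3, 15, 30), "ws-12", r"C:\Windows\System32\services.exe",
     r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"),
]

def rmm_tool(path):
    """Return the RMM product for an image path, or None."""
    return RMM_BINARIES.get(basename(path).lower())

def triage(events):
    """Map (host, tool) -> severity for RMM activity worth an analyst's time."""
    findings = {}
    for _ts, host, parent, image in sorted(events):
        tool = rmm_tool(image)
        if tool and tool not in SANCTIONED:
            findings.setdefault((host, tool), "medium")  # unapproved agent ran
        parent_tool = rmm_tool(parent)
        if parent_tool and basename(image).lower() in SHELLS:
            # RMM agent spawning PowerShell: severity depends on agent status
            sev = "low" if parent_tool in SANCTIONED else "high"
            findings[(host, parent_tool)] = sev
    return findings

if __name__ == "__main__":
    for (host, tool), sev in triage(EVENTS).items():
        print(f"{sev:6} {host} {tool}")
```

Process names alone are easy to evade by renaming a binary, so a production rule would also match on signer or file metadata from the endpoint agent.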