RMM
-
Phishing campaign used RMM software to hit more than 80 organizations
A phishing campaign has targeted more than 80 organizations since at least April 2025, using legitimate remote monitoring tools to maintain access after victims opened fake Social Security Administration emails.
-
Phishing campaign leverages stolen credentials to deploy legitimate RMM for persistent access
Researchers reported a dual-wave phishing campaign that harvests Outlook, Yahoo and AOL credentials to register with LogMeIn and deploy LogMeIn Resolve via a signed executable named GreenVelopeCard.exe to maintain persistent remote access.
-
Proofpoint links new UNK_SmudgedSerpent cluster to targeted phishing of Iran experts
Proofpoint has identified a new threat cluster, UNK_SmudgedSerpent, that used political lures, impersonation and malicious installers to target academics and Iran policy experts between June and August 2025, deploying RMM tools including PDQ Connect and possibly ISL Online.
-
Cybercriminals use RMM tools to target trucking firms, steal freight: Proofpoint
Proofpoint researchers say cybercriminals are compromising trucking and logistics firms with legitimate remote monitoring and management tools to harvest credentials, gain persistent access and fraudulently bid on or divert real shipments, with food and beverage cargo a frequent target.
-
Qilin ransomware deployed Linux payload on Windows using BYOVD and legitimate IT tools, researchers say
Researchers report that the Qilin ransomware group has been highly active through 2025, using leaked credentials, credential-harvesting tools and legitimate remote-management software to deploy a Linux ransomware binary on Windows systems while employing BYOVD and targeting backup infrastructure.
-
Iran-linked MuddyWater used compromised email to deliver Phoenix backdoor to 100+ MENA government targets, Group-IB says
Group-IB says Iran-linked MuddyWater used a compromised mailbox accessed via NordVPN to phish MENA organisations, deploying weaponised Word documents that installed the Phoenix v4 backdoor across more than 100 government targets and hosting RMM tools and a browser credential stealer on its C2 infrastructure.
-
Phishing campaign lures LastPass and Bitwarden users to install remote-access tools
A phishing campaign impersonating LastPass and Bitwarden is distributing a binary that installs the Syncro RMM agent and deploys ScreenConnect for remote access, researchers reported; LastPass says it was not breached and users are advised to ignore unsolicited alerts and verify notices on official channels.
-
CISA Adds Two N-able N-central Vulnerabilities to KEV; MSP Patch Push Underway
U.S. authorities added two vulnerabilities in N-able N-central to the Known Exploited Vulnerabilities catalog, while noting no public exploitation has been reported. The flaws—CVE-2025-8875 (insecure deserialization) and CVE-2025-8876 (command injection)—require authentication and have been patched in N-central versions 2025.3.1 and 2024.6 HF2, with upgrades urged for on-premises deployments.
