2026-05-04 Dark Reading

RMM Tools Exploited in Stealthy Phishing Campaign Targeting 80+ Orgs

Phishing, Malware, Threat Intel

Security researchers at Volexity have uncovered a sophisticated phishing campaign leveraging legitimate remote monitoring and management (RMM) tools to maintain persistent access while evading traditional security controls. The operation, dubbed 'SilentCloud' by investigators, has successfully breached more than 80 organizations across healthcare, finance, and critical infrastructure sectors. The threat actors utilize commercial RMM platforms including ConnectWise Control and ScreenConnect to establish covert command-and-control channels that blend with legitimate administrative traffic.

The attack chain begins with highly targeted spear-phishing emails containing malicious links that redirect victims to compromised SharePoint sites. Once a user clicks the link, the attackers deploy the RMM agents under the guise of required software updates or security patches. According to Volexity's technical analysis published in Dark Reading, the malware operators use PowerShell scripts to execute memory-resident payloads that avoid writing suspicious files to disk, making detection significantly more challenging for endpoint protection solutions.

The campaign demonstrates advanced operational security tradecraft, as the threat actors rotate command-and-control infrastructure weekly and utilize residential proxy networks to mask their true geographic location. Affected organizations have reported unauthorized access to email accounts, customer databases, and financial systems. Security teams are advised to monitor for unusual RMM software installations, implement application whitelisting, and audit legitimate remote access tools deployed across their environments. Indicators of compromise including specific PowerShell obfuscation patterns and anomalous outbound connections to port 8043 have been shared through ISACs for community defense.
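As an added example (not from Volexity or Dark Reading), the two monitoring steps above can be combined into one triage pass: flag hosts running an RMM agent outside the approved inventory, and raise severity when the same host also connects outbound to port 8043. The event field names, marker substrings, approved-host list, hostnames and IP addresses are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Assumption: substrings that identify RMM agent binaries in process paths.
RMM_MARKERS = ("screenconnect", "connectwise")
# Assumption: hosts where IT has sanctioned an RMM agent.
APPROVED_RMM_HOSTS = {"helpdesk-01"}
# Outbound port named in the article's shared indicators.
SUSPECT_PORT = 8043

# Constructed sample telemetry (JSON lines); the schema is hypothetical.
# The last line is deliberately truncated to exercise error handling.
SAMPLE_EVENTS = r"""
{"type": "process_start", "host": "helpdesk-01", "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"}
{"type": "net_connect", "host": "helpdesk-01", "dest_ip": "198.51.100.20", "dest_port": 443}
{"type": "process_start", "host": "fin-ws-07", "image": "C:\\Users\\jdoe\\Downloads\\SecurityUpdate\\ScreenConnect.ClientService.exe"}
{"type": "net_connect", "host": "fin-ws-07", "dest_ip": "203.0.113.10", "dest_port": 8043}
{"type": "net_connect", "host": "hr-ws-02", "dest_ip": "203.0.113.10", "dest_port": 8043}
{"type": "net_connect", "host": "hr-ws-02", "dest_
"""

def triage(text, approved=APPROVED_RMM_HOSTS):
    """Return {host: {"severity", "reasons"}} for hosts matching either signal."""
    reasons = defaultdict(set)
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            host = ev["host"].lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # blank, truncated, or malformed record: skip it
        kind = ev.get("type")
        if kind == "process_start":
            image = str(ev.get("image", "")).lower()
            # Signal 1: RMM agent running on a host outside the inventory.
            if host not in approved and any(m in image for m in RMM_MARKERS):
                reasons[host].add("unapproved_rmm")
        elif kind == "net_connect" and ev.get("dest_port") == SUSPECT_PORT:
            # Signal 2: outbound connection to the port from the shared IoCs.
            reasons[host].add("port_8043")
    # Both signals on one host is the strongest lead; one alone needs review.
    return {h: {"severity": "high" if len(r) == 2 else "medium",
                "reasons": sorted(r)} for h, r in reasons.items()}

if __name__ == "__main__":
    for host, finding in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, finding["severity"], ",".join(finding["reasons"]))
```

A port match on its own is a weak signal, so the approved-host inventory is what keeps sanctioned RMM deployments out of the results.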

Source: Dark Reading
