Introduction

Since November 2024, WithSecure has been tracking a slight uptick of targeted activities leveraging Remote Monitoring and Management (RMM) tools embedded within PDF documents. The activity primarily targets organizations in France and Luxembourg, using socially engineered emails to deliver a clean PDF containing an embedded link to an RMM installer, a simple but effective method of bypassing many email and malware defences. 

RMM tools, while legitimate in nature, have emerged as a popular initial access and persistence vector for threat actors. Their use enables attackers to gain access to the networks, disable security features, escalate privileges, and deploy subsequent malware using a “clean” and trusted tool. This tactic is neither new nor uncommon; notably, the Black Basta ransomware group has been observed impersonating IT support personnel to trick victims into installing RMM tools, which were then used to deliver ransomware.

The purpose of this blog is to highlight the risks posed by such tooling, and provide awareness and insights into the ongoing, trending activity with an emphasis of the evolution of the RMM tools used by threat actors.

Activity Overview

The activity observed and tracked by WithSecure since November 2024 represents a highly focused pattern, primarily targeting organizations in France and Luxembourg. The threat actors leverage carefully crafted PDFs tailored to the victim’s industry while also referencing the specific RMM tool being deployed. These PDFs are often disguised to look like invoices, contracts, or property listings to enhance credibility and lure victims into clicking the embedded link. For instance, one PDF used to target a real estate organization in the Netherlands was written in Dutch and included blurred images of properties. This design was intended to create the illusion of legitimate content that has been obscured, prompting the victim to install a program. In this case, the program was FleetDeck RMM. 

While the majority of observed activity has focused on France and Luxembourg, it has not been limited to these countries. Most cases have occurred within Europe, suggesting a regional targeting strategy. Moreover, the inclusion of Luxembourg as a primary target is particularly interesting. Despite its proportionately small population compared to other European countries, Luxembourg has one of the highest GDPs per capita globally, making it an appealing target for financially motivated threat actors. The activity appears to be prioritizing high-value sectors such as energy, government, banking, and construction industries, commonly targeted in cybercrime. This reinforces the idea that the threat actors are targeting organizations where a successful compromise could yield greater financial gain, rather than broad-scale distribution, which typically involves sending out high volumes of generic phishing emails in hope that a few recipients will take the bait. 

Although isolated activities have also been seen outside of Europe, the overall geographic pattern supports the likelihood of a Europe-based or Europe-focused threat actor, with a strong understanding of local language and business sectors.

Delivery Vector

The delivery mechanism used in these activities centers around PDF documents containing a single embedded direct download link to an RMM installer. These PDFs are typically distributed via social engineering emails, crafted to appear relevant to the victim’s industry or role. To enhance credibility, the threat actor either spoofs email addresses or registers lookalike domains. In many cases these emails impersonate real employees in significant roles from the spoofed organization, further increasing their authenticity. This combination of email spoofing and impersonation tactics significantly improves the success rate of the phishing email. 

The embedded links within the PDFs point directly to download URLs generated by the RMM vendors when the threat actor registers an account on the platform. These URLs are unique and may include information such as access key, which link the installer back to the attacker’s account. Since RMM tools are commonly used for legitimate IT support, this tactic allows the attackers to bypass email and antivirus scans, not only on the email attachment itself but also on the embedded URL and the downloaded executable. 

In more recent activities, a notable shift in delivery method has been the abuse of Zendesk as a distribution channel. Instead of relying solely on traditional phishing emails, the threat actor has submitted tickets or replies through Zendesk that include the malicious PDF. While the exact content of these tickets or replies remains unclear, analysis from VirusTotal indicates that the malicious PDFs were being downloaded from Zendesk hosted URLs. Although Zendesk scans attachments for malware, the embedded link within the PDF points to a clean, signed RMM installer hosted on a reputable domain, allowing them to evade detection. This shift likely reflects an effort to bypass email security controls by leveraging a trusted platform that is not typically associated with phishing delivery. 

RMM Tooling

WithSecure has observed the use of several different RMM tools across the tracked activity cluster. These include well-known solutions such as FleetDeck, Atera, and Bluetrait, among others. The selection of tools does not appear to be tailored to the victim’s industry or region. Instead, the common factor among these tools is their availability via direct download links and the fact that they do not require any further setup or configuration after installation. This enables threat actors to streamline the infection process. Once the victim clicks the embedded link and runs the installer, the RMM tool becomes immediately operational and often grants remote access without requiring further user interaction or authentication steps. A notable exception to this pattern is the use of ScreenConnect, which was delivered via a redirect URL embedded in the PDF rather than a direct download link. This may have been done to avoid exposing the RMM instance domain, which appears to be visible in direct download links based on VirusTotal searches. This approach could make it more difficult for defenders to attribute or track the activity.

While WithSecure began tracking this activity in November 2024, earlier instances of RMM usage have been observed in VirusTotal submissions dating back to July 2024.

File metadata

Metadata analysis of the PDFs used in this activity cluster reveals notable patterns that offer insight into the tooling used during PDF creation. WithSecure has identified seven distinct values in the author metadata field:

• Dennis Block
• Guillaume Vaugeois
• Alina Georgiana Mihalcea
• WorldStream Customer
• ALEXANDERS PARAIN
• DABA DABA
• COMPTA VDB

While these names do not appear to correspond to known threat actors, and no clear linkage has been established between them, their inconsistent and seemingly random nature suggests that they may be randomly assigned. This could reflect the use of varied tools to generate the phishing documents, or an intentional effort to diversify metadata in order to evade detections. 

Further metadata analysis, specifically the creator and producer fields, provides additional insight into the tools used to generate these PDFs. Several samples indicate the use of common document editing platforms, including:

• Microsoft Word
• Canva
• ILovePDF

These findings indicate the use of widely available tools in the document creation process, possibly to streamline production or obscure the origin of the files. 

Mitigation

To reduce exposure to this activity cluster, organizations should implement a combination of technical controls and user awareness measures. Blocking direct downloads of known RMM installers can prevent initial access, particularly when tools like FleetDeck, Atera, or ScreenConnect are not part of the approved IT stack. Furthermore, implementing application allowlisting can prevent unauthorized RMM tools from executing in the environment. Where possible, access to these installers and tools should be restricted unless explicitly required or approved by the IT or security team. 

In parallel, organizations should monitor for unauthorized RMM activity. Unusual process chains, such as a PDF opening a browser to download an RMM EXE or MSI file, should trigger alerts. Endpoint detection and response (EDR) solutions can help surface this behavior effectively. 

Finally, user training remains a critical defense. Employees should be made aware of phishing tactics involving fake invoices, contracts, or IT support requests that attempt to trick them into installing remote access software. 

Conclusion

The activity cluster observed by WithSecure highlights how legitimate tools, such as RMM software, continue to be repurposed for malicious use. By embedding direct download links within PDF documents and delivering them through social engineering techniques, threat actors can bypass traditional detection mechanisms and lower the barrier for initial compromise. 

Although no post-infection payloads have been observed, the use of RMM tools strongly suggests their role as an initial access vector, potentially enabling further malicious activity. Ransomware operators in particular have favoured this approach, with groups such as Black Basta, Conti, Royal, and BlackCat previously observed using RMM tools to establish initial access before deploying ransomware payloads.

This ongoing activity targeting France, Luxembourg, and surrounding regions underscores the importance of visibility into seemingly harmless tools, especially when delivered through unconventional vectors like embedded PDF links. Organizations should remain alert to the abuse of legitimate software and continue to harden their environments against socially engineered threats.

IOCS

Observed RMM Installer URLs

Observed PDF Delivery URLs via Zendesk

Observed Email and PDF Attachment Hashes

Observed PDF Hashes and Author Metadata