
Hackers Ramp Up Abuse of ScreenConnect, Other RMM Tools: Barracuda


Threat actors continue to abuse ScreenConnect and other popular remote monitoring and management (RMM) tools that are widely used by security teams as well as MSSPs and MSPs, targeting organizations running outdated or unpatched versions of the software.

Threat researchers with Barracuda Networks wrote in their December SOC Threat Radar that they’ve detected a jump in bad actors’ targeting of ScreenConnect deployments. ScreenConnect is remote access software that allows IT professionals, MSSPs, MSPs, and others to remotely control systems and devices for troubleshooting, support, management, and other tasks.

It also lets users view screens, run scripts, transfer files, and resolve issues remotely while also delivering security features like encryption and audit trails. It’s a sneaky way to get into users’ systems, the researchers wrote this month.

“ScreenConnect is a trusted and popular remote device management tool used by many organizations and their managed service providers,” wrote Laila Mubashar, cybersecurity analyst with Barracuda. “As a result, the detection of ScreenConnect does not immediately arouse suspicion.”

The “rise in the suspicious use of ScreenConnect ... includes attackers attempting to connect endpoints to targets’ ScreenConnect deployments, and attackers deploying ScreenConnect themselves to control hosts remotely,” Mubashar wrote.

Exploiting Vulnerabilities

ScreenConnect became a big story last year when security flaws – including vulnerabilities that let bad actors bypass authentication measures and directly access systems or confidential information, or execute remote code – were detected in the software and were being exploited by attackers. More recently, ConnectWise in April disclosed another vulnerability – tracked as CVE-2025-3935 – that could allow an attacker to execute arbitrary code on a server.

The company, which provides an IT management platform to MSPs, MSSPs, and others, released a fix for the vulnerability the same month. However, not all vulnerable systems were patched, which isn’t an unusual occurrence for users of ScreenConnect or most other software, according to Eric Russo, director of SOC (security operations center) defensive security at Barracuda.

“We are still seeing many organizations running outdated [and] affected versions of these tools,” Russo told MSSP Alert. “Unfortunately, this is becoming more common as IT teams sometimes can struggle to keep up with ‘tool sprawl.’ IT teams do their best to manage the hundreds of different software and hardware components being used across their organization, but with the frequency at which CVEs are published lately, it can be difficult if you don't have a proper solution in place.”

Common Tactics

In the case of ScreenConnect, hackers are using common tactics as a core component in their attacks, Russo said. Those include using compromised accounts with admin privileges or supplying their own licensed deployments of RMM tools.

Researchers at other security firms have also been monitoring the rise of threat actors abusing RMM tools. Earlier this year, analysts with Proofpoint wrote that they saw a significant jump in the use of RMM tools in campaigns, particularly those delivered through emails as the first step in attacks.

“The use of RMMs as a first-stage payload delivered directly via email was not as common as other malware delivery in Proofpoint campaign data prior to 2024, with most of such campaigns since 2022 delivering NetSupport,” the Proofpoint analysts wrote in their report at the time. “However, the presence of RMMs in campaign data began increasing in mid-2024, with ScreenConnect in particular appearing much more frequently.”

That’s continuing as 2025 comes to a close, Barracuda’s Russo said, noting “threat intelligence reports confirming multiple threat groups have opted to exploit vulnerabilities in RMM tools including CVE-2025-3935. This can likely be attributed to the fact that organizations are aware that their RMM tools are major targets in the eyes of threat actors, so they are taking steps to secure them, such as strengthening access management.”

Exploitation Over Hijacking

Given that, bad actors could be more successful compromising an RMM instance by exploiting a known flaw rather than attempting to hijack an account, he added.

Organizations have a number of steps they can take to protect RMM instances, including enabling multifactor authentication, enforcing the principle of least privilege, and having a vulnerability management process.

“For defenders and security providers, focus needs to be put into detection methodologies specific to RMM abuse,” Russo said. “For instance, our SOC team at Barracuda XDR has developed a detection rule that leverages telemetry from endpoints to identify DNS requests from ScreenConnect to suspicious top-level domains (TLDs).”

Common TLDs that can be strong indicators of a compromise include .ru, .icu, and .xyz. If the SOC team detects ScreenConnect beaconing out to such domains, this may mean a threat actor has compromised the RMM instance, he said, adding that all of these steps are important. “RMM-based campaigns are very relevant, and from our experience, we observed an uptick of them throughout 2025,” Russo said. “Personally, I don't anticipate these types of campaigns will slow down anytime soon. Successfully compromising RMM gives threat actors a tremendous amount of power, while having the added benefit of reducing the risk of being detected compared to the usage of hacking tools.”

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
