Recent industry reports have revealed a phishing campaign that abuses legitimate RMM and remote access tools to gain unauthorized access to victims’ systems. Splashtop was one of the tools installed by attackers in this campaign, but it is important to clarify that this was a case of misuse through social engineering, not a breach or vulnerability in Splashtop.
In this attack, the criminals trick recipients into installing RMM and remote access software themselves. Once installed, the software gives the attackers persistent remote access to the system and lets them operate as if they were authorized IT administrators. Because the agents are legitimate, digitally signed applications, their installation and network traffic often evade traditional malware detection and blend in with normal administrative activity.
This blog will explain how the attack works, why legitimate remote access tools are being targeted, and what you can do to prevent misuse in your environment.
How the Attack Works
This phishing campaign follows a clear sequence designed to trick recipients into installing legitimate remote access tools under attacker control.
1. Phishing Email Delivery
Attackers send emails that appear to come from trusted sources, such as Microsoft OneDrive file-sharing notifications. These messages are sent from compromised Microsoft 365 accounts, increasing their credibility.
2. Malicious File Hosting
The email link directs the target to a malicious MSI installer hosted on Discord’s content delivery network (CDN). Hosting the file on a widely used, reputable service helps it evade some security filters, since traffic to that domain is rarely blocked by URL filtering.
3. Installation of Legitimate RMM and Remote Access Tools
When executed, the installer silently deploys:
Splashtop Streamer
Atera Agent
Supporting components like .NET Runtime 8
Installing more than one tool gives the attacker redundant persistence: if one application is detected and removed, the other still provides access.
4. Remote Access and Control
With the tools in place, attackers can:
Access the system remotely
Move files or data
Execute commands as if they were authorized IT staff
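The chain in steps 1 to 4 can be spotted on endpoint telemetry by correlating an installer fetched from a file-sharing CDN with a Windows Installer success event for a known RMM product that IT never deployed, which is the approved-installation check described later in this post turned into a detection. The Python below is an added example written for this post, not Splashtop’s, Atera’s or the reporting vendor’s code. The log records, endpoint names, pipe-delimited record format and the approved-deployment set are constructed for illustration; the only real identifiers in it are the two product display names, the Discord CDN hostname and the MsiInstaller Event ID 11707 message format.

```python
"""Flag RMM agents installed outside approved deployments (added example).

Record format (constructed for this example): timestamp|endpoint|source|message
  source "proxy"              -> message is the URL the endpoint downloaded
  source "MsiInstaller:11707" -> message is the Windows Installer success text
"""
import re
from dataclasses import dataclass

# Display names of the agents installed in the campaign described above.
RMM_PRODUCTS = {"Splashtop Streamer", "Atera Agent"}

# Download hosts that should never be the origin of an installer on a managed
# endpoint. The Discord CDN is the one named in the campaign write-up.
WATCHED_DOWNLOAD_HOSTS = {"cdn.discordapp.com"}

# Real MsiInstaller Event ID 11707 message format:
# "Product: <name> -- Installation completed successfully."
MSI_11707 = re.compile(r"Product: (?P<product>.+?) -- Installation completed successfully\.")
MSI_URL = re.compile(r"^https?://(?P<host>[^/]+)/\S*\.msi(?:\?\S*)?$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    endpoint: str
    severity: str
    reason: str


def parse_record(line):
    """Split one constructed record into (timestamp, endpoint, source, message)."""
    ts, endpoint, source, message = line.rstrip("\n").split("|", 3)
    return ts, endpoint, source, message.strip()


def find_rmm_abuse(records, approved_deployments):
    """Return Findings for RMM installs not in approved_deployments.

    approved_deployments is a set of (endpoint, product) pairs that IT pushed
    through its endpoint-management tool. It is an allowlist: anything not in
    it is unapproved, so a new RMM product is caught without a rule change.
    """
    downloads = {}   # endpoint -> installer URLs fetched from watched hosts
    installed = {}   # endpoint -> every RMM product seen installing
    unapproved = {}  # endpoint -> RMM products installed without approval

    for line in records:
        _, endpoint, source, message = parse_record(line)
        if source == "proxy":
            m = MSI_URL.match(message)
            if m and m.group("host").lower() in WATCHED_DOWNLOAD_HOSTS:
                downloads.setdefault(endpoint, []).append(message)
        elif source == "MsiInstaller:11707":
            m = MSI_11707.search(message)
            if not m or m.group("product") not in RMM_PRODUCTS:
                continue  # not an RMM agent (e.g. the .NET runtime prerequisite)
            product = m.group("product")
            installed.setdefault(endpoint, set()).add(product)
            if (endpoint, product) not in approved_deployments:
                unapproved.setdefault(endpoint, set()).add(product)

    findings = []
    for endpoint, products in sorted(unapproved.items()):
        # An unapproved RMM install on an endpoint that also pulled an MSI from
        # a file-sharing CDN is the full chain from the write-up: critical.
        severity = "critical" if endpoint in downloads else "high"
        for product in sorted(products):
            findings.append(Finding(endpoint, severity,
                                    f"{product} installed outside approved deployment"))
        if len(installed[endpoint]) > 1:
            # Two agents on one host is the redundancy trick from step 3.
            findings.append(Finding(endpoint, "high",
                                    "multiple RMM agents on one endpoint: "
                                    + ", ".join(sorted(installed[endpoint]))))
    return findings


# Constructed telemetry: one compromised workstation, one IT-managed install,
# one unrelated MSI install. None of these are real hosts or real URLs.
SAMPLE_RECORDS = [
    "2024-01-01T09:00:00Z|WS-0142|proxy|https://cdn.discordapp.com/attachments/1234/5678/document.msi",
    "2024-01-01T09:00:41Z|WS-0142|MsiInstaller:11707|Product: Splashtop Streamer -- Installation completed successfully.",
    "2024-01-01T09:00:55Z|WS-0142|MsiInstaller:11707|Product: Atera Agent -- Installation completed successfully.",
    "2024-01-01T09:01:02Z|WS-0142|MsiInstaller:11707|Product: Microsoft .NET Runtime - 8.0.0 (x64) -- Installation completed successfully.",
    "2024-01-01T10:15:00Z|WS-0007|MsiInstaller:11707|Product: Splashtop Streamer -- Installation completed successfully.",
    "2024-01-01T11:30:00Z|WS-0031|MsiInstaller:11707|Product: 7-Zip 23.01 (x64 edition) -- Installation completed successfully.",
]
APPROVED_DEPLOYMENTS = {("WS-0007", "Splashtop Streamer")}

if __name__ == "__main__":
    for f in find_rmm_abuse(SAMPLE_RECORDS, APPROVED_DEPLOYMENTS):
        print(f"[{f.severity}] {f.endpoint}: {f.reason}")
```

On the constructed records this reports WS-0142 only: two critical findings (Atera Agent and Splashtop Streamer installed outside approved deployment, escalated because the host fetched an MSI from the Discord CDN minutes earlier) and one high finding for having two RMM agents on one endpoint. The IT-pushed install on WS-0007 is silent because it is in the allowlist, and the 7-Zip and .NET installs are ignored as non-RMM products. In a real deployment the approved set would come from the endpoint-management tool’s deployment records and the records from the SIEM rather than from literals.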
Why Attackers Use Legitimate Remote Access Tools
Remote access and RMM software are designed to help IT teams securely manage devices, remotely troubleshoot issues, and perform updates from anywhere. These same capabilities make them attractive to attackers when misused:
Blends into normal activity – The software is trusted and often already present in many environments, so its installation may not trigger immediate suspicion.
Bypasses traditional malware detection – Security tools may not flag legitimate, digitally signed applications the same way they would unknown executables.
Grants full system control – Once installed, these tools give the attacker the same level of access an authorized IT administrator would have through the same software.
Provides redundant persistence – Deploying more than one tool (as seen in this campaign) keeps access alive even if one agent is found and removed.
Not Caused By a Software Flaw
This type of misuse is not caused by a vulnerability in the software. Instead, it stems from successful social engineering. The attacker’s biggest weapon is convincing someone to install the tool for them, bypassing normal IT controls.
For the attack to work, several steps had to align:
A phishing email persuaded the target to click a malicious link.
The victim downloaded and ran a disguised installer.
The software was installed without IT approval.
The attacker connected to the newly installed software.
If any of these steps is blocked, the attack fails. That is why strong phishing defenses, installation controls, and account security measures are essential.
Preventing Abuse of Splashtop in Your Environment
While the software itself was not exploited in this campaign, organizations can take proactive steps to make it much harder for attackers to misuse legitimate software:
Restrict software installation to approved administrators through endpoint management policies.
Educate employees on how to spot phishing attempts, including suspicious file-sharing links.
Remind staff never to download or run installers from unexpected emails, even if they appear to come from internal sources.
Encourage quick reporting of any suspicious messages or unexpected remote access prompts.
Combining these measures ensures that even if a phishing email slips through, multiple safeguards stand in the way of an attacker gaining access.
How Splashtop Helps Safeguard Access
Splashtop includes built-in security features designed to give organizations control over who can connect, from where, and under what conditions. When properly configured, these capabilities make it far more difficult for attackers to misuse the platform.
Key security features include:
Multifactor authentication (MFA) to verify user identity before granting access.
Single sign-on (SSO) integration for centralized access control and enforcement of corporate authentication policies.
Role-based access controls that allow administrators to limit permissions based on job function.
Device authentication to ensure only approved machines can connect.
Session logging and recording for visibility into who accessed what and when.
Granular deployment controls to restrict installation of Splashtop Streamer to approved systems.
Our Commitment to Security
Splashtop takes security seriously and closely monitors reports of cyber threats that involve our products, even when the activity is the result of misuse rather than a vulnerability. We believe transparency is essential to maintaining trust with our customers and partners.
Our security and engineering teams continuously evaluate potential abuse scenarios, enhance detection capabilities, and provide guidance to help customers configure Splashtop securely. When new threat intelligence emerges, we assess whether changes to product features, default settings, or customer education materials are needed.
When Splashtop is deployed and managed by authorized administrators, it remains a secure and reliable platform for remote access. By combining our built-in security features with endpoint protections and user awareness training, organizations can significantly reduce the risk of misuse.
Explore our Splashtop products and get in touch to learn more about our solutions and security.