Threat actors are abusing legitimate RMM tools as a means of creating persistence inside victims’ systems, using the Tiflux RMM tool.
Tiflux is a reputable Brazilian software platform used by IT departments and Managed Service Providers (MSPs) for managing IT assets, tickets, teams, and remote monitoring.
As reported by Huntress, the campaign is using Tiflux RMM as part of phishing attacks that deploy fake documents followed by remote access tools like Splashtop, UltraVNC, and ScreenConnect.
In essence, this attack campaign is among many others in which malefactors have turned to legitimate software to avoid detection.
Malspam and fake document lures
Huntress noted an increase in Tiflux incidents beginning at the end of February 2026, including one incident involving a phishing email that included a false service agreement document.
Victims who fell prey to the phishing campaign were redirected via CAPTCHA-like websites set up by the attacker before downloading any malware that appeared to be legitimate documents.
Tiflux malware was installed, allowing cybercriminals to create remote access to victims’ systems and perform commands on victims’ compromised systems to obtain information.
Multiple RMM tools used for persistence
Attackers were also seen using several RMM solutions during the same incidents. These tactics ensure access can be maintained even should one of the RMM tools used get flagged.
During the Tiflux campaign, the actors employed a series of remote administration tools like ScreenConnect and Splashtop after gaining a foothold into the system. Huntress noted that this “daisy-chaining technique” is becoming more common in today’s attacks.
This strategy makes it harder to detect malicious activity as businesses themselves are known to use legitimate remote access applications.
Concerns over vulnerable driver components
Questions were also raised regarding the actual Tiflux installer. Huntress said the bundle contained the driver HwRwDrv.sys, which was outdated and associated with privilege escalation actions and signed with expired certificates.
This implies that the threat goes past merely misusing remote access to perform malicious tasks and involves privilege escalation as well.
The findings reveal that attackers are increasingly adopting methods such as “living off the trusted software,” with reduced reliance on custom malware. Adversaries do not exploit sophisticated zero-days but rather exploit the inherent trust placed in approved administration and remote access software.
Defenders urged to baseline RMM activity
Huntress highlighted the importance of maintaining a comprehensive list of approved RMM tools and of monitoring for any odd behavior related to their use. The security firm suggested fingerprinting approved software based on executable hashes, approved domains, and connection behavior.
Additionally, Huntress stated that security professionals should audit remote access tools and monitor for any unusual deployments of unauthorized RMM software.
This alert was released at a time when there is increased industry-wide concern about legitimate IT tools being adopted by attackers in their operations, especially those involving ransomware and credential theft.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.