www.darkreading.com 2/17/2026, 10:00:24 PM

RMM Abuse Explodes as Hackers Ditch Malware

RMM abuse is described as the path of lesser resistance, with threat actors increasingly shifting from traditional malware to remote monitoring and management (RMM) tools. Huntress researchers report a 277% year-over-year rise in RMM abuse, according to the company’s 2026 Cyber Threat Report. The surge occurred across all industries, with healthcare and technology seeing the most activity, driven by the ubiquity of RMM in enterprises and the ability to blend in with legitimate usage.

RMM tools are now used as a unified control hub for command-and-control and attack path redundancy, with attackers favouring living-off-the-land tactics and dropping malware less often. The tools cited include ConnectWise’s ScreenConnect, AnyDesk, Atera, NetSupport, PDQ’s Connect and Splashtop, and traditional malware usage has declined as RMM abuse has risen.

The article notes that attackers use RMMs not just for initial access but for ongoing intrusion activities, and calls for vendors to implement restrictions and provide more signal output to aid detection.

17 February 2026

Article by CyberSIXT