CISA Called It: Stop RMM Tool Abuse Before Attackers Do
CISA, FBI, and MS-ISAC warn that attackers increasingly abuse legitimate RMM tools like AnyDesk, Atera, ScreenConnect, and TeamViewer for persistent access and ransomware. This post explains why LOLRMM exists and how MagicSword turns that warning into enforced blocking.

On July 25, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and MS-ISAC released an updated joint advisory AA23-320A with a stark warning:
"Threat actors are increasingly abusing legitimate remote monitoring and management (RMM) software to gain persistent access to compromised networks."
The advisory wasn't subtle. Federal agencies identified RMM abuse as one of the most critical attack vectors in modern cyber operations, calling out specific tools like AnyDesk, Atera, ConnectWise (ScreenConnect), Level.io, N-able, Splashtop, Syncro, and TeamViewer as being actively weaponized by ransomware groups, initial access brokers, and advanced persistent threat actors.
This is exactly why we built LOLRMM. This is exactly why MagicSword exists.
What CISA Actually Said
The advisory pulled no punches about the severity of the RMM abuse problem:
The Threat Landscape
From CISA's advisory:
"Threat actors are known to abuse legitimate RMM software to gain persistent access to a victim network and deploy ransomware. These RMM tools provide remote management of systems, allowing an attacker to perform tasks with the same privileges and capabilities as system administrators."
The agencies documented how attackers systematically abuse RMM tools across every phase of cyber operations:
- Initial Access: Deploying RMM software after phishing or credential compromise
- Persistence: Using RMM tools to maintain long-term access even after password resets
- Lateral Movement: Leveraging built-in RMM capabilities to spread across networks
- Command and Control: Using RMM infrastructure to blend with legitimate IT traffic
- Data Exfiltration: Exploiting file transfer features to steal sensitive information
- Ransomware Deployment: Using RMM tools to simultaneously encrypt hundreds of endpoints
The Specific Tools Under Attack
CISA explicitly named the RMM platforms that threat actors prefer:
- AnyDesk - Lightweight remote desktop software frequently dropped by ransomware operators
- Atera - Cloud-based RMM heavily abused by initial access brokers
- ConnectWise (ScreenConnect) - Enterprise RMM that appears in over 40% of ransomware incidents
- Level.io - MSP-focused platform weaponized in supply chain attacks
- N-able - Comprehensive RMM suite exploited for large-scale compromises
- Splashtop - Remote support tool deployed for persistent backdoor access
- Syncro - All-in-one RMM abused for credential theft and lateral movement
- TeamViewer - Widely-deployed remote access tool leveraged across countless breaches
Sound familiar? That's because these are the exact tools cataloged in the LOLRMM project.
Why Traditional Defenses Fail
The advisory explained why RMM abuse is so effective:
"RMM software is legitimate and frequently used by IT professionals to remotely manage devices. As a result, defensive tools may not flag RMM software as malicious, even when used by threat actors."
Let's translate that: Your EDR won't catch it. Your antivirus won't flag it. Your behavioral analytics will struggle to distinguish legitimate IT support from attacker activity.
The tools are signed. They're trusted. They're expected in enterprise environments. And that's exactly why attackers love them.
This Is Why LOLRMM Exists
When CISA first released that advisory in November 2023, the LOLRMM project was already underway: it had launched in August 2023 specifically to address this problem. We saw what federal agencies were now documenting: RMM tool abuse had become the attack vector of choice for sophisticated threat actors.
The LOLRMM project catalogs every RMM tool that attackers weaponize, documenting:
- Executable names and file paths where RMM agents install themselves
- Network indicators including C2 domains and communication ports
- File artifacts like configuration files and persistence mechanisms
- Registry keys used for installation and startup
- Certificates used to sign the software
- Threat intelligence linking specific RMM tools to known threat actors

CISA's advisory validated what we already knew from incident response work: defenders needed a comprehensive intelligence source for RMM tool abuse patterns. The LOLRMM project became that source, a community-driven catalog that turns scattered threat intelligence into structured, actionable data.
But intelligence alone doesn't stop attacks. You need enforcement.
This Is Why MagicSword Exists
CISA's advisory included mitigation recommendations:
"Organizations should maintain an up-to-date inventory of authorized RMM software and configurations. Implement application allowlisting to restrict execution of unauthorized software."
Great advice. Here's the problem: most organizations don't know which RMM tools they're actually using, can't maintain an accurate inventory as tools get deployed ad-hoc, and have no way to enforce application allowlisting at scale.
MagicSword solves this.
Threat-Informed Application Control
MagicSword integrates LOLRMM intelligence directly into Application Control policies, providing kernel-level enforcement against unauthorized RMM deployment.
Here's how it addresses CISA's recommendations:
1. Maintain RMM Inventory
CISA says: Know what RMM tools you're using.
MagicSword does: Automatically discovers RMM software across your environment and compares it against the LOLRMM catalog. You get immediate visibility into which remote management tools exist on your endpoints, authorized or not.

2. Application Allowlisting
CISA says: Only allow authorized RMM tools to execute.
MagicSword does: Enforces Application Control policies that explicitly permit your approved RMM solution while blocking everything else from the LOLRMM catalog. When an attacker tries to drop AnyDesk on a workstation where your organization uses ScreenConnect, the kernel blocks execution before the attacker gains access.
3. Monitor for Suspicious RMM Activity
CISA says: Watch for unusual RMM deployments or configurations.
MagicSword does: Provides real-time alerts when unauthorized RMM tools attempt to execute, with full threat intelligence context showing which ransomware groups use that specific tool, which MITRE ATT&CK techniques it enables, and which recent breaches involved that RMM platform.
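As an added illustration (not MagicSword's or LOLRMM's own code), here is how the three steps above fit together: a catalog shaped like the LOLRMM fields listed earlier (executables, install paths, network indicators, ATT&CK techniques), an inventory of observed endpoint software matched against it, and an allowlist decision that permits the one approved RMM and blocks every other catalogued RMM with its threat context attached. Catalog values, host names and telemetry are constructed samples, and real enforcement would live in a WDAC/application control policy; this only shows the decision logic.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class RmmEntry:
    name: str            # RMM product as catalogued
    executables: tuple   # lower-case image names the agent runs as
    install_paths: tuple # lower-case, forward-slash prefixes of the agent's install directory
    domains: tuple       # glob patterns for the tool's relay / C2 endpoints
    attack_ids: tuple    # ATT&CK techniques the tool enables (T1219 is the remote access software technique)

# Illustrative entries shaped like LOLRMM's fields; values are constructed, not LOLRMM's records.
CATALOG = (
    RmmEntry("AnyDesk", ("anydesk.exe",), ("c:/program files (x86)/anydesk/",), ("*.anydesk.com",), ("T1219",)),
    RmmEntry("ScreenConnect", ("screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"),
             ("c:/program files (x86)/screenconnect client",), ("*.screenconnect.com",), ("T1219",)),
    RmmEntry("Atera", ("ateraagent.exe",), ("c:/program files/atera networks/",), ("*.atera.com",), ("T1219",)),
)

def match_catalog(obs, catalog=CATALOG):
    """Map one endpoint observation (dict with optional image/path/domain) to a catalog entry."""
    image = obs.get("image", "").lower()
    path = obs.get("path", "").lower().replace("\\", "/")
    domain = obs.get("domain", "").lower()
    for entry in catalog:
        if image in entry.executables:
            return entry
        if path and path.startswith(entry.install_paths):  # renamed binary, same install dir
            return entry
        if domain and any(fnmatch(domain, pat) for pat in entry.domains):
            return entry
    return None

def enforce(observations, approved, catalog=CATALOG):
    """Policy, not intent: the approved RMM runs, any other catalogued RMM is blocked with its ATT&CK
    context, uncatalogued software is left for review. Returns (host, verdict, tool, ids) tuples."""
    out = []
    for obs in observations:
        e = match_catalog(obs, catalog)
        verdict = "unknown" if e is None else "allow" if e.name == approved else "block"
        out.append((obs["host"], verdict, e.name if e else None, e.attack_ids if verdict == "block" else ()))
    return out

OBSERVED = [  # constructed endpoint telemetry: one approved agent, three abuse patterns, one benign
    {"host": "ws-01", "image": "ScreenConnect.ClientService.exe", "path": "C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe"},
    {"host": "ws-02", "image": "AnyDesk.exe", "path": "C:\\Users\\Public\\AnyDesk.exe"},
    {"host": "ws-03", "image": "svchost.exe", "path": "C:\\Program Files\\ATERA Networks\\AteraAgent\\svchost.exe"},
    {"host": "ws-04", "image": "updater.exe", "domain": "relay-7.net.anydesk.com"},
    {"host": "ws-05", "image": "notepad.exe", "path": "C:\\Windows\\System32\\notepad.exe"},
]
```

Calling `enforce(OBSERVED, "ScreenConnect")` allows ws-01, blocks ws-02 through ws-04 (AnyDesk, Atera, AnyDesk, each tagged T1219) and leaves ws-05 as unknown; note that ws-03 and ws-04 are caught by install path and relay domain even though their image names match nothing.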

The Enforcement Gap CISA Identified
The advisory acknowledged a critical problem:
"Note that many RMM software vendors provide legitimate services and are not themselves malicious. However, threat actors abuse these tools for malicious purposes."
This creates an impossible challenge for traditional security tools. How do you block malicious use of legitimate software? Signature-based detection can't help - the software is legitimately signed. Behavioral analysis struggles - IT teams legitimately use these tools the same way attackers do.
Application control solves this by enforcing policy, not trying to detect intent.
MagicSword doesn't try to determine if AnyDesk is being used maliciously or legitimately. It enforces a simple policy: "AnyDesk is not authorized in this environment." If your organization doesn't use AnyDesk, it doesn't run. Period.
The attacker's intent is irrelevant when the software can't execute in the first place.
The Call to Action CISA Issued
The advisory concluded with clear guidance for organizations:
"CISA, FBI, and MS-ISAC strongly urge organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of RMM software abuse."
Those mitigations included:
- Maintain inventory of authorized RMM software ✓
- Implement application allowlisting ✓
- Monitor for suspicious RMM activity ✓
- Restrict RMM software installation privileges ✓
- Segment networks to limit RMM tool reach ✓
MagicSword addresses every single one of these recommendations through threat-informed application control.
But here's the critical question: Has your organization actually implemented these mitigations? Or is the CISA advisory sitting in a folder somewhere while attackers continue to abuse RMM tools across your environment?
From Intelligence to Action
The LOLRMM project provides the intelligence. CISA provides the warnings. MagicSword provides the enforcement.
When federal agencies issue advisories about attack vectors, they're documenting what incident responders already see every day: attackers systematically abusing specific tools and techniques at scale. The question isn't whether your organization will face RMM tool abuse - it's whether you'll be protected when it happens.
Here's what that protection looks like:
- Complete LOLRMM Catalog Integration - Every RMM tool CISA warned about is already in our enforcement policies
- Kernel-Level Blocking - WDAC enforcement that stops unauthorized RMM tools before they execute
- Real-Time Threat Intelligence - Immediate attribution showing which threat actors use which RMM tools
- Executive Visibility - Clear reporting on prevented attacks and security posture
- Fraction of the Cost - $5/endpoint monthly vs. millions in ransom payments
The Bottom Line
CISA warned us. The FBI confirmed it. MS-ISAC documented it. RMM tool abuse is one of the most critical attack vectors in modern cyber operations.
The threat actors CISA warned about are actively deploying the RMM tools documented in LOLRMM. They're targeting organizations just like yours. They're counting on traditional security controls failing to distinguish legitimate RMM use from malicious abuse.
MagicSword breaks that attack pattern. When attackers try to deploy the RMM tools CISA explicitly named - AnyDesk, Atera, ConnectWise, Level.io, N-able, Splashtop, Syncro, TeamViewer - our platform blocks them at the kernel level with full threat intelligence context.
This is why LOLRMM exists: To catalog the tools attackers abuse.
This is why MagicSword exists: To stop those tools from running in your environment.
CISA issued the warning. We built the solution. The only question left is: Will you implement it before the next breach?
Want to keep up with how modern attacks actually work? Subscribe to the MagicSword newsletter for practical research, real-world attack tradecraft, and prevention-focused intelligence from the team tracking abused tools every day.
If you want to see how this intelligence turns into real blocking, stopping abused tools before they execute, you can book a demo to see how MagicSword blocks the same RMM abuse patterns CISA warned about using threat-informed application control.
You can also explore the intelligence behind it: visit LOLRMM.io to see the growing catalog of RMM tools threat actors abuse, and read CISA’s advisory AA23-320A on legitimate remote management tool abuse.

Written by
Michael Haag
Threat Researcher
In the intricate chessboard of cybersecurity, my role oscillates between a master tactician and a relentless hunter. As an expert in detection engineering and threat hunting, I don't just respond to the digital threats, I anticipate them, ensuring that the digital realm remains sovereign.


