RMM Abuse Jumped 277% in a Year. Two Blogs This Week Show Why
RMM abuse jumped 277% in a year. In the same week, Huntress and Microsoft both published real incidents showing the same playbook: different victims, same tools, same outcome. Here's what the intelligence says and how to actually stop it.

The Huntress 2026 Cyber Threat Report landed a stat that should have been the story of the year. RMM abuse jumped 277% year-over-year and now accounts for nearly a quarter of all observed incidents. Roughly one in four. Traditional hacking tools dropped 53%. RATs dropped 20%. Attackers are not just adding RMMs to their toolkit. They are actively ditching malware in favor of the tools your IT team already runs.
This is the single biggest shift in adversary tradecraft right now. And it is not slowing down.
Two blogs this week make the point better than any report ever could.
What Huntress Published on April 17
Huntress has been watching Bomgar exploitation since CVE-2026-1731 dropped in February. A second wave kicked off April 3. The April 17 advisory catalogs what happened:
- April 14: Ransomware deployed from a compromised Bomgar instance at a dental software company. Three downstream companies hit.
- April 15: MSP compromised via Bomgar. 78 businesses isolated. Four downstream customers breached before containment.
- April 12: LB3.exe executed through a Bomgar session. LockBit 3.0 builder lineage. BYOVD drivers staged at C:\Windows\System32\drivers\hrwfpdrv.sys and C:\temp\PoisonX.sys. The second one links to PoisonKiller, an EDR-kill tool briefly on GitHub in early April (cataloged in LOLDrivers).
- April 5: nltest for domain recon. New domain admin created. AnyDesk installed as secondary access.
- April 3: Bomgar remote shell as SYSTEM drops setup.msi from C:\PerfLogs\. The MSI installs Atera. Scheduled task AteraAgentServiceWatchdog created for persistence.
- March 11: Renamed SimpleHelp binary dropped to c:\PerfLogs\InputUpdate.exe, pointed at 146.70.41[.]131.
Attack flow: vulnerable Bomgar → SYSTEM shell → second RMM → persistence → ransomware.
What Microsoft Published on April 18
Microsoft's 19-minute playbook breakdown tracks a different opening move and the same ending.
Attacker-controlled tenant sends a Teams chat. Helpdesk impersonation. User ignores the external flag and accepts Quick Assist. 30 to 120 seconds of reconnaissance. Staged payloads land in ProgramData.
Then the sideload chain against signed binaries loading attacker DLLs from non-standard paths:
- AcroServicesUpdater2_x64.exe → msi.dll
- ADNotificationManager.exe → vcruntime140_1.dll
- DlpUserAgent.exe → mpclient.dll
- werfault.exe → Faultrep.dll
Encrypted loader config written to the registry. Havoc-style in-memory reconstruction. Outbound HTTPS beacons masquerading as update traffic. WinRM for lateral movement toward domain controllers. Level RMM deployed via msiexec.exe as a redundant control channel. Rclone to an external bucket, excluding *.mdf files to reduce transfer size.
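The sideload list above is a detection in waiting: each host binary has exactly one DLL name it is known to load, and the genuine copy of that DLL lives in a handful of well-known directories. The following is an added example, not Microsoft's KQL and not code from either blog. It runs that check over records shaped like Sysmon Event ID 7 (image loaded). The host/DLL pairs are the ones Microsoft named; the trusted-directory list, the sample records and the severity scheme are assumptions made for the example.

```python
"""Flag DLL sideloading: a known host executable loading the DLL name it is
known to sideload from a directory where that DLL does not legitimately live.

Added example; not Microsoft's KQL. Input records are constructed to look
like Sysmon Event ID 7 (Image loaded) fields.
"""
import ntpath  # Windows path semantics regardless of the OS this runs on

# Host -> sideloaded DLL pairs, as named in the Microsoft write-up.
SIDELOAD_PAIRS = {
    "acroservicesupdater2_x64.exe": "msi.dll",
    "adnotificationmanager.exe": "vcruntime140_1.dll",
    "dlpuseragent.exe": "mpclient.dll",
    "werfault.exe": "faultrep.dll",
}

# ASSUMPTION: directories these DLLs legitimately load from on a standard
# Windows build. Tune to your fleet; a load from anywhere else is the signal.
# ProgramData is deliberately absent: that is where the staged payloads landed.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\program files",
    r"c:\program files (x86)",
)


def evaluate(event):
    """Return None for a benign load, else a finding describing why it tripped."""
    host = ntpath.basename(event["Image"]).lower()
    expected_dll = SIDELOAD_PAIRS.get(host)
    if expected_dll is None:
        return None  # not a host we track
    loaded = event["ImageLoaded"]
    if ntpath.basename(loaded).lower() != expected_dll:
        return None  # the host loading some other DLL is not this technique
    dll_dir = ntpath.dirname(loaded).lower()
    if dll_dir.startswith(TRUSTED_DLL_DIRS):
        return None  # the real DLL from the real place
    reasons = ["dll_outside_trusted_dirs"]
    # The genuine copies of these DLLs are signed; the attacker's are not.
    if str(event.get("Signed", "false")).lower() != "true":
        reasons.append("dll_unsigned")
    # The host itself was copied out of its install location to stage the chain.
    if not ntpath.dirname(event["Image"]).lower().startswith(TRUSTED_DLL_DIRS):
        reasons.append("host_relocated")
    return {
        "host": event["Image"],
        "dll": loaded,
        "severity": "high" if "dll_unsigned" in reasons else "medium",
        "reasons": reasons,
    }


def scan(events):
    """Run evaluate() over an iterable of image-load records; return findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample records (not real telemetry). Paths mirror the chain above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\Faultrep.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\Adobe\ARM\AcroServicesUpdater2_x64.exe",
     "ImageLoaded": r"C:\ProgramData\Adobe\ARM\msi.dll", "Signed": "false"},
    {"Image": r"C:\ProgramData\wer\werfault.exe",
     "ImageLoaded": r"C:\ProgramData\wer\Faultrep.dll", "Signed": "false"},
    {"Image": r"C:\Program Files (x86)\Adobe\Acrobat\ADNotificationManager.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Adobe\Acrobat\vcruntime140_1.dll",
     "Signed": "true"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\msi.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["host"], "->",
              finding["dll"], finding["reasons"])
```

Two of the five sample records trip, both at high severity, because the DLL is unsigned and sits outside every trusted directory. A signed DLL loaded from an odd path by a host that is still in its install location only rates medium: that is the shape of a vendor's redistributable copy and needs a human look rather than an alert. The check keys on the DLL's directory rather than on the host's, because a relocated host loading the real DLL from System32 is not a sideload.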
The FOSS Angle That Just Got Louder
Nav Toor's post this week put RustDesk in front of a much wider audience. 102,000+ stars. Free. Self-hostable. No account needed. Works across Windows, Mac, Linux, Android, iOS. Direct P2P. End-to-end encryption. AGPL-3.0.
Defenders have not been thinking about RustDesk. Attackers already are.
That is the pattern. Commercial RMMs get watched. FOSS RMMs get missed until they are on 500 of your endpoints.
RustDesk is on LOLRMM. So are AnyDesk, Atera, Bomgar, ScreenConnect, Level, SimpleHelp, Quick Assist, TeamViewer, Splashtop, and hundreds more. The catalog exists. The intel is free. The question is what you do with it.
The Inventory That Matters
Map both blogs against the three LOL projects and almost every executable, driver, and sideload host is already documented by the community:
- LOLRMM covers the remote access surface. Bomgar, Quick Assist, Level, AnyDesk, Atera, ScreenConnect, SimpleHelp, RustDesk, TeamViewer.
- LOLBAS covers the living off the land binaries. werfault.exe, msiexec.exe, nltest.exe, plus the script hosts behind the recon burst.
- LOLDrivers covers the BYOVD staging. PoisonKiller, EDR-kill drivers, the kernel-level kill chain.
This intel has been free and public for years. The question has never been "do we know these tools exist?" The question is "are we using the intelligence to block anything?"
Detection Should Drive Prevention
Microsoft's blog finishes with ten KQL queries. Huntress published detailed IOCs, file hashes, driver names, command lines. This is exactly the output a mature research team should produce.
The gap is not in the intelligence. The gap is in what we do with it.
If Huntress tells you Level RMM is being dropped as a second-stage persistence tool, and you do not use Level, that research just gave you a block rule. Not a hunt. Not a detection. A block.
If Huntress tells you PoisonX.sys is being used to kill EDR agents, and no legitimate software in your environment needs that driver, that research just gave you a WDAC driver block. Not a query to run weekly.
Detection is how we learn what attackers are doing. Prevention is what we do with that knowledge. Every IOC in a threat report, every KQL query, every hash in a Huntress advisory is an opportunity to decide: do I need this in my environment? If no, it belongs on a block list. That frees your detection stack to focus on the residue, the tools that are legitimate in your environment and need behavioral watching. PowerShell from your actual admins. RDP from your actual jump hosts. ScreenConnect from your actual helpdesk. That is where detection earns its keep.
With RMM abuse up 277% year over year, the math is simple. The defenders who get ahead are the ones who turn every new IOC into a policy the same day.
How LOLRMM and MagicSword Help You Stop This
LOLRMM was built to solve exactly the inventory problem both blogs expose. Every RMM documented. Every artifact mapped. Executables, certificates, network indicators, registry keys, file paths. Free. Community-driven. Updated as new tools show up.
MagicSword is the enforcement layer. We integrate LOLRMM, LOLBAS, and LOLDrivers intelligence directly into Application Control policies and push them across your fleet. Here is what that looks like against the Huntress and Microsoft attack chains:
Bomgar compromise → AnyDesk dropped for persistence. AnyDesk is not on your approved RMM list, so a deny rule on anydesk.exe stops anydesk.exe --install before it runs. No SOC ticket. No analyst triage.
Quick Assist session → Level RMM deployed via msiexec. Level is not on your approved list, so the Level MSI is denied by policy. You usually cannot block msiexec.exe itself, because legitimate installs depend on it, but WDAC evaluates the MSI package rather than the installer engine. And if your helpdesk does not use Quick Assist, you can block quickassist.exe outright and remove the opening move.
DLL sideload against AcroServicesUpdater2_x64.exe loading msi.dll from ProgramData. Nothing in the policy allows an unsigned msi.dll under C:\ProgramData\Adobe\ARM\, so Code Integrity refuses the load. Sideload fails. Loader never recovers its registry-backed config.
PoisonX.sys staged at C:\temp\PoisonX.sys for EDR kill. LOLDrivers feeds the WDAC driver block policy. PoisonKiller's driver is blocked at load time by Code Integrity. EDR stays alive. Ransomware stage fails.
Rclone on a finance team workstation. Rclone is not signed by any publisher your environment trusts and not on your approved list. Execution denied. Exfil never starts.
Every one of these controls uses tooling that ships free in Windows today. MagicSword is the control plane that turns the intelligence into policy, pushes it across 50,000 endpoints, and keeps it current as LOLRMM adds the next 20 tools.
Remember that in WDAC a deny rule wins over an allow rule. You can trust a vendor broadly and still block a specific vulnerable version, a specific weaponized driver, or a specific RMM you don't use.
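What "turn the IOC into a policy the same day" looks like in practice, as an added example that is not MagicSword's tooling and not code from either advisory: take the artifacts the two blogs named and emit a WDAC deny-rule policy XML that you merge into your existing base policy with Merge-CIPolicy, the same way Microsoft's own recommended block list is applied. The indicator list is constructed from names on this page (no hashes are published here, so they become FileName rules); the policy GUID is freshly generated and the option set, rule IDs and scenario IDs are assumptions for the example. Two caveats a practitioner needs: a FileName rule matches the OriginalFileName in the binary's version resource, not the name on disk, so a renamed binary with no version info (the InputUpdate.exe SimpleHelp drop above) needs a hash rule instead; and WDAC's Hash attribute is the Authenticode PE hash, not a flat SHA-256 of the file, so take it from New-CIPolicyRule -Level Hash against a sample rather than from a threat report's file hash.

```python
"""Turn an indicator list into a WDAC deny-rule policy XML to merge into your
existing base policy (Merge-CIPolicy). Deny rules win over allow rules.
Added example, not MagicSword's or Microsoft's tooling."""
import uuid
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:sipolicy"
USER_MODE, KERNEL_MODE = "12", "131"  # SigningScenario values: user-mode code, drivers
ALL_VERSIONS = "65535.65535.65535.65535"  # MinimumFileVersion that catches every version

# Constructed from the artifacts named in the two advisories summarized above.
# No hashes are given there, so these become FileName rules (see caveat in the text).
INDICATORS = [
    {"file": "AnyDesk.exe",  "mode": "user",   "source": "LOLRMM, Huntress"},
    {"file": "rclone.exe",   "mode": "user",   "source": "Microsoft"},
    {"file": "PoisonX.sys",  "mode": "kernel", "source": "Huntress, LOLDrivers"},
    {"file": "hrwfpdrv.sys", "mode": "kernel", "source": "Huntress"},
]


def q(tag):
    return f"{{{NS}}}{tag}"


def rule_id(spec):
    return "ID_DENY_" + "".join(c if c.isalnum() else "_" for c in spec["file"]).upper()


def build_policy(indicators, audit=True):
    """Build the SiPolicy element. audit=True adds Enabled:Audit Mode so the
    merged policy logs would-be blocks instead of enforcing them."""
    ET.register_namespace("", NS)
    root = ET.Element(q("SiPolicy"), PolicyType="Base Policy")
    policy_id = "{" + str(uuid.uuid4()).upper() + "}"  # fresh GUID, example only
    for tag, text in (("VersionEx", "1.0.0.0"), ("PolicyID", policy_id),
                      ("BasePolicyID", policy_id),
                      ("PlatformID", "{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}")):
        ET.SubElement(root, q(tag)).text = text
    rules = ET.SubElement(root, q("Rules"))
    options = ["Enabled:Unsigned System Integrity Policy"]
    if audit:
        options.append("Enabled:Audit Mode")
    for opt in options:
        ET.SubElement(ET.SubElement(rules, q("Rule")), q("Option")).text = opt
    ET.SubElement(root, q("EKUs"))
    file_rules = ET.SubElement(root, q("FileRules"))
    refs_by_mode = {"user": [], "kernel": []}
    for spec in indicators:
        rid = rule_id(spec)
        attrs = {"ID": rid, "FriendlyName": f"{spec['file']} ({spec['source']})"}
        if spec.get("authenticode_hash"):
            # Hash rules use the Authenticode (PE) hash, not a flat file hash.
            attrs["Hash"] = spec["authenticode_hash"].upper()
        else:
            # Matches OriginalFileName in the version resource, not the on-disk name.
            attrs["FileName"] = spec["file"]
            attrs["MinimumFileVersion"] = ALL_VERSIONS
        ET.SubElement(file_rules, q("Deny"), attrs)
        refs_by_mode[spec["mode"]].append(rid)
    ET.SubElement(root, q("Signers"))
    scenarios = ET.SubElement(root, q("SigningScenarios"))
    for value, sid, name, mode in (
        (KERNEL_MODE, "ID_SIGNINGSCENARIO_DRIVERS_1", "Driver Signing Scenarios", "kernel"),
        (USER_MODE, "ID_SIGNINGSCENARIO_WINDOWS", "User Mode Signing Scenarios", "user"),
    ):
        sc = ET.SubElement(scenarios, q("SigningScenario"), Value=value, ID=sid, FriendlyName=name)
        refs = ET.SubElement(ET.SubElement(sc, q("ProductSigners")), q("FileRulesRef"))
        for rid in refs_by_mode[mode]:  # route driver rules to the driver scenario
            ET.SubElement(refs, q("FileRuleRef"), RuleID=rid)
    ET.SubElement(root, q("UpdatePolicySigners"))
    ET.SubElement(root, q("CiSigners"))
    ET.SubElement(root, q("HvciOptions")).text = "0"
    return root


def policy_xml(indicators, audit=True):
    return ET.tostring(build_policy(indicators, audit), encoding="unicode")


def deny_rules(xml_text):
    """Parse a policy back: {rule ID: attributes} for every Deny rule."""
    return {d.get("ID"): dict(d.attrib) for d in ET.fromstring(xml_text).iter(q("Deny"))}


def scenario_refs(xml_text):
    """{SigningScenario Value: [rule IDs it references]} to confirm kernel/user routing."""
    return {sc.get("Value"): [r.get("RuleID") for r in sc.iter(q("FileRuleRef"))]
            for sc in ET.fromstring(xml_text).iter(q("SigningScenario"))}


if __name__ == "__main__":
    with open("DenyRules_Audit.xml", "w", encoding="utf-8") as fh:
        fh.write(policy_xml(INDICATORS))
    # On a Windows admin host (not run here):
    #   Merge-CIPolicy -PolicyPaths .\BasePolicy.xml, .\DenyRules_Audit.xml -OutputFilePath .\Merged.xml
    #   ConvertFrom-CIPolicy .\Merged.xml .\Merged.cip
```

Deploy the merged policy in audit mode first, watch the CodeIntegrity operational log for the would-be blocks, and only then drop the audit option and redeploy. Driver rules must be referenced from the kernel-mode signing scenario (Value 131) or they never apply to PoisonX.sys; that routing is the part that is easy to get wrong by hand, which is why the script does it from the indicator's mode field.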
Not Ready to Block Yet? We Got You on the Intel Side
Not every team is ready to flip enforcement on day one. That is fine. We still want you to get value from LOLRMM.
The project is entirely open source. The full catalog of RMMs, artifacts, and abuse intel lives on GitHub at github.com/magicsword-io/LOLRMM. Pull it, parse it, load it into your SIEM or EDR, and start hunting.
We also maintain a library of detections ready to drop into your tooling at github.com/magicsword-io/LOLRMM/tree/main/detections. Sigma rules, queries, and artifacts you can port to Splunk, Sentinel, Elastic, or whatever your stack looks like.
If you just need help figuring out what's running in your environment and where to start, reach out. We will help you identify it. No sales pitch required.
The Bottom Line
RMM abuse is up 277%. It is not slowing down. It is the primary initial access and persistence pattern for the ransomware groups currently running the market. Every major threat report this year said the same thing. Huntress and Microsoft both put new evidence on the table this week.
The intelligence to defend against this is free and public. LOLRMM, LOLBAS, LOLDrivers. Three community projects, years of curated data, no license fee.
The tooling to act on that intelligence is already on every Windows endpoint you own. WDAC. Code Integrity. Authenticode.
What's missing, for most environments, is the bridge between the intelligence and the enforcement. That is the part MagicSword fills.
Want to keep up with how modern attacks actually work? Subscribe to the MagicSword newsletter for practical research, real-world attack tradecraft, and prevention-focused intelligence.
Ready to see what's actually running on your endpoints? MagicSword is free for up to 100 endpoints. No strings attached. No credit card. No trial expiration. Deploy in audit mode, see what's loading, and start blocking what shouldn't be. Sign up free and get protected today.
Written by
Michael Haag
Threat Researcher
In the intricate chessboard of cybersecurity, my role oscillates between a master tactician and a relentless hunter. As an expert in detection engineering and threat hunting, I don't just respond to the digital threats, I anticipate them, ensuring that the digital realm remains sovereign.


