{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/malspam/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tiflux","UltraVNC","Splashtop","ScreenConnect"],"_cs_severities":["high"],"_cs_tags":["remote-access","rmm","malspam","persistence"],"_cs_type":"advisory","_cs_vendors":["Tiflux","Microsoft","Splashtop","ScreenConnect","UltraVNC"],"content_html":"\u003cp\u003eA malspam campaign has been observed utilizing Tiflux, a commercial RMM tool, to gain unauthorized access and maintain persistence within victim environments starting around February 2026. The campaign employs phishing emails containing fake document lures, ultimately leading to the installation of Tiflux alongside other remote administration tools, including UltraVNC, Splashtop, and ScreenConnect. What makes this campaign particularly concerning is the inclusion of outdated and potentially vulnerable components within the Tiflux installer, such as the HwRwDrv.sys driver, which is associated with privilege elevation and signed using expired certificates. Huntress has observed an increase in Tiflux usage across various incidents, indicating a trend of threat actors experimenting with RMMs for stealthy access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA phishing email, appearing to be a business service agreement, is sent from \u003ccode\u003ebusinessservices@hg[.]lawdepotisland[.]com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe email contains a link that redirects the victim to a page hosted on \u003ccode\u003elenwillfilenetwork[.]com\u003c/code\u003e protected by a Cloudflare CAPTCHA to filter out automated analysis.\u003c/li\u003e\n\u003cli\u003eUpon successful CAPTCHA completion, the victim is redirected to a page prompting them to download a \u0026ldquo;secured document.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eClicking the download link retrieves an MSI installer named \u0026ldquo;Network Solutions Agreement.msi\u0026rdquo;, which is cryptographically signed by \u0026ldquo;Tiflux Sistema de Gestão LTDA\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe MSI installer extracts and installs various Tiflux components, including \u003ccode\u003eTiAgent.exe\u003c/code\u003e (the main RMM orchestrator) and \u003ccode\u003eTiPeerToPeer.exe\u003c/code\u003e (a backchannel communication tool).\u003c/li\u003e\n\u003cli\u003eThe installer also deploys silent installers for third-party dependencies such as UltraVNC and compression utilities 7zip and tar, expanding remote access capabilities.\u003c/li\u003e\n\u003cli\u003eThe threat actor establishes persistence on the system using the installed RMM tools.\u003c/li\u003e\n\u003cli\u003eUsing the RMM access, the attacker performs unauthorized access and credential theft, profiling the system and transmitting screenshots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to the establishment of unauthorized remote access, persistent control, and potential data theft from compromised systems. The use of Tiflux alongside other remote administration tools such as UltraVNC, Splashtop, and ScreenConnect amplifies the impact. The inclusion of a vulnerable driver may lead to privilege escalation, enabling attackers to perform more invasive actions on the compromised host. The number of impacted Huntress customers is unknown, but the increased use of Tiflux since February 2026 indicates a growing threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tiflux RMM Installation via MSI\u0026rdquo; to identify potential installations of the Tiflux RMM based on the MSI installer file name and publisher.\u003c/li\u003e\n\u003cli\u003eBlock the domains \u003ccode\u003ehg[.]lawdepotisland[.]com\u003c/code\u003e and \u003ccode\u003elenwillfilenetwork[.]com\u003c/code\u003e at the network perimeter to prevent initial access via the observed malspam campaign.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for execution of \u003ccode\u003eTiAgent.exe\u003c/code\u003e and \u003ccode\u003eTiPeerToPeer.exe\u003c/code\u003e, core components of the Tiflux RMM, and investigate any suspicious instances.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to prevent the execution of unsigned or untrusted executables in user directories, mitigating the risk of malicious software execution.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect UltraVNC Installation\u0026rdquo; to identify silent installations of UltraVNC.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T21:01:38Z","date_published":"2026-05-14T21:01:38Z","id":"https://feed.craftedsignal.io/briefs/2026-05-tiflux-rmm/","summary":"A malspam campaign is leveraging the Tiflux RMM to gain remote access and persistence on victim machines, abusing legitimate remote management software for stealthy access and persistence.","title":"Tiflux RMM Abused in Malspam Campaign","url":"https://feed.craftedsignal.io/briefs/2026-05-tiflux-rmm/"}],"language":"en","title":"CraftedSignal Threat Feed — Malspam","version":"https://jsonfeed.org/version/1.1"}