{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/anydesk/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Trigona"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","AnyDesk","Mimikatz","PowerRun"],"_cs_severities":["high"],"_cs_tags":["trigona","ransomware","data exfiltration","custom tool"],"_cs_type":"threat","_cs_vendors":["Microsoft","Nirsoft","AnyDesk"],"content_html":"\u003cp\u003eTrigona ransomware, initially launched in October 2022, has been observed using a custom command-line tool named \u0026ldquo;uploader_client.exe\u0026rdquo; to exfiltrate data from compromised environments. This shift, observed in March 2026, suggests an effort to avoid detection by security solutions that commonly flag publicly available tools like Rclone and MegaSync. Symantec researchers believe this indicates a strategic investment in proprietary malware to maintain a lower profile during critical phases of attacks. The custom tool supports five simultaneous connections per file for faster data exfiltration via parallel uploads, rotates TCP connections after 2GB of traffic to evade monitoring, offers options for selective file type exfiltration, and utilizes an authentication key to restrict access to stolen data. Despite disruptions in October 2023, Trigona has resumed operations, incorporating additional techniques like installing the Huorong Network Security Suite tool HRSword and disabling security products.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eInstallation of the Huorong Network Security Suite tool HRSword as a kernel driver service.\u003c/li\u003e\n\u003cli\u003eDeployment of tools such as PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd to disable security-related products by leveraging vulnerable kernel drivers to terminate endpoint protection processes.\u003c/li\u003e\n\u003cli\u003eExecution of utilities with PowerRun to launch apps, executables, and scripts with elevated privileges, bypassing user-mode protections.\u003c/li\u003e\n\u003cli\u003eDeployment of AnyDesk for direct remote access to the breached systems.\u003c/li\u003e\n\u003cli\u003eExecution of Mimikatz and Nirsoft utilities for credential theft and password recovery operations.\u003c/li\u003e\n\u003cli\u003eUse of the custom \u0026ldquo;uploader_client.exe\u0026rdquo; to exfiltrate valuable documents such as invoices and PDFs from network drives via parallel uploads, rotating TCP connections to evade monitoring, and using an authentication key to restrict data access.\u003c/li\u003e\n\u003cli\u003eFinal stage involving the deployment of Trigona ransomware, demanding ransom payment in Monero cryptocurrency.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Trigona ransomware attacks result in significant data theft and encryption, disrupting business operations and causing financial losses. The group has demonstrated the capability to resume operations even after suffering disruptions, indicating a persistent threat. Observed data exfiltration has included high-value documents such as invoices and PDFs, demonstrating a targeted approach to data theft. Victims face potential regulatory penalties, reputational damage, and recovery costs associated with restoring systems and data. The number of victims and specific financial impact varies per campaign, but the potential for severe disruption and financial strain is consistent.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u0026ldquo;uploader_client.exe\u0026rdquo; with command-line arguments indicative of data exfiltration (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect connections to unusual or hardcoded server addresses used by the \u0026ldquo;uploader_client.exe\u0026rdquo; exfiltration tool (see IOC table).\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection rules to identify the installation of Huorong Network Security Suite (HRSword) as a kernel driver service and tools like PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd.\u003c/li\u003e\n\u003cli\u003eMonitor for processes launched via PowerRun, especially if followed by credential dumping or remote access tool execution.\u003c/li\u003e\n\u003cli\u003eReview AnyDesk usage for unusual connections or after-hours access, as this tool is used for remote access.\u003c/li\u003e\n\u003cli\u003eEnable robust logging for credential access attempts and password recovery activity associated with Mimikatz and Nirsoft tools.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T19:02:17Z","date_published":"2026-04-23T19:02:17Z","id":"/briefs/2026-05-trigona-custom-exfil/","summary":"Trigona ransomware is using a custom data exfiltration tool named 'uploader_client.exe' to steal data from compromised environments, enhancing speed and evasion.","title":"Trigona Ransomware Employing Custom Data Exfiltration Tool","url":"https://feed.craftedsignal.io/briefs/2026-05-trigona-custom-exfil/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endpoint","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","remote-access","windows"],"_cs_type":"advisory","_cs_vendors":["TeamViewer","LogMeIn","AnyDesk","ScreenConnect","ConnectWise","Splashtop","Zoho","RustDesk","n-able","Kaseya","BeyondTrust","Tailscale","JumpCloud","VNC","Datto","Auvik","SyncroMSP","Pulseway","NinjaOne","Liongard","Naverisk","Panorama9","Tactical RMM","MeshCentral","ISL Online","Goverlan","Iperius","Remotix","Mikogo","Action1","Elastic"],"content_html":"\u003cp\u003eThis detection identifies DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains originating from processes that are not web browsers. This activity can indicate the use of legitimate RMM tools for malicious purposes, such as command and control, persistence, or lateral movement within a network. The detection aims to surface RMM clients, scripts, or other non-browser activities contacting these services without legitimate user interaction. Defenders should investigate processes making these queries to confirm expected behavior and validate the security posture of their managed assets. The rule is based on a list of known RMM domains and excludes common browser processes to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows host through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or leverages an existing RMM tool on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe RMM tool, running as a non-browser process, initiates a DNS query to resolve a command and control server associated with the RMM service (e.g., teamviewer.com).\u003c/li\u003e\n\u003cli\u003eThe DNS query is made by a process other than a known web browser (chrome.exe, firefox.exe, etc.).\u003c/li\u003e\n\u003cli\u003eThe compromised host establishes a connection to the resolved IP address associated with the RMM domain.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to execute commands, transfer files, or perform other malicious activities on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the RMM tool for lateral movement, pivoting to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include data exfiltration, ransomware deployment, or maintaining persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via abused RMM software can lead to full system compromise, data theft, or deployment of ransomware. While the number of affected victims is unknown, the sectors most likely to be impacted include any organization that relies on RMM tools for IT management. Successful exploitation allows attackers to bypass traditional security controls by using legitimate software, making detection more challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;DNS Queries to Known RMM Domains from Non-Browser Processes\u0026rdquo; to your SIEM and tune the RMM domain list for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process responsible for the DNS query and its parent process.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized RMM tools.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon DNS event logging to ensure the necessary data is available for the detection rule.\u003c/li\u003e\n\u003cli\u003eCorrelate with other alerts to identify potential compromises.\u003c/li\u003e\n\u003cli\u003eReview process.code_signature for trusted RMM publishers and investigate any unsigned or unexpected signers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rmm-dns-non-browser/","summary":"Detection of DNS queries to remote monitoring and management (RMM) domains from non-browser processes indicating potential misuse of legitimate remote access tools for command and control.","title":"Suspicious DNS Queries to RMM Domains from Non-Browser Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-dns-non-browser/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AeroAdmin","AnyDesk","AteraAgent","AweSun","APC Admin","APC Host","BeyondTrust Remote Support","Bomgar","Remote Support","B4-Service","CagService","Domotz Agent","dwagsvc","DWRCC","FleetDeck Commander","GetScreen","GoToAssist","GoToResolve","ImperoClient","ImperoServer","ISLLight","ISLLightClient","JumpCloud Agent","Level","LvAgent","LMIIgnition","LogMeIn","Lunixar","ManageEngine Remote Access Plus","MeshAgent","Mikogo","NinjaRMM","parsec","PService","Radmin","RealVNC","RemotePC","RemoteDesktopManager","RCClient","RCService","RPCSuite","RustDesk","RemoteUtilities","saazapsc","ScreenConnect","Splashtop","Supremo","Syncro","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"_cs_severities":["medium"],"_cs_tags":["remote-access-tool","command-and-control","rmm","windows"],"_cs_type":"advisory","_cs_vendors":["AeroAdmin","AnyDesk","Atera","AweSun","APC","BeyondTrust","BarracudaRMM","Domotz","DWService","FleetDeck","GetScreen","GoTo","Impero","ISLOnline","JumpCloud","Level","LogMeIn","Lunixar","ManageEngine","MeshCentral","Mikogo","NinjaOne","Parsec","Pulseway","Radmin","RealVNC","RemotePC","Devolutions","RPCSuite","RustDesk","RemoteUtilities","Kaseya","ScreenConnect","Splashtop","Supremo","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"content_html":"\u003cp\u003eThis detection rule identifies Windows systems running multiple Remote Monitoring and Management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments might utilize several tools, the presence of multiple RMM solutions on a single host can signify a compromise, unauthorized software installation (shadow IT), or attackers establishing redundant access points. The rule maps process names to vendor labels to avoid inflated counts from multiple binaries of the same vendor. This activity has been observed as a component of broader attack campaigns, including those leveraging compromised MSP infrastructure, and is described in CISA AA23-025A. The timeframe analyzed is \u0026ldquo;now-9m\u0026rdquo;, and the rule triggers if two or more different vendors are detected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system, possibly through phishing, exploiting vulnerabilities, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys an initial RMM tool (e.g., AnyDesk, TeamViewer) for remote access and control.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by configuring the RMM tool to start automatically on system boot.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the initial access to discover other systems on the network.\u003c/li\u003e\n\u003cli\u003eAdditional RMM Deployment: The attacker deploys a second RMM tool (e.g., ScreenConnect, Splashtop) from a different vendor to create a redundant access method.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges using the compromised RMM tools, if necessary.\u003c/li\u003e\n\u003cli\u003eRemote Control: The attacker uses the RMM tools to remotely control the system, execute commands, and access sensitive data.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or uses the compromised system to launch further attacks on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging multiple RMM tools can result in unauthorized access to sensitive data, system compromise, and lateral movement within the network. The presence of multiple RMM tools increases the attacker\u0026rsquo;s resilience, making it harder to detect and remediate the intrusion. Affected systems can be used as a staging ground for further attacks, leading to significant financial and reputational damage. This can impact any Windows-based system, and the CISA advisory AA23-025A specifically highlights the risk of MSP infrastructure compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMultiple RMM Vendors on Same Host\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate hosts triggering the rule to confirm legitimate use of multiple RMM tools. Check \u003ccode\u003eEsql.vendors_seen\u003c/code\u003e and \u003ccode\u003eEsql.processes_name_values\u003c/code\u003e for insight into the involved tools.\u003c/li\u003e\n\u003cli\u003eReview asset inventory and change tickets to verify authorized RMM software installations.\u003c/li\u003e\n\u003cli\u003eIsolate any unauthorized or unexplained hosts and remove unapproved RMM tools.\u003c/li\u003e\n\u003cli\u003eEnforce a single approved RMM stack per asset class where possible.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) on Windows endpoints to enhance detection capabilities as described in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-multiple-rmm-vendors/","summary":"This rule identifies Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.","title":"Multiple Remote Management Tool Vendors on Same Host","url":"https://feed.craftedsignal.io/briefs/2024-01-multiple-rmm-vendors/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AeroAdmin","AnyDesk","Atera Agent","AweSun","APC Admin","APC Host","BeyondTrust","Remote Support","BarracudaRMM","Domotz Agent","DWService","FleetDeck Commander","GetScreen","GoTo","Impero Client","Impero Server","ISLLight","ISLLightClient","JumpCloud Agent","Level","LvAgent","LogMeIn","Lunixar","ManageEngine Remote Access Plus","MeshAgent","Mikogo","NinjaRMMAgent","NinjaRMMAgenPatcher","ninjarmm-cli","Parsec","Pulseway","Radmin","RealVNC","RemotePC","RemoteDesktopManager","RPCSuite","RustDesk","RemoteUtilities","Kaseya","ScreenConnect","Splashtop","Supremo","SyncroLive","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","rmm","windows","threat-detection"],"_cs_type":"advisory","_cs_vendors":["AeroAdmin","AnyDesk","Atera","AweSun","APC","BeyondTrust","BarracudaRMM","Domotz","DWService","FleetDeck","GetScreen","GoTo","Impero","ISLOnline","JumpCloud","Level","LogMeIn","Lunixar","ManageEngine","MeshCentral","Mikogo","NinjaOne","Parsec","Pulseway","Radmin","RealVNC","RemotePC","Devolutions","RPCSuite","RustDesk","RemoteUtilities","Kaseya","ScreenConnect","Splashtop","Supremo","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"content_html":"\u003cp\u003eThis detection rule identifies Windows hosts running multiple remote monitoring and management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments may utilize multiple tools, this activity can also indicate malicious behavior, such as an attacker establishing redundant access to a compromised system. The rule maps various RMM processes to vendor labels, ensuring that multiple binaries from the same vendor do not inflate the count. The processes monitored include popular RMM tools like TeamViewer, AnyDesk, ScreenConnect, and many others. This rule is designed to detect suspicious activity within the environment and alert security teams to potential compromises. The timeframe is set to eight minutes to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows host, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys an initial RMM tool for remote access and control.\u003c/li\u003e\n\u003cli\u003eSecondary Tool Deployment: The attacker deploys a second RMM tool from a different vendor to ensure redundant access in case the first tool is detected or removed.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to gain SYSTEM or Administrator rights, if necessary, to maintain persistent access and control.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the RMM tools to move laterally within the network to access additional systems and data.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Malicious Activity: The attacker uses the established RMM connections to exfiltrate sensitive data or perform other malicious activities such as deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, financial loss, and reputational damage. This detection rule helps identify hosts that might be compromised by malicious actors utilizing multiple RMM tools for command and control. Identifying potentially compromised systems is key to preventing widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect multiple RMM tools running on the same host within an eight-minute window.\u003c/li\u003e\n\u003cli\u003eInvestigate systems triggering this alert by reviewing process execution logs and network connections to identify the source of the RMM tool installation.\u003c/li\u003e\n\u003cli\u003eEnforce a policy of a single approved RMM stack per asset class to minimize the risk of unauthorized RMM tool usage.\u003c/li\u003e\n\u003cli\u003eTune the provided Sigma rules with host or organizational unit exceptions for legitimate MSP/IT tooling environments.\u003c/li\u003e\n\u003cli\u003eReview asset inventory and change tickets for approved RMM software to identify unauthorized installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-multiple-rmm-vendors/","summary":"This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.","title":"Multiple Remote Management Tool Vendors on Same Host","url":"https://feed.craftedsignal.io/briefs/2024-01-02-multiple-rmm-vendors/"}],"language":"en","title":"CraftedSignal Threat Feed — AnyDesk","version":"https://jsonfeed.org/version/1.1"}