Ransomware operators have drastically changed their strategy, moving away from simple, widespread malware distribution toward highly targeted campaigns that exploit legitimate enterprise software for stealth and persistence.
Starting in early 2025, several major ransomware groups began abusing popular remote access tools (RATs, here meaning legitimate remote administration software rather than remote access trojans), such as AnyDesk and Splashtop, to gain a foothold inside corporate networks. By silently installing these tools, or hijacking copies already present, adversaries bypass security controls that trust signed installers from known vendors. This lets them establish initial access without tripping conventional detections, so the first sign many organizations see is a remote session connecting from an unexpected location or at an unexpected hour.
Seqrite analysts have noted that attackers typically obtain privileged accounts through credential stuffing or phishing, then use the remote access tools to move laterally across the network. Instead of relying on custom malware binaries, threat actors use administration frameworks that are already present or easily installed. Their activity blends in with everyday IT operations, making it practically invisible to signature-based endpoint protection.
Profound Impact and Persistence Tactics
The consequences of these campaigns are significant. Victims report encrypted file shares, disabled backups, and compromised RAT credentials used to lock out legitimate administrators. High-profile intrusions involving ransomware like LockBit and Black Basta have seen attackers combine RAT abuse with file-shredding commands to erase forensic evidence, increase their dwell time, and maximize ransom demands. This approach has caused costly downtime and data loss, highlighting the need for organizations to stop automatically trusting routine IT utilities.
A critical part of these operations is the attackers' ability to maintain control through remote administration software. Two main persistence methods have been observed:
- Hijacking Preinstalled Tools: Attackers enumerate installed applications and modify the tool's configuration files or set their own unattended-access password. This grants them persistent access without writing any new executable to disk, evading antivirus scanning by abusing an already whitelisted program.
- Silent Installation: When no remote access tool is preinstalled, attackers deploy a lightweight installer with unattended-install switches such as /VERYSILENT or /NORESTART (standard Inno Setup installer options that suppress the setup UI and the reboot prompt). The RAT is registered as a service that launches at boot, providing a persistent entry point.
Once embedded, the remote tool often runs with elevated privileges. This is frequently combined with registry manipulation and hidden scheduled tasks, ensuring that if incident responders remove one backdoor, a secondary access path remains open. This layered persistence model makes remediation difficult and requires defenders to move toward behavior-based monitoring that flags anomalous tool usage instead of relying on file signatures.
By abusing trusted software, ransomware gangs have effectively turned IT convenience into their most potent weapon. Defenders must implement strict application whitelisting, enforce multi-factor authentication, and monitor command-line arguments associated with common remote access tools to stop these stealthy tactics before encryption occurs.
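The following script shows what that behaviour-based monitoring can look like in practice. It is an added example, not code from the article or from Seqrite, and it runs rules over constructed process-creation events (a reduced Sysmon Event ID 1 / Windows 4688 style record: host, user, parent, image, command line). It flags the persistence tactics described above: a remote access tool launched with unattended-install switches, a RAT binary running outside the managed install directory, and a scheduled task, service or Run key that points at the tool. The RAT name markers, the expected install roots, the sample file names and the AnyDesk `--silent` and `--start-with-win` options are assumptions to tune for your environment; the `/VERYSILENT`, `/SILENT`, `/NORESTART`, `/SP-` and `/SUPPRESSMSGBOXES` switches are the standard Inno Setup ones.

```python
"""Behaviour-based detection of remote-access-tool (RAT) abuse over process-creation events.

Added example, not the article's or any vendor's code. Sample events are constructed;
the marker list, expected install roots and switch list are assumptions to tune.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: remote access tools the organisation sanctions, matched case-insensitively
# as substrings of the image file name or the command line.
RAT_MARKERS = ("anydesk", "splashtop")

# Assumption: the only directories a managed deployment runs these tools from.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Inno Setup unattended-install switches plus AnyDesk's own --silent / --start-with-win
# (assumption: taken from AnyDesk's documented command-line options).
SILENT_SWITCHES = re.compile(
    r"(?:^|\s)(?:/verysilent|/silent|/norestart|/sp-|/suppressmsgboxes"
    r"|--silent|--start-with-win)(?=\s|$)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def mentions_rat(text: str) -> bool:
    lowered = text.lower()
    return any(marker in lowered for marker in RAT_MARKERS)


def in_expected_root(image: str) -> bool:
    return image.lower().startswith(EXPECTED_ROOTS)


def evaluate(event: dict) -> list[Finding]:
    """Apply every rule to one process-creation event and return the matches."""
    host, image, cmd = event["host"], event["image"], event["cmdline"]
    base = _basename(image)
    rat_image = mentions_rat(base)
    findings: list[Finding] = []

    # Rule 1: RAT binary or installer launched with unattended-install switches.
    if rat_image and SILENT_SWITCHES.search(cmd):
        findings.append(Finding(host, "silent_install", image, cmd))

    # Rule 2: RAT binary executing from somewhere other than the managed install root
    # (user profile, Public, ProgramData, Temp): a sideloaded or attacker-staged copy.
    if rat_image and not in_expected_root(image):
        findings.append(Finding(host, "unexpected_path", image, image))

    # Rule 3: a secondary foothold that re-launches the tool if the first is removed.
    if base == "schtasks.exe" and mentions_rat(cmd) and re.search(r"/create\b", cmd, re.I):
        findings.append(Finding(host, "persistence_task", image, cmd))
    elif base == "sc.exe" and mentions_rat(cmd) and re.search(r"\bcreate\b", cmd, re.I):
        findings.append(Finding(host, "persistence_service", image, cmd))
    elif base == "reg.exe" and mentions_rat(cmd) and re.search(r"\badd\b.*\\run\b", cmd, re.I):
        findings.append(Finding(host, "persistence_run_key", image, cmd))

    return findings


def analyze(events: list[dict]) -> list[Finding]:
    return [finding for event in events for finding in evaluate(event)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


# Constructed sample events (not real telemetry). Event 0 is a sanctioned launch and
# must produce no findings; the rest model the tactics described in the article.
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe",
     "cmdline": "\"C:\\Program Files\\AnyDesk\\AnyDesk.exe\""},
    {"host": "WS-042", "user": "CORP\\svc_backup", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\Public\\anydesk.exe",
     "cmdline": "anydesk.exe --install \"C:\\ProgramData\\AnyDesk\" --start-with-win --silent"},
    {"host": "FS-01", "user": "CORP\\svc_backup", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\Splashtop_Streamer_Setup.exe",
     "cmdline": "Splashtop_Streamer_Setup.exe /VERYSILENT /NORESTART"},
    {"host": "FS-01", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn \"Updater\" /tr \"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" /sc onlogon /ru SYSTEM"},
    {"host": "FS-01", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": "sc create RemoteSvc binPath= \"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" start= auto"},
    {"host": "WS-042", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /d \"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" /f"},
    {"host": "WS-042", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /query /tn Backup"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:20} {f.detail}")
    print(summarize(analyze(SAMPLE_EVENTS)))
```

On the sample data the sanctioned launch from Program Files is silent, while the staged installs, the scheduled task, the service and the Run key each produce a finding. The rules deliberately key on behaviour (switches, path, persistence mechanism) rather than file hashes, so a renamed or updated binary still matches; the trade-off is that a legitimate software-deployment job will also trip Rule 1, so exclude your deployment tool's parent process or service account rather than loosening the rule.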