A brand new report from Cofense Intelligence reveals a troubling pattern in cyberattacks: criminals are more and more hijacking official Distant Entry Instruments (RATs) to infiltrate laptop techniques. In contrast to malicious software program particularly designed for hacking, these instruments are constructed for lawful functions, usually utilized by IT professionals in firms. Their real nature makes them significantly harmful, as they will bypass conventional safety measures and person suspicion.
The Deception of Professional RATs
Menace actors are leveraging the inherent belief in these instruments to realize entry to sufferer machines, researchers famous within the weblog put up shared with Hackread.com. As soon as put in, these official RATs develop into a gateway for delivering additional dangerous packages, spying on person actions, or stealing delicate data like passwords and confidential enterprise information. The flexibility of those instruments, mixed with their look of being reliable software program, makes them a potent weapon within the fingers of cybercriminals.
Cofense Intelligence highlighted a number of ceaselessly abused official RATs. ConnectWise ScreenConnect, beforehand generally known as ConnectWise Management and ScreenConnect, emerged as the preferred alternative for attackers in 2024, showing in 56% of energetic menace reviews involving official RATs.
“ConnectWise RAT is probably the most popularly abused official distant entry device and accounted for 56% of all energetic menace reviews (ATRs) with official distant entry instruments in 2024,” wrote Kahng An from Cofense’s Intelligence Workforce of their report.
Its reputation is surging additional in 2025, with present assault volumes already matching these seen all through final 12 months. One other device, FleetDeck, noticed a surge in use through the summer time of 2024, significantly focusing on German and French audio system with finance-themed lures.
Frequent Assault Strategies and World Impression
Attackers make use of varied strategies to trick victims into putting in these instruments. For ConnectWise ScreenConnect, notable campaigns embody spoofing the US Social Safety Administration with emails falsely claiming to supply up to date profit statements.
These emails usually include hyperlinks to faux PDF information or on to the RAT installer. One other tactic noticed since February 5, 2025, includes emails pretending to be notifications about shared information on “filesfm,” main victims to obtain a seemingly official OneDrive shopper that’s, in reality, the ConnectWise RAT installer.
Based on Cofense, different official RATs are additionally being exploited. Atera, a complete distant monitoring and administration suite that integrates with instruments like Splashtop, has been utilized in campaigns focusing on Portuguese audio system in Brazil with faux authorized notices and invoices since October 2024.
Smaller, much less frequent RATs like LogMeIn Resolve (GoTo RAT), Gooxion RAT, PDQ Join, Mesh Agent, N-Ready, and Teramind have additionally been noticed in varied, usually localized, campaigns.
The benefit and low price of buying these instruments enable attackers to rapidly swap between completely different ones, posing a steady problem for cybersecurity safety, Cofense researchers concluded, including that such campaigns are sometimes one-off occasions which might be onerous to maintain.
“These campaigns are typically one-off occasions and don’t look like sustained over time. It’s potential that the menace actors rapidly pivot between completely different RATs due to the general giant variety of completely different choices which might be obtainable available on the market.”
