191/68 Tuesday, May 27, 2025
A May 2025 report by Cofense Intelligence highlights a troubling cybersecurity trend: cybercriminals are increasingly abusing legitimate remote access tools (RATs) such as ConnectWise and Splashtop to infiltrate computer systems. Originally designed for IT professionals, these trusted tools have become double-edged swords — their legitimacy and familiarity allow them to bypass traditional security measures and raise little suspicion from users. Once installed, these tools serve as gateways for malware deployment, enabling threat actors to spy on user activity or steal sensitive data.
According to Cofense, ConnectWise ScreenConnect emerged as the most abused legitimate RAT in 2024, appearing in 56% of threat reports involving legitimate remote access tools, and its use continues to rise in 2025. Attackers often deliver it via phishing emails disguised as communications from official entities — such as fake welfare notifications from the U.S. Social Security Administration or fake file-sharing alerts from services like files.fm, tricking users into downloading the maliciously deployed RAT.
Other tools are also on the rise:
- FleetDeck usage spiked in summer 2024, especially in campaigns targeting German and French-speaking users with finance-themed lures.
- Atera, a remote monitoring and management (RMM) platform that integrates Splashtop, has been used to target users in Brazil with fake invoices and legal documents.
Researchers warn that the low cost, high accessibility, and ease of deployment of these tools make them attractive to cybercriminals. The ability to quickly switch between RATs complicates defense efforts, as such attacks tend to be sporadic and difficult to track over time.
Cofense concludes that this growing trend poses a major challenge for cybersecurity, especially in environments where trusted tools can be easily repurposed for malicious ends.
Source https://hackread.com/connectwise-screenconnect-tops-abused-rats-2025/
