{"id":10357,"date":"2025-07-30T09:00:00","date_gmt":"2025-07-30T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/email-delivered-rmm\/"},"modified":"2026-05-25T09:12:43","modified_gmt":"2026-05-25T08:12:43","slug":"email-delivered-rmm","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/email-delivered-rmm\/","title":{"rendered":"Email-Delivered RMM: Abusing PDFs for Silent Initial Access"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Email-Delivered RMM: Abusing PDFs for Silent  <span class=\"blue-text\">Initial Access<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Email Security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Ransomware                                    <\/span>\n  
                                                                  <span class=\"wp-component-content__meta-category\">\n                                        Threat intelligence                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                30.07.2025                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Jaa t\u00e4m\u00e4                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/email-delivered-rmm\/&#038;title=Email-Delivered%20RMM:%20Abusing%20PDFs%20for%20Silent%20Initial%20Access\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Jaa LinkedIniss\u00e4\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Email-Delivered RMM: Abusing PDFs for Silent Initial 
Access&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/email-delivered-rmm\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Jaa X:ss\u00e4 (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                            <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-300x200.jpg.webp 300w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_c7303026aab558281b95a647da91a144\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 
10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Jeremy Ong<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Sis\u00e4ll\u00f6n navigointi            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    Valitse jakso                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share 
wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/email-delivered-rmm\/&#038;title=Email-Delivered%20RMM:%20Abusing%20PDFs%20for%20Silent%20Initial%20Access\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Jaa LinkedIniss\u00e4\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Email-Delivered RMM: Abusing PDFs for Silent Initial Access&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/email-delivered-rmm\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Jaa X:ss\u00e4 (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <h2>Introduction<\/h2>\n<p>Since November 2024, WithSecure has been tracking a slight uptick of targeted activities leveraging Remote Monitoring and Management (RMM) tools embedded 
within PDF documents. The activity primarily targets organizations in France and Luxembourg, using socially engineered emails to deliver a clean PDF containing an embedded link to an RMM installer, a simple but effective method of bypassing many email and malware defences.<\/p>\n<p>RMM tools, while legitimate in nature, have emerged as a popular initial access and persistence vector for threat actors. Their use enables attackers to gain access to networks, disable security features, escalate privileges, and deploy subsequent malware using a \u201cclean\u201d and trusted tool. This tactic is neither new nor uncommon; notably, the <a href=\"https:\/\/intel471.com\/blog\/threat-hunting-case-study-rmm-software\" target=\"_blank\" rel=\"noopener\">Black Basta ransomware group has been observed impersonating IT support personnel to trick victims into installing RMM tools<\/a>, which were then used to deliver ransomware.<\/p>\n<p>The purpose of this blog is to highlight the risks posed by such tooling, and provide awareness and insights into the ongoing, trending activity with an emphasis on the evolution of the RMM tools used by threat actors.<\/p>\n<h2>Activity Overview<\/h2>\n<p>The activity observed and tracked by WithSecure since November 2024 represents a highly focused pattern, primarily targeting organizations in France and Luxembourg. The threat actors leverage carefully crafted PDFs tailored to the victim\u2019s industry while also referencing the specific RMM tool being deployed. These PDFs are often disguised to look like invoices, contracts, or property listings to enhance credibility and lure victims into clicking the embedded link. For instance, one PDF used to target a real estate organization in the Netherlands was written in Dutch and included blurred images of properties. This design was intended to create the illusion of legitimate content that has been obscured, prompting the victim to install a program. 
In this case, the program was FleetDeck RMM.<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/rmmpdf1.png.webp\" alt=\"\" \/><\/figure>\n<p>While the majority of observed activity has focused on France and Luxembourg, it has not been limited to these countries. Most cases have occurred within Europe, suggesting a regional targeting strategy. Moreover, the inclusion of Luxembourg as a primary target is particularly interesting. Despite its proportionately small population compared to other European countries, Luxembourg has one of the highest GDPs per capita globally, making it an appealing target for financially motivated threat actors. The activity appears to be prioritizing high-value sectors such as energy, government, banking, and construction industries, commonly targeted in cybercrime. This reinforces the idea that the threat actors are targeting organizations where a successful compromise could yield greater financial gain, rather than broad-scale distribution, which typically involves sending out high volumes of generic phishing emails in hope that a few recipients will take the bait.<\/p>\n<p>Although isolated activities have also been seen outside of Europe, the overall geographic pattern supports the likelihood of a Europe-based or Europe-focused threat actor, with a strong understanding of local language and business sectors.<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/rmmpdf2.png.webp\" alt=\"\" \/><\/figure>\n<h2>Delivery Vector<\/h2>\n<p>The delivery mechanism used in these activities centers around PDF documents containing a single embedded direct download link to an RMM installer. These PDFs are typically distributed via social engineering emails, crafted to appear relevant to the victim\u2019s industry or role. 
To enhance credibility, the threat actor either spoofs email addresses or registers lookalike domains. In many cases these emails impersonate real employees in significant roles from the spoofed organization, further increasing their apparent authenticity. This combination of email spoofing and impersonation tactics significantly improves the success rate of the phishing email.<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/rmmpdf3.png.webp\" alt=\"\" \/><\/figure>\n<p>The embedded links within the PDFs point directly to download URLs generated by the RMM vendors when the threat actor registers an account on the platform. These URLs are unique and may include information such as an access key, which links the installer back to the attacker\u2019s account. Since RMM tools are commonly used for legitimate IT support, this tactic allows the attackers to bypass email and antivirus scans, not only on the email attachment itself but also on the embedded URL and the downloaded executable.<\/p>\n<p>In more recent activities, a notable shift in delivery method has been the abuse of Zendesk as a distribution channel. Instead of relying solely on traditional phishing emails, the threat actor has submitted tickets or replies through Zendesk that include the malicious PDF. While the exact content of these tickets or replies remains unclear, analysis from VirusTotal indicates that the malicious PDFs were being downloaded from Zendesk-hosted URLs. Although Zendesk scans attachments for malware, the embedded link within the PDF points to a clean, signed RMM installer hosted on a reputable domain, allowing the PDFs to evade detection. 
This shift likely reflects an effort to bypass email security controls by leveraging a trusted platform that is not typically associated with phishing delivery.<\/p>\n<h2>RMM Tooling<\/h2>\n<p>WithSecure has observed the use of several different RMM tools across the tracked activity cluster. These include well-known solutions such as FleetDeck, Atera, and Bluetrait, among others. The selection of tools does not appear to be tailored to the victim\u2019s industry or region. Instead, the common factor among these tools is their availability via direct download links and the fact that they do not require any further setup or configuration after installation. This enables threat actors to streamline the infection process. Once the victim clicks the embedded link and runs the installer, the RMM tool becomes immediately operational and often grants remote access without requiring further user interaction or authentication steps. A notable exception to this pattern is the use of ScreenConnect, which was delivered via a redirect URL embedded in the PDF rather than a direct download link. This may have been done to avoid exposing the RMM instance domain, which appears to be visible in direct download links based on VirusTotal searches. This approach could make it more difficult for defenders to attribute or track the activity.<\/p>\n<p>While WithSecure began tracking this activity in November 2024, earlier instances of RMM usage have been observed in VirusTotal submissions dating back to July 2024.<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/rmmpdf4.png.webp\" alt=\"\" \/><\/figure>\n<h2>File metadata<\/h2>\n<p>Metadata analysis of the PDFs used in this activity cluster reveals notable patterns that offer insight into the tooling used during PDF creation. 
WithSecure has identified seven distinct values in the author metadata field:<\/p>\n<ul>\n<li>Dennis Block<\/li>\n<li>Guillaume Vaugeois<\/li>\n<li>Alina Georgiana Mihalcea<\/li>\n<li>WorldStream Customer<\/li>\n<li>ALEXANDERS PARAIN<\/li>\n<li>DABA DABA<\/li>\n<li>COMPTA VDB<\/li>\n<\/ul>\n<p>While these names do not appear to correspond to known threat actors, and no clear linkage has been established between them, their inconsistent and seemingly random nature suggests that they may be randomly assigned. This could reflect the use of varied tools to generate the phishing documents, or an intentional effort to diversify metadata in order to evade detections.<\/p>\n<p>Further metadata analysis, specifically the creator and producer fields, provides additional insight into the tools used to generate these PDFs. Several samples indicate the use of common document editing platforms, including:<\/p>\n<ul>\n<li>Microsoft Word<\/li>\n<li>Canva<\/li>\n<li>ILovePDF<\/li>\n<\/ul>\n<p>These findings indicate the use of widely available tools in the document creation process, possibly to streamline production or obscure the origin of the files.<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/rmmpdf5.png.webp\" alt=\"\" \/><\/figure>\n<table cellpadding=\"3\" cellspacing=\"0\" border=\"1\">\n<caption>&nbsp;<\/caption>\n<tbody>\n<tr>\n<td><b>Author<\/b><\/td>\n<td><b>Tool (Creator\/Producer)<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"301\" valign=\"top\">\n<p>Dennis Block<\/p>\n<\/td>\n<td width=\"301\" valign=\"top\">\n<p>Microsoft Word, ILovePDF<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"301\" valign=\"top\">\n<p>Guillaume Vaugeois<\/p>\n<\/td>\n<td width=\"301\" valign=\"top\">\n<p>Canva<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"301\" valign=\"top\">\n<p>Alina Georgiana Mihalcea<\/p>\n<\/td>\n<td width=\"301\" valign=\"top\">\n<p>Canva<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"301\" 
valign=\"top\">\n<p>WorldStream Customer<\/p>\n<\/td>\n<td width=\"301\" valign=\"top\">\n<p>Microsoft Word<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"301\" valign=\"top\">\n<p>ALEXANDERS PARAIN<\/p>\n<\/td>\n<td width=\"301\" valign=\"top\">\n<p>Canva<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"301\" valign=\"top\">\n<p>DABA DABA<\/p>\n<\/td>\n<td width=\"301\" valign=\"top\">\n<p>Canva<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"301\" valign=\"top\">\n<p>COMPTA VDB<\/p>\n<\/td>\n<td width=\"301\" valign=\"top\">\n<p>Canva<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 1. Summary of author metadata and PDF creation tools used in observed samples<\/p>\n<h2>Mitigation<\/h2>\n<p>To reduce exposure to this activity cluster, organizations should implement a combination of technical controls and user awareness measures. Blocking direct downloads of known RMM installers can prevent initial access, particularly when tools like FleetDeck, Atera, or ScreenConnect are not part of the approved IT stack. Furthermore, implementing application allowlisting can prevent unauthorized RMM tools from executing in the environment. Where possible, access to these installers and tools should be restricted unless explicitly required or approved by the IT or security team.<\/p>\n<p>In parallel, organizations should monitor for unauthorized RMM activity. Unusual process chains, such as a PDF reader launching a browser that then downloads an RMM EXE or MSI file, should trigger alerts. Endpoint detection and response (EDR) solutions can help surface this behavior effectively.<\/p>\n<p>Finally, user training remains a critical defense. Employees should be made aware of phishing tactics involving fake invoices, contracts, or IT support requests that attempt to trick them into installing remote access software.<\/p>\n<h2>Conclusion<\/h2>\n<p>The activity cluster observed by WithSecure highlights how legitimate tools, such as RMM software, continue to be repurposed for malicious use. 
By embedding direct download links within PDF documents and delivering them through social engineering techniques, threat actors can bypass traditional detection mechanisms and lower the barrier for initial compromise.<\/p>\n<p>Although no post-infection payloads have been observed, the use of RMM tools strongly suggests their role as an initial access vector, potentially enabling further malicious activity. Ransomware operators in particular have favoured this approach, with groups such as Black Basta, Conti, Royal, and BlackCat previously observed using RMM tools to establish initial access before deploying ransomware payloads.<\/p>\n<p>This ongoing activity targeting France, Luxembourg, and surrounding regions underscores the importance of visibility into seemingly harmless tools, especially when delivered through unconventional vectors like embedded PDF links. Organizations should remain alert to the abuse of legitimate software and continue to harden their environments against socially engineered threats.<\/p>\n<h2>IOCS<\/h2>\n<h3>Observed RMM Installer URLs<\/h3>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"3\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"123\"><b>RMM Tool<\/b><\/td>\n<td valign=\"top\" width=\"479\"><b>Download URLs<\/b><\/td>\n<\/tr>\n<tr>\n<td rowspan=\"10\" valign=\"top\" width=\"123\">FleetDeck<\/td>\n<td valign=\"top\" width=\"479\">hxxps:\/\/agent[.]fleetdeck[.]io\/QsoxdPZw4B9TXSgRtqBnNM?win<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/agent[.]fleetdeck[.]io\/AXcsqzW86wmaHrjPNaYQTo?win<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/agent[.]fleetdeck[.]io\/Z3dBX7JqaJpCzvCWLWYw2?win<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/agent[.]fleetdeck[.]io\/HoX9E2imWqMazYqypRUuzv?win<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/agent[.]fleetdeck[.]io\/16Dj3d4Fdn8NMMfbrVSeQn?win<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" 
width=\"479\">hxxps:\/\/agent[.]fleetdeck[.]io\/Nhohu2abKJS6eQiQmDFcQF?win<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/agent[.]fleetdeck[.]io\/JGGvyrtLZMfchTVtuz4Kzu?win<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/agent[.]fleetdeck[.]io\/U4KA7AKnzheqApGs3H2dJb?win<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/agent[.]fleetdeck[.]io\/Cy7aGZfvLsfKEuk8rEGPWn?win<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/agent[.]fleetdeck[.]io\/T9sTRrGyhJKjM4eFfqrnWy?win<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"123\">Action1<\/td>\n<td valign=\"top\" width=\"479\">hxxps:\/\/app[.]eu[.]action1[.]com\/agent\/7409f2b3-8fe0-11ef-8ef6-9f7ccf3fde70\/Windows\/agent\\(My_Organization\\)[.]msi<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"11\" valign=\"top\" width=\"123\">Bluetrait<\/td>\n<td valign=\"top\" width=\"479\">hxxps:\/\/moduleadobeu[.]bluetrait[.]io\/simple\/msp_download_agent?os=windows&amp;access_key=8f92d3d1-ed14-41ff-ba2d-6abeeae4c492<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/massen[.]bluetrait[.]io\/simple\/msp_download_agent?os=windows&amp;access_key=b888df6c-4488-4146-8fd1-9292023576ad<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/altrotech[.]bluetrait[.]io\/simple\/msp_download_agent?os=windows&amp;access_key=3a682a3f-ffb8-4fcb-9c24-05e714de9d9a<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/revilox[.]bluetrait[.]io\/simple\/msp_download_agent?os=windows&amp;access_key=7258f2f8-0da3-4b38-8632-020b07a6d4e2<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/mitnick[.]bluetrait[.]io\/simple\/msp_download_agent?os=windows&amp;access_key=2763d93a-3794-41bb-9a63-28c9c17e2610<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/lerelaisvoyages[.]bluetrait[.]io\/simple\/msp_download_agent?os=windows&amp;access_key=7405f906-afeb-4d4c-a11f-d7cec04b2876<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" 
width=\"479\">hxxps:\/\/sogetis[.]bluetrait[.]io\/simple\/msp_download_agent?os=windows&amp;access_key=1bc87723-0bd5-4f07-b44f-613252212666<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/stauffer[.]bluetrait[.]io\/simple\/msp_download_agent?os=windows&amp;access_key=b16aeb72-bb7a-4f0e-812e-576bf15cba19<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/leferry[.]bluetrait[.]io\/simple\/msp_download_agent?os=windows&amp;access_key=8d985c6f-1862-4b80-9b32-1a28880fb5c3<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/managerbank[.]bluetrait[.]io\/simple\/msp_download_agent?os=windows&amp;access_key=44de3e71-9cb2-4a28-a5fd-7ac06d446284<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/groupe[.]bluetrait[.]io\/simple\/msp_download_agent?os=windows&amp;access_key=dd90f8fb-ff32-4041-8fc3-735e0820d58d<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"7\" valign=\"top\" width=\"123\">OptiTune<\/td>\n<td valign=\"top\" width=\"479\">hxxps:\/\/manage[.]opti-tune[.]com\/agent\/download[.]ashx?id=c6292c97-823b-4075-be7f-c703d7d4cec3<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/manage[.]opti-tune[.]com\/agent\/download[.]ashx?id=fc04f3f3-282d-4e00-a1b2-4592d5847f9d<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/manage[.]opti-tune[.]com\/agent\/download[.]ashx?id=441ff695-e33b-46d6-a069-91e06d6f12d8<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/manage[.]opti-tune[.]com\/agent\/download[.]ashx?id=2f821e8d-e075-4cba-ab36-af777d3a2e2e<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/manage[.]opti-tune[.]com\/agent\/download[.]ashx?id=35144ffd-cb78-45ed-84a1-154043cc954c<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/manage[.]opti-tune[.]com\/agent\/download[.]ashx?id=637efb75-56a0-47a2-a4f8-b394036c753d<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" 
width=\"479\">hxxps:\/\/manage[.]opti-tune[.]com\/agent\/download[.]ashx?id=9d5ad946-3334-479c-8d25-13573bb1f2f4<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" valign=\"top\" width=\"123\">Atera<\/td>\n<td valign=\"top\" width=\"479\">hxxps:\/\/helpdesksupport1747151491046[.]servicedesk[.]atera[.]com\/GetAgent\/Msi\/?customerId=1&amp;integratorLogin=alexandra[.]geyer@froid-chaud-service[.]com&amp;accountId=001Q300000TDQK9IAP<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/helpdesksupport1747151491046[.]servicedesk[.]atera[.]com\/GetAgent\/Windows\/?cid=1&amp;aid=001Q300000TDQK9IAP<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"8\" valign=\"top\" width=\"123\">Syncro<\/td>\n<td valign=\"top\" width=\"479\">hxxps:\/\/rmm[.]syncromsp[.]com\/dl\/msi\/djEtMzMyOTI3NTMtMTc3MjU3OTUxMi03MjgxNC00Mjc0NTk1<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/rmm[.]syncromsp[.]com\/dl\/msi\/djEtMzMyNjAzOTUtMTc3MTk2NDc2OS03Mjc1Mi00MjYxNzg3<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/rmm[.]syncromsp[.]com\/dl\/msi\/djEtMzM0MTY5ODItMTc3NTA2ODg2My03MzAwNS00MzIxODQ3<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/rmm[.]syncromsp[.]com\/dl\/msi\/djEtMzMzNTU3NTItMTc3Mzg3NjIyMi03Mjk1NS00MzA3MzY5<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/rmm[.]syncromsp[.]com\/dl\/msi\/djEtMzMyNzY0NTMtMTc3MjE1MTI1MS03Mjc4MC00MjY5Mjcy<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/rmm[.]syncromsp[.]com\/dl\/msi\/djEtMzM1NTAwOTYtMTc3NzUzOTk0MC03MzMyNC00MzgxMjU3<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/rmm[.]syncromsp[.]com\/dl\/msi\/djEtMzM1NDk5ODYtMTc3NzUzNDk5OC03MzMwMy00MzgxMjMw<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"479\">hxxps:\/\/rmm[.]syncromsp[.]com\/dl\/msi\/djEtMzM1NDI2NjktMTc3NzI3MDM0My03MzMwMy00MzU1MzA4<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"123\">SuperOps<\/td>\n<td valign=\"top\" 
width=\"479\">hxxps:\/\/eu-superops-wininstaller-prod[.]s3[.]eu-central-1[.]amazonaws[.]com\/agent\/4046068187223527424\/UQN7GX1C1UDC_19SYPURD17668_windows_x64[.]msi<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"123\">ScreenConnect<\/td>\n<td valign=\"top\" width=\"479\">hxxps:\/\/www[.]hpgas8[.]top\/Bin\/secure[.]ClientSetup[.]msi?e=Access&amp;y=Guest<\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Observed PDF Delivery URLs via Zendesk<\/h3>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"3\">\n<tbody>\n<tr>\n<td width=\"100\"><b>Link<\/b><\/td>\n<td valign=\"top\" width=\"150\"><b>PDF SHA256<\/b><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"150\">hxxps:\/\/ttsonline[.]zendesk[.]com\/attachments\/token\/LkWkQiX9tZyPCn51DKqQv2gn6\/?name=RECORDATORIO+IMPORTANTE[.]pdf<\/td>\n<td valign=\"top\" width=\"150\">a8dc8dd2f71366010a74a0e31e21d86a29a418cfc8f7574ce290bb4009417da0<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"150\">hxxps:\/\/ttsonline[.]zendesk[.]com\/attachments\/token\/nBdmgrkjycttoqwSzIwj0MSvR\/?name=Comisiones+de+la+primera+cuota+se+requiere+actuar+en+caso+de+discrepancia[.]pdf<\/td>\n<td valign=\"top\" width=\"150\">4e392ea104f83c5d154c12f59200755cb8e3cdfaf058000ad24a1896cbb66fa4<\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Observed Email and PDF Attachment Hashes<\/h3>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"3\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"301\"><b>Email SHA256<\/b><\/td>\n<td valign=\"top\" width=\"301\"><b>PDF SHA256<\/b><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"301\">79228809577bf65c75d8e2190f40a7201a6ea3c06521017107206ac82d8c47d5<\/td>\n<td valign=\"top\" width=\"301\">9ca4fcd50376d5cdfe86c9274305720b68b9ebadf59acb97f402810f3fcd2fc3<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"301\">e0ef73289dd4981c3f6a0d8640ea74c6cdb7340129749b44f9dc935bc56fdc33<\/td>\n<td valign=\"top\" width=\"301\">b1dae73270361e3f4ff7b7441dbe55fc433d6035285f2617f2b267d31de8e9c6<\/td>\n<\/tr>\n<tr>\n<td 
valign=\"top\" width=\"301\">c025cd3ebd280c88d5e54ce98ff92f6085c064f971e0b01310513939113e95d0<\/td>\n<td valign=\"top\" width=\"301\">bb3c78a381e5288ed314a0f0a74333cf3e581f908c84d82d997da4ab37f95141<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"301\">3f480d98a3d7d793152be1393e74c8d7ebbce67c94a6ca968b292389422e7f12<\/td>\n<td valign=\"top\" width=\"301\">16b2a07c2b5a1eb7a2aeea007910d0d30819e1f80d40ee3fb304098c6be1e584<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"301\">021f995ee8c497810ec3eecda6f87ed30ecb42ba7f22d32856b1efa231ae274b<\/td>\n<td valign=\"top\" width=\"301\">745663e1832367c54e1cca6bc34e73ff28e45caa794dc8c104045d71ba8a63f8<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Observed PDF Hashes and Author Metadata<\/h3>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"3\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"113\"><b>Author<\/b><\/td>\n<td valign=\"top\" width=\"488\"><b>PDF SHA256<\/b><\/td>\n<\/tr>\n<tr>\n<td rowspan=\"27\" valign=\"top\" width=\"113\">Dennis Block<\/td>\n<td valign=\"top\" width=\"488\">8905f6c6f08c4530bc97ec51def19272d9df344b46ad2186265fb77d0db2003c<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">035f491059caf1402e6d3886ab405b61ab8a7b8d5937fb4c5a25484c1a6b6db4<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">3268341dc59e2486672e22c8645046098b6280ad89d4a872ef98e649e2c5cd07<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">f317ebdb581fc8accf00ede9c1eab756ecb966a02bca149a66ca080a9e62aaf5<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">ae4375eec439b0ee87f01fab2af55dcc5b663d7bc4ed6cd7da3c5c659e7a66fe<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">e9727ab064f38171090ad232533e8c8dd0cc4d56d57ec7bb05b5320b3ad25221<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">e09524690e24198c1cd5808954ec0e35e09febc9527ae1036be91db605f05faf<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">ddb96adab43c3c626494bca98b00c31e8d2d4be81139f438a1b6bb98cd21db65<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" 
width=\"488\">0d8d1243844659f2b7eb7f0c7bec3057c05a0e3731f8330112b6d04dad718528<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">65878589cff87634b9f16abd0839c89020ac70499ffce8719c5a06ac40f3be1c<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">9395edd13d1d71f64b49503fb1c04836bcbb16b9bfe2b3744d4d53f49aa08385<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">b17cd37ad6d3adc89b84c7468730eda8702791531939f421880d605ef556ebf0<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">51159f622351a896439f605349301395c84cb68c245230ec76767e906d295391<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">6a9fa47a7f48274558cee2e0b901d2adaa1d97016899ed1b4c2f628760c35a0a<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">d19f13124449b4d89028e80579174a3d00cd10e0e28c3dd287b36ff50a5f3d0a<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">a6d75e175a3ceac0750eac4e2481dc260551218b61a3e19b9c8c1af4667a9913<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">1fd8c22a0bda1df277545700ac42183447ee3657f5106c9fccee623978a5b594<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">0771ddbaa101bbf4c051702026f56206bedf1b17e6dad7e68880edce2e63bbb8<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">a086433cd40c2c44fb76d29698333ffddac950e9dc9c7735cd9bf45194de496c<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">7f47f0b9d53927f05933d4881210023c876014f84515238a9e2abfb3b9bb28f3<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">e694758dc5495d71092ea50a8226400d38a18095e6936e063038c65374949016<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">c2325214fcd3ec4990a6caff5eb920f30296ad7ed2c9c753e5815f83fc447304<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">0d7b4a1d4558e0c6d29bc9a83f20db350f5afe6666942a372ec9a97003365a2d<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">1904d3ea755e13f64cb09f372cd9b107883f76ca73149d4f21f97022fdb28afe<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" 
width=\"488\">c6a8637397a3570c0f153be98303e6b7492c3dac3b94976f6fb2408f46a1763d<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">87d3d71acd6aaf23626e63a95b0f33c0f3fe953456db39fbaa64c61fb9cedaff<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">9dd3d568196bc8f1e417f743422fc017f48554e4604dd670b3ff06d6bf80b957<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"9\" valign=\"top\" width=\"113\">Guillaume Vaugeois<\/td>\n<td valign=\"top\" width=\"488\">0875b075f3a9da3d345e0a2b922a134baa0cbf2eaf5754da2a75d2dab2341d13<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">6950bd0c815b0ff60404610274380621d38a3e3a22c2e72d7c64f6adeb06c187<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">81e3329a89f839952ff0ffbc9cd3e3c80796115184e9b5a0bccba99d806d8b61<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">871d457b03ec654bfb15e568cfb630198aca3b92be86b4e2684c2a09be983563<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">e9ba9b7e78607ca072e7cab9890c1742a7f2d82b8a6a6da2c56ac9732dfc9bd9<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">0c76e50d3cc947d17990c3afd44295c6299430942a4eccb1c87f8b3ea4d2def8<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">22e64e7ec0056a4bbeeab7acb3d46ef796c5256c9c934369ad29c35a1df050eb<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">1bcfbc79c000a18721dfbe1fa44906389146ba9e1c940f8ebe61c5ab5658e4bd<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">c8f077a306b2a960713c374ceb82210eb78975f62c0c5aa1dbb22e36faf949db<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"113\">Alina Georgiana Mihalcea<\/td>\n<td valign=\"top\" width=\"488\">129df778cde4bb19049d9f48bfaaabf7baec541072dd64c0024b55d63e793a9f<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"9\" valign=\"top\" width=\"113\"><\/td>\n<td valign=\"top\" width=\"488\">f0119123b86550df9ec2d7946030aab7d387aef37d006eb352498b374c0df941<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">1f146f8fe2e7eb5d0dd0a6b7b92259bae51c0fcb376e039743ec591ba8d01e22<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" 
width=\"488\">dc129f059e6d58e1f38e0eed886a5fb165c069a8028a4c7debea1d8a028e0231<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">2048c6d87ad991d2975b07568bdd5ef52e210f27b7ac85506e37619096c4f0ff<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">0e63cc926ac72c4e65eba76f06cbfaabe95623701432c5fe67d1fe00663fba9d<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">a3e89e90ef69385aa3dfabfa76c7fdfad28063ed6032a4439dfef48694ed487e<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">eea65f23c944c5104ec7ee55e4939b51babeddcdbb52459fc2b065434e07e30d<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">e87c3fb7031ac89ce8f38b9542c55bf96097faea50d7887a731e466bc9b6f990<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">0c8c4b93170a8de7c857c5f4030c6a1e2394940bbd3d48f100014b3d0c64ed90<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" valign=\"top\" width=\"113\">WorldStream Customer<\/td>\n<td valign=\"top\" width=\"488\">3182309746d206db5eadb8743160bf802e012ea70dfa5ee39120e0494532098f<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">c9beb4996ad6ade7070e684c7d3f6f8e8d02de30af0bfaf85504ab06a36d7c76<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">7e10d37f2abb2bbdf1c4f7bf29277cf01a385301682068a82006563445f80a20<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">44baab4692375ad15363acdec3f57eb7cfea0e65456fff921624e6a531089aac<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" valign=\"top\" width=\"113\">ALEXANDERS PARAIN<\/td>\n<td valign=\"top\" width=\"488\">951ceed3102757d284e84804c4aa002a22502ab72fef10d2317be5192ae8a0ee<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"488\">52d3d7ae7c8f53249867714f24bafe68aeae665a5fa7cd4b426bb3e637d9cbf0<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"113\">DABA DABA<\/td>\n<td valign=\"top\" width=\"488\">d3211a41eb9bc727b6de76fe9262ffdf4f38f6c8ca8a6e10d3b82a6be5c07564<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"113\">COMPTA VDB<\/td>\n<td valign=\"top\" 
width=\"488\">9ca4fcd50376d5cdfe86c9274305720b68b9ebadf59acb97f402810f3fcd2fc3<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n                <\/div>\n                        <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>Since November 2024, WithSecure has been tracking a slight uptick of targeted activities leveraging Remote Monitoring and Management (RMM) tools embedded within PDF documents.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[354,213,304],"labs_content_type":[305,327],"class_list":["post-10357","lab_item","type-lab_item","status-publish","hentry","category-email-security","category-ransomware","category-threat-intelligence"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span 
class=\"wp-component-card-insight__category\">Email Security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Ransomware<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Email-Delivered RMM: Abusing PDFs for Silent Initial Access<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">Since November 2024, WithSecure has been tracking a slight uptick of targeted activities leveraging Remote Monitoring and Management (RMM) tools embedded within PDF documents.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/email-delivered-rmm\/\">Lue lis\u00e4\u00e4<\/a>            <\/div>\n            
<\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item\/10357","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/media?parent=10357"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/categories?post=10357"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/labs_content_type?post=10357"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}