Ransomware Gangs Exploit Remote Access Tools for Persistence and Defense Evasion

Ransomware operators have increasingly turned to legitimate Remote Access Tools (RATs) like AnyDesk, UltraViewer, RustDesk, and Splashtop to establish stealthy footholds and evade detection.

By abusing free or enterprise editions of these tools, attackers bypass traditional security controls, leveraging trusted digital signatures, encrypted channels, and built-in unattended-access features to maintain persistence, move laterally, neutralize defenses, and ultimately deliver crippling payloads.

Hijacking and Silent Installation for Stealthy Persistence

Following initial access through brute-forcing RDP or credential reuse, operators probe endpoints for preinstalled RAT services.

In “hijacking” scenarios, they enumerate WMI or registry entries, then inject attacker credentials or modify access policies, avoiding new executables that would trigger alerts. Alternatively, they deploy signed installers in silent mode.

Common silent-install flags include /S, /VERYSILENT, /quiet, /NORESTART for UltraViewer and TightVNC, and --install --silent --start-with-win for AnyDesk.

For RustDesk, attackers often run rustdesk.exe --service install --password "Str0ngPass123" to enable unattended access. These techniques create minimal disk artifacts and blend into regular administrative traffic.

Defense Evasion and Lateral Movement Tactics

Once RAT services are active, adversaries escalate privileges using tools like PowerRun or by exploiting TrustedInstaller, enabling RAT processes to run as SYSTEM.

They then manipulate Windows security policies to exclude RAT directories from antivirus scans and actively terminate AV services via sc stop <service>. To cover their tracks, they clear event logs with commands such as wevtutil cl Security, shred forensic artifacts, and disable shadow copy backups.

Interactive desktop control facilitates the deployment of Living-off-the-Land binaries (LOLBins), such as PowerShell and rundll32, further masking malicious operations.

With elevated privileges and stealthy RAT sessions, attackers perform lateral movement by reusing harvested credentials or remotely deploying RAT binaries across the network.

Enterprise-wide deployments of tools like Splashtop and CloneDesk are repurposed to propagate installs via group policy or existing software update mechanisms, accelerating spread without raising suspicion.

Indicators include unusual RDP logon type 10 events at odd hours, logins from foreign geolocations, or multiple endpoints suddenly initiating RAT sessions.

Impact and Mitigation Strategies

In the final phase, ransomware payloads, often variants such as LockBit, Black Basta, or Makop, are transferred and executed through active RAT channels, encrypting critical files and locking out administrators by rotating RAT credentials. Some campaigns even abuse RAT file-transfer functions to exfiltrate data before encryption.

Defenders can disrupt these advanced chains by enforcing multi-factor authentication for all remote access services and restricting RAT installations through application allow-listing.

Continuous monitoring of registry run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), hidden scheduled tasks, and anomalous silent-install commands is essential.

Endpoint detection platforms should flag the launch of unsigned or atypical RAT processes and LOLBin usage outside standard maintenance windows.
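As an added illustration of the monitoring described above (example code written for this page, not part of the original article or any vendor product), the following Python script tags constructed process-creation events by the silent-install switches and log-clearing commands the article names, and marks hits that occur outside a maintenance window; the RAT name list, the maintenance hours and the sample events are assumptions.

```python
import re
from datetime import datetime

# Assumptions (not from the article): which executable names count as RATs
# and which hours form the normal maintenance window.
RAT_NAMES = ("anydesk", "rustdesk", "ultraviewer", "splashtop", "tightvnc")
MAINTENANCE_HOURS = range(8, 18)  # 08:00-17:59 local time
# Silent-install switches and defense-evasion commands named in the article.
SILENT_FLAGS = re.compile(r"(?i)(?:^|\s)(/S|/VERYSILENT|/quiet|/NORESTART|--install|"
                          r"--silent|--start-with-win|--service\s+install|--password)\b")
EVASION = re.compile(r"(?i)\b(?:sc\s+stop|wevtutil\s+cl)\b")

def classify(event):
    """Return detection tags for one process-creation event (time, user, cmdline)."""
    cmd = event["cmdline"]
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', cmd)  # first token, quoted or bare
    exe = (m.group(1) or m.group(2)).lower() if m else ""
    tags = []
    if any(name in exe for name in RAT_NAMES):
        tags.append("rat_process")
        if SILENT_FLAGS.search(cmd):
            tags.append("silent_install")
    if EVASION.search(cmd):
        tags.append("defense_evasion")
    if tags and datetime.fromisoformat(event["time"]).hour not in MAINTENANCE_HOURS:
        tags.append("outside_maintenance_window")
    return tags

def scan(events):
    """Return (user, cmdline, tags) for every event that fires at least one tag."""
    hits = []
    for ev in events:
        tags = classify(ev)
        if tags:
            hits.append((ev["user"], ev["cmdline"], tags))
    return hits

# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T02:13:00", "user": "CORP\\svc-backup",
     "cmdline": r'"C:\Users\Public\rustdesk.exe" --service install --password "Str0ngPass123"'},
    {"time": "2024-05-01T02:15:30", "user": "CORP\\svc-backup",
     "cmdline": "sc stop ExampleAVService"},
    {"time": "2024-05-01T02:16:05", "user": "CORP\\svc-backup",
     "cmdline": "wevtutil cl Security"},
    {"time": "2024-05-01T10:30:00", "user": "CORP\\helpdesk1",
     "cmdline": r'"C:\Program Files\AnyDesk\AnyDesk.exe"'},
    {"time": "2024-05-01T11:00:00", "user": "CORP\\alice",
     "cmdline": r"C:\Windows\System32\notepad.exe report.txt"},
]
if __name__ == "__main__":
    for user, cmd, tags in scan(SAMPLE_EVENTS):
        print(f"{user:17} {','.join(tags):52} {cmd}")
```

A daytime interactive AnyDesk launch is tagged only as rat_process, while the night-time silent RustDesk install followed by service stops and log clearing stacks several tags on one account, which is the pattern worth an alert.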

Disabling or removing unused RAT software, coupled with rigorous patch management, reduces the attack surface. Finally, network segmentation limits lateral spread, while frequent backups and tested recovery workflows mitigate the impact of eventual encryption.

By understanding the nuanced ways legitimate Remote Access Tools are subverted, security teams can design layered defenses that convert trusted utilities from hidden liabilities into monitored assets, frustrating ransomware gangs before they encrypt data or exfiltrate valuable information.


Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
