Threat actors are increasingly abandoning custom malware in favour of the native, built-in binaries already present on the target. This strategy is known as Living off the Land (LotL). It turns tools intended for legitimate administration against the machine they run on, and because the activity blends in with routine administrative use, it is hard to distinguish from normal operations and therefore hard to detect.

Recently, while remediating an incident at an organization, we observed a textbook example of this attack chain. The attack combined a clever social engineering tactic known as ClickFix with legacy Windows protocols to establish persistence and deploy rogue remote monitoring and management (RMM) software in the environment.