MeshCentral
MeshCentral is a legitimate open-source remote monitoring and management (RMM) platform that has been repeatedly observed being repurposed by threat actors as a post-exploitation remote access implant and persistent backdoor. In the provided reporting, attackers deployed customized MeshCentral agents after initial compromise, including a sample disguised as a Microsoft Azure service named "meshagent64-azure-ops.exe" with command-and-control traffic routed to a domain mimicking Azure infrastructure, followed by internal reconnaissance, lateral movement, and zstd-compressed data exfiltration. MeshCentral was also observed installed for lateral movement and persistence under the mesh name "Access," including a MeshAgent connecting to rtb[.]mftadsrvr[.]com in exploitation of Gladinet CentreStack/Triofox CVE-2025-30406, and a sample named "meshagent32-Access.exe" configured to connect to wss://az.lsa.az:444/agent.ashx in infrastructure analyzed by Breakglass Intelligence. The content associates MeshCentral use with multiple intrusion sets and campaigns, including ShinyHunters/UNC6240 activity exploiting Oracle PeopleSoft CVE-2026-35273, Pioneer Kitten operations across Linux and cloud systems, opportunistic exploitation observed by GreyNoise, and post-compromise activity following React2Shell exploitation. High-confidence behaviors directly mentioned include remote machine management, persistent access, use as remote access tooling during lateral movement, and blending with legitimate enterprise deployments through generic naming and masquerading.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2026-35273 affects PeopleSoft PeopleTools Environment Management Hub (PSEMHUB) versions 8.61 and 8.62. It is remotely exploitable without authentication, can lead to remote code execution, and Mandiant traced active exploitation back to May 27, 2026, before Oracle's June 10 advisory. ShinyHunters/UNC6240 exploited it across roughly 300 vulnerable PeopleSoft instances at more than 100 organizations.
Post-exploitation tradecraft is worth flagging for your SOC readers: attackers deployed a customized MeshCentral remote management agent disguised as a Microsoft Azure service (meshagent64-azure-ops.exe), with command-and-control traffic routed to a domain mimicking Azure infrastructure, followed by internal reconnaissance, lateral movement scripts, and zstd-compressed exfiltration.
Threat actors have also been observed performing lateral movement and installing remote access tooling, namely MeshCentral.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Post-exploitation tradecraft is worth flagging for your SOC readers: attackers deployed a customized MeshCentral remote management agent disguised as a Microsoft Azure service (meshagent64-azure-ops.exe), with command-and-control traffic routed to a domain mimicking Azure infrastructure, followed by internal reconnaissance, lateral movement scripts, and zstd-compressed exfiltration.
The group uses a combination of living-off-the-land tools (like ligolo, socat, proxychains) and post-exploitation frameworks (like Havoc, MeshCentral, and custom C2 binaries) across Linux and cloud systems.
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Execution
1 technique
Persistence
1 technique
Stealth
1 technique
Credential Access
1 technique
Discovery
7 techniques
The command history showed attackers used the MeshCentral tool to run administrative queries on compromised endpoints and identify additional application servers within victim networks.
Leveraged the MeshCentral CLI utility meshctrl.js to execute administrative command queries on compromised remote endpoints: hostname; id.
Mapped Oracle PeopleSoft system configurations by inspecting the process scheduler configuration file (psappsrv.cfg) to extract machine names and IP addresses.
Lateral Movement
2 techniques
Command and Control
4 techniques
with command-and-control traffic routed to a domain mimicking Azure infrastructure
Mandiant then triaged five sequential IP addresses running Python's SimpleHTTP server on port 8888... The agents called home to a command-and-control server at azurenetfiles.net...
On another affected host, we observed the threat actor upload and stage the MeshCentral agent... READ: command:openFile ... upload_path:/Windows/Temp/mesch.exe ... Another DLL was pulled onto the host... filePath:/Windows/Temp/d3d11.dll ... the threat actor attempted to run two SimpleHelp executables from C:\Windows\.
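The family description at the top of this page and the Command and Control evidence above name the traits that reporting attached to abused MeshCentral agents: meshagent binaries renamed to pass as cloud or vendor components (meshagent64-azure-ops.exe, meshagent32-Access.exe), dropped into locations such as C:\Windows\Temp, and WebSocket connections to /agent.ashx on servers outside the organisation's own deployment, sometimes on a non-standard port such as 444. The following hunt is an added example written for this page; it is not code from Mallory or from any of the cited reports. It runs two checks over constructed process and network events. The event schema, the hostnames, the sanctioned server mesh.corp.example and the approved install directory are assumptions; the C2 hosts and file names it matches are the ones quoted on this page.

```python
import re

# Constructed sample telemetry (not taken from any report): simplified process-creation
# and network-connection events as an EDR or proxy export might deliver them. Hostnames
# ws01/app02/app03/db01 and the corporate server mesh.corp.example are assumptions; the
# file names and C2 hosts flagged below are the ones named in the reporting above.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "user": "SYSTEM",
     "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe"},
    {"type": "process", "host": "app02", "user": "SYSTEM",
     "image": r"C:\Windows\Temp\meshagent64-azure-ops.exe"},
    {"type": "process", "host": "app03", "user": "svc_web",
     "image": r"C:\Users\Public\meshagent32-Access.exe"},
    {"type": "process", "host": "db01", "user": "SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network", "host": "ws01", "dst": "mesh.corp.example", "port": 443,
     "url": "wss://mesh.corp.example/agent.ashx"},
    {"type": "network", "host": "app03", "dst": "az.lsa.az", "port": 444,
     "url": "wss://az.lsa.az:444/agent.ashx"},
    {"type": "network", "host": "app02", "dst": "azurenetfiles.net", "port": 443,
     "url": "wss://azurenetfiles.net/agent.ashx"},
]

# Assumptions about the environment being hunted: where the sanctioned MeshCentral
# server lives and where its agent is legitimately installed. Anything else is suspect,
# because a legitimate agent and an abused one speak the same agent.ashx protocol.
APPROVED_SERVERS = {"mesh.corp.example"}
APPROVED_INSTALL_DIRS = (r"c:\program files\mesh agent",)

# Hosts named as MeshCentral C2 in the reporting summarised on this page.
REPORTED_C2_HOSTS = {"az.lsa.az", "rtb.mftadsrvr.com", "azurenetfiles.net"}

MESHAGENT_NAME = re.compile(r"^meshagent\S*\.exe$", re.IGNORECASE)
# Words seen appended to the agent name so it passes as a cloud/vendor component.
MASQUERADE_WORDS = re.compile(r"azure|access|ops|microsoft", re.IGNORECASE)


def check_process(event):
    """Return a list of reasons if a process event looks like an unsanctioned MeshAgent."""
    image = event["image"]
    name = image.replace("/", "\\").rsplit("\\", 1)[-1]
    if not MESHAGENT_NAME.match(name):
        return None
    reasons = []
    if not image.lower().startswith(APPROVED_INSTALL_DIRS):
        reasons.append("meshagent binary outside approved install directory")
    if MASQUERADE_WORDS.search(name):
        reasons.append("renamed/masqueraded agent file name")
    return reasons or None


def check_network(event):
    """Return a list of reasons if a connection is MeshAgent traffic to a non-approved server."""
    if not event.get("url", "").endswith("/agent.ashx"):
        return None
    reasons = []
    if event["dst"] not in APPROVED_SERVERS:
        reasons.append("agent.ashx connection to non-approved server")
    if event["dst"] in REPORTED_C2_HOSTS:
        reasons.append("known reported C2 host")
    if event["port"] != 443:
        reasons.append(f"non-standard port {event['port']}")
    return reasons or None


def hunt(events):
    """Run both checks over a list of events and collect findings per host."""
    findings = []
    for event in events:
        check = check_process if event["type"] == "process" else check_network
        reasons = check(event)
        if reasons:
            findings.append({"host": event["host"], "type": event["type"], "reasons": reasons})
    return findings


def hosts_flagged(findings):
    """Distinct hosts with at least one finding, for a triage queue."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['type']:8} {'; '.join(f['reasons'])}")
```

The allowlist is the important part: a sanctioned MeshCentral agent also connects to /agent.ashx over WebSocket and also ships as a meshagent binary, so matching the protocol or binary name alone would page on every legitimate endpoint. Only the combination of "MeshAgent traffic or binary" with "not our server / not our install path / a renamed file" separates the abused deployment from the enterprise one, and the reported C2 hosts are a bonus match on top, not the primary signal.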
IOCs tracked for this family
33 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A customized MeshCentral remote management agent was deployed post-exploitation to provide remote access while masquerading as a Microsoft Azure service, helping attackers blend command-and-control traffic with legitimate-looking cloud activity.
A legitimate remote monitoring and management tool abused as a persistent backdoor, providing remote desktop, file transfer, terminal access, and a JavaScript engine.
MeshCentral is an open-source remote management tool abused by attackers as a C2 agent for long-term control of infected systems.
MeshCentral is an open-source remote management tool that can be abused by attackers as a C2 agent for long-term control of compromised systems.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.