Mallory
Malware | Used by 3 actors

Remote Manipulator System

Remote Manipulator System (RMS) is legitimate Russian remote desktop and remote monitoring/management software that provides remote control, desktop sharing, and file transfer capabilities. In the provided reporting it is described as being abused as a payload in multi-stage intrusion chains and phishing campaigns rather than as bespoke malware. Proofpoint noted actors delivering off-the-shelf payloads such as RMS RAT, and separately reported that UAC-0050 had historically used RMM tools including LiteManager and Remote Manipulator System (RMS).

BlueVoyant described a Russia-aligned UAC-0050 / DaVinci Group social-engineering campaign against an unnamed European financial institution involved in regional development and reconstruction initiatives: a legal-themed phishing email spoofing a Ukrainian judicial domain led the victim to a PixelDrain-hosted ZIP, then a RAR archive, then a password-protected 7-Zip archive containing a double-extension executable (*.pdf.exe), which deployed an MSI installer for RMS. The targeted individual was a senior legal and policy advisor involved in procurement, and the likely objective was intelligence collection and/or financial theft.

CERT-UA also reported UAC-0050 use of REMCOS / TEKTONITRMS during September-October 2024 to maintain unauthorized access to accountants' computers in Ukraine and conduct at least 30 attempted fraudulent remote-banking transactions against Ukrainian companies and individual entrepreneurs. Reported host artifacts associated with RMS/TEKTONITRMS activity included %APPDATA%\RMS Agent...\rutserv.exe and related settings/log files, as well as HKCU\SOFTWARE\TektonIT registry keys.
High-confidence associations in the content link RMS abuse primarily to UAC-0050, a group described by CERT-UA as a mercenary cluster associated with Russian law enforcement agencies and involved in data gathering, financial theft, and information/psychological operations, with historical targeting centered on Ukrainian entities and possible expansion to Western European institutions supporting Ukraine.
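The host artifacts above (the rutserv.exe path under an "RMS Agent" directory in %APPDATA%, the HKCU\SOFTWARE\TektonIT key, and the *.pdf.exe double-extension lure) can be turned into a simple hunt over endpoint telemetry. The following is an added example, not code from Mallory or from any cited report; the event schema and all sample paths and subkeys are constructed for illustration, and the elided part of the agent directory name is matched as a wildcard rather than guessed.

```python
import re
from typing import Dict, List

# Host artifacts reported for RMS / TEKTONITRMS activity (taken from the page).
# The directory name is only partially known ("RMS Agent..."), so anything
# after "RMS Agent" up to the next backslash is accepted.
RUTSERV_RE = re.compile(r"\\RMS Agent[^\\]*\\rutserv\.exe$", re.IGNORECASE)
TEKTONIT_KEY_RE = re.compile(r"^HKCU\\SOFTWARE\\TektonIT(\\|$)", re.IGNORECASE)
# Double-extension executable seen in the reported delivery chain (*.pdf.exe).
DOUBLE_EXT_RE = re.compile(r"\.pdf\.exe$", re.IGNORECASE)


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the RMS-related indicator names an event matches (empty if none)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "process_create":
        image = event.get("image", "")
        if RUTSERV_RE.search(image):
            hits.append("rms_agent_rutserv")
        if DOUBLE_EXT_RE.search(image):
            hits.append("double_extension_pdf_exe")
    elif kind == "registry_set":
        if TEKTONIT_KEY_RE.search(event.get("key", "")):
            hits.append("tektonit_registry_key")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (event id, matched indicators) for every event that matches."""
    return [(e["id"], hits) for e in events if (hits := classify_event(e))]


# Constructed sample telemetry (hypothetical schema; not from any real incident).
# %APPDATA% is expanded to C:\Users\<user>\AppData\Roaming as Windows would.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "image": r"C:\Users\alice\AppData\Roaming\RMS Agent 6\rutserv.exe"},
    {"id": 2, "type": "process_create",
     "image": r"C:\Users\alice\Downloads\court_notice.pdf.exe"},
    {"id": 3, "type": "registry_set",
     "key": r"HKCU\SOFTWARE\TektonIT\ExampleSubkey"},
    {"id": 4, "type": "process_create",
     "image": r"C:\Program Files\Acme\report.exe"},
    {"id": 5, "type": "registry_set", "key": r"HKCU\SOFTWARE\Microsoft\Windows"},
]

if __name__ == "__main__":
    for event_id, hits in hunt(SAMPLE_EVENTS):
        print(event_id, hits)
```

Because RMS is legitimate software, a match should be triaged against approved RMM deployments before being treated as an intrusion.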

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Gamaredon Group

These attachments relied on a multi-stage execution chain, often using up to three nested stages, to download and execute off-the-shelf payloads like Remote Manipulator System (RMS) RAT.

via Sekoia blog (blog.sekoia.io)
UAC-0050

This was the first time Proofpoint observed UAC-0050 deliver NetSupport, as it has historically used other malware including Remcos and Lumma Stealer, but it has previously used RMMs including Litemanager and Remote Manipulator System (RMS).

via Proofpoint Threat Insight blog (proofpoint.com)
Mercenary Akula

"The execution results in the deployment of an MSI installer for Remote Manipulator System (RMS), a Russian remote desktop software that allows remote control, desktop sharing, and file transfers."

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

T1219 Remote Access Tools (Evidence: 1)

Using legitimate tools and settings to persist versus malware implants such as Cobalt Strike is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer. Some of the common enterprise tools and techniques for persistence that Microsoft has observed being used include: AnyDesk, Atera Remote Management, ngrok.io, Remote Manipulator System, Splashtop, TeamViewer.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (3)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (1)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.