Malspam Attacks Weaponize Tiflux RMMs

Overview

Security analysts have recently uncovered a sophisticated malspam campaign that leverages the Brazilian remote‑management tool Tiflux to establish stealthy persistence on victim machines. The threat actors combine Tiflux with legacy and commercial remote‑access products—UltraVNC, Splashtop, and ScreenConnect—to create a multi‑layered foothold that allows them to capture screenshots, collect system profiles, and exfiltrate data without raising suspicion.

Attack Chain

The campaign begins with phishing emails that contain a fake “service agreement” document. The victim is directed to a Cloudflare‑protected landing page that mimics a legitimate business portal. After solving a CAPTCHA, the user is presented with a download prompt for an MSI installer titled Network Solutions Agreement.msi. The installer is signed by Tiflux Sistema de Gestão LTDA and is distributed from domains controlled by the threat actors, such as hxxps://lenwillfilenetwork[.]com/downloads/Network%20Solutions%20Agreement.msi.

Once executed, the MSI unpacks a suite of components:

  • Tiflux Agent (TiAgent) – the orchestrator that communicates with a remote support server.
  • UltraVNC 1.2.0.1 – an outdated remote‑viewing tool with expired certificates.
  • 7zip & tar – compression utilities bundled for silent installation.
  • Splashtop & ScreenConnect – commercial RMMs that provide remote desktop, command execution, and data exfiltration capabilities.
  • HwRwDrv.sys – a kernel driver previously abused for privilege escalation, signed with a revoked certificate.

After deployment, the Tiflux agent pushes the additional RMMs to the target. Splashtop and ScreenConnect start automatically and connect to their respective management servers, which are hosted on IP 84[.]54[.]33[.]192 under the domain hxxp://84[.]54[.]33[.]192:8040/Bin/ScreenConnect.ClientSetup.msi. The agents then begin transmitting screenshots, system inventory data, and command logs back to the operators.

Suspicious Installer Findings

Several components raise red flags:

  • Expired VNC certificates – UltraVNC’s certificate expired in March 2014, yet the installer still references it.
  • Hard‑coded passwords – the VNC ini files contain hexadecimal‑encoded credentials that are trivial to decode.
  • Obsolete driver – HwRwDrv.sys was last updated in 2015 and is known to allow privilege escalation on Windows 10.
  • Registry modifications – the installer includes .reg files that add a TightVNC service configured to run in Safe Mode and place it in a non‑standard directory C:\PeopleOne\dependencies\tightvnc\tvnserver.exe -service.
  • SSH key injection – a .reg file injects a PuTTY host key that allows passwordless SSH to hxxps://remote1a[.]peopleone[.]com[.]br.

These artifacts point to a deliberate attempt to maintain persistence, evade detection, and expand lateral movement.

Defensive Recommendations

Security teams should implement the following controls:

  • Asset Inventory & Whitelisting – Maintain a current list of all installed applications and enforce application control policies that block unauthorized RMMs.
  • Log Correlation & Anomaly Detection – Enable logging for RMM activity and review for signs of unusual credential usage, screen‑capture, or background service creation.
  • Patch & Update Management – Ensure that all commercial RMMs and any bundled components (e.g., VNC, drivers) are kept up to date and signed by valid certificates.
  • Endpoint Detection & Response (EDR) – Monitor for MSI execution, driver installation, and unexpected registry changes.
  • User Awareness – Train staff to recognize phishing emails that reference legitimate business documents and verify the source before downloading.

Indicators of Compromise

Forensic investigators can use the following IOCs:

Conclusion

The Tiflux malspam campaign showcases the growing threat of legitimate RMMs being weaponised. By chaining multiple remote‑access tools and embedding vulnerable drivers, threat actors achieve persistent, stealthy footholds that are difficult to detect with conventional security controls. Security analysts must adopt a layered approach—combining application whitelisting, continuous monitoring, and user education—to stay ahead of these evolving tactics.

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading