Cybercriminals Exploit Fake Notepad++ and 7-Zip Sites To Distribute Remote Monitoring Malware
[ January 27, 2026 ]
Cybercriminals are tricking users with fake websites mimicking popular tools like Notepad++ and 7-Zip. These sites push Remote Monitoring and Management (RMM) tools laced with malware.
According to AhnLab’s Security Intelligence Center (ASEC), attackers now use RMM software right from the first infection stage, not just after breaching systems.
This shift makes early detection harder. RMM tools let attackers remotely control infected machines, bypassing basic antivirus scans.
Why Attackers Love RMM Tools
RMM software helps IT teams manage devices remotely for tasks like patching and monitoring. But hackers abuse it as a backdoor, similar to Remote Access Trojans (RATs).
These tools evade detection because they look legitimate. Traditional antivirus struggles with them, as their activity mimics normal admin actions.
AhnLab EDR (Endpoint Detection and Response) spots these threats through behavior analysis. It’s the only Korean solution with a behavior-based engine.
It collects data on suspicious actions, alerts admins, and helps trace root causes. This enables quick response and prevents repeats.
Fake Downloads: Notepad++ and 7-Zip Traps
ASEC found ads leading to phony download pages. Sites fake Notepad++, 7-Zip, Telegram, ChatGPT, and OpenAI pages.
Victims think they’re grabbing free utilities but instead download LogMeIn Resolve, a real RMM tool used for remote support and patching.
Once installed, LogMeIn registers the machine with attacker servers. Hackers then run PowerShell commands to drop PatoRAT, a stealthy backdoor.
Similar tricks use PDQ Connect, another RMM for software deployment and inventory. Both lead to PatoRAT installs.
AhnLab EDR flags LogMeIn and PDQ Connect executions as threats, showing logs for admins to review.
Phishing Emails Hide More RMM Threats
Attackers also send phishing PDFs named “Invoice,” “Product Order,” or “Payment.” The PDF’s preview “fails” because of its “high quality,” pushing recipients to click a Google Drive link instead.
These drop Syncro, an RMM used by Chaos and Royal ransomware gangs, plus Iran’s MuddyWater APT group.
Malware carrying the same signature also spreads ScreenConnect (abused by ALPHV/BlackCat and Hive ransomware), NinjaOne (cloud IT management), and SuperOps (MSP remote access). All of it has been signed with one certificate since October 2025.
Stay Safe: Key Defenses
Users must download from official sites only. Check file versions and certificates before installing. Avoid suspicious emails: verify senders and skip links or attachments. Keep the OS and security tools updated.
Organizations should deploy EDR like AhnLab’s for behavior monitoring. Block unknown RMM installs via policies. Train staff on phishing red flags.
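As an added defender-side example (not code from AhnLab, ASEC, or the article), the following Python script applies the behaviours the article describes as detections over a few constructed Sysmon-style process-creation events: an RMM agent started from a browser or download context, an RMM agent spawning PowerShell (the stage at which the article says PatoRAT is dropped), and the "block unknown RMM installs" policy expressed as an approved-product list. The executable names, the approved list, the event format and the sample events are all assumptions for illustration.

```python
"""RMM-abuse detection over constructed process-creation events.

Added example, not AhnLab's, ASEC's or the article's code. The event format is a
simplified key=value rendering of Sysmon Event ID 1; the image names below are
illustrative assumptions, not values taken from the article.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RMM products named in the article, keyed by an assumed agent image name.
RMM_IMAGES = {
    "logmeinresolve.exe": "LogMeIn Resolve",
    "pdq-connect-agent.exe": "PDQ Connect",
    "syncro.exe": "Syncro",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "ninjarmmagent.exe": "NinjaOne",
    "superopsagent.exe": "SuperOps",
}
# Policy: the RMM products IT has actually approved (assumed for this example).
APPROVED_RMM = {"NinjaOne"}
# Parents that indicate a user ran a freshly downloaded file.
USER_LAUNCHERS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe", "7zfm.exe"}
# Script hosts an RMM agent should not normally be spawning on a workstation.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass
class Finding:
    severity: str
    rule: str
    product: str
    image: str
    parent_image: str
    user: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess(event: dict) -> Optional[Finding]:
    """Return a Finding for the event if it matches one of the RMM-abuse rules."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    user = event.get("User", "?")
    if image in RMM_IMAGES:
        product = RMM_IMAGES[image]
        if parent in USER_LAUNCHERS:
            # Fake-download pattern: the RMM agent is launched by a browser/explorer.
            return Finding("high", "RMM launched from browser/download context",
                           product, image, parent, user)
        if product not in APPROVED_RMM:
            # Policy rule: any RMM outside the approved list is unwanted.
            return Finding("medium", "RMM not on approved list",
                           product, image, parent, user)
        return None
    if image in SCRIPT_HOSTS and parent in RMM_IMAGES:
        # Post-registration stage: the agent runs PowerShell/cmd on the host.
        return Finding("high", "script host spawned by RMM agent",
                       RMM_IMAGES[parent], image, parent, user)
    return None


def analyse(lines) -> list:
    """Run assess() over every event line and collect the findings."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Users\alice\Downloads\LogMeInResolve.exe '
    r'ParentImage="C:\Program Files\Google\Chrome\Application\chrome.exe" User=CORP\alice',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'ParentImage=C:\Users\alice\Downloads\LogMeInResolve.exe '
    r'CommandLine="powershell.exe -NoProfile -Command <constructed placeholder>" User=CORP\alice',
    r'EventID=1 Image="C:\Program Files\NinjaRMMAgent\NinjaRMMAgent.exe" '
    r'ParentImage=C:\Windows\System32\services.exe User="NT AUTHORITY\SYSTEM"',
    r'EventID=1 Image="C:\Program Files\PDQ\pdq-connect-agent.exe" '
    r'ParentImage=C:\Windows\System32\services.exe User="NT AUTHORITY\SYSTEM"',
    r'EventID=1 Image="C:\Program Files\Notepad++\notepad++.exe" '
    r'ParentImage=C:\Windows\explorer.exe User=CORP\alice',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.product} ({f.image} <- {f.parent_image}) as {f.user}")
```

Run as-is, the script reports the LogMeIn Resolve launch from Chrome and the PowerShell child of that agent as high-severity findings and the service-started PDQ Connect agent as a policy violation, while the approved NinjaOne agent and the genuine Notepad++ produce nothing. In a real deployment the approved list would be the organisation's own and the events would come from Sysmon or the EDR's process telemetry rather than an inline list.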
This wave shows RMM abuse surging. Early detection saves systems from full takeovers.
Source : https://cyberpress.org/fake-sites-distribute-spyware/