Hackers Abuse Legitimate RMM Tools to Maintain Persistent Access and Evade Detection
By Tushar Subhra Dutta
June 18, 2026
Hackers have found a new way to get AI tools to do their dirty work without paying for it. Instead of using their own resources, attackers are hijacking exposed AI model servers and plugging them into automated hacking pipelines.
The result is a self-directed attack tool that can scan targets, find weaknesses, write exploits, and attempt a break-in entirely on its own.
This threat builds on a pattern first identified in 2024, when attackers began stealing cloud credentials to abuse paid AI services, a method researchers called LLMjacking.
Worst-case financial damage was estimated at up to $46,000 per day in stolen compute charges. By 2025, the criminal ecosystem had grown into a black market with reverse-proxy networks brokering billions of stolen tokens worldwide.
Researchers at Sysdig said in a report shared with Cyber Security News (CSN) that on June 12, 2026, their Threat Research Team caught an attacker using a misconfigured Ollama model server as the brain for a multi-stage offensive tool.
Unlike earlier LLMjacking cases, the actor was not reselling access or chatting with the model. They had wired it into a software pipeline designed to automate the entire hacking process from start to finish.
The scale of the exposure problem is alarming. Researchers have catalogued roughly 175,000 publicly accessible Ollama instances across more than 130 countries.
Ollama listens on port 11434 with no authentication by default, so any internet-facing server becomes free AI compute for whoever finds it.
Since the attacker’s tool sent full instructions to the model with every request, Sysdig’s team captured the complete inner workings of the framework.
This gave researchers a rare early look at how threat actors are merging stolen AI infrastructure with autonomous hacking in one operation.
Two trends previously developing separately, compute theft and AI-powered offensive tooling, have converged in one captured attack.
Hackers Abuse Legitimate RMM Tools
The attacker’s tool, which researchers call VAPT based on embedded code markers, drives the AI model through a tightly defined sequence of steps.
Each step has one specific job, and the model must return structured output the surrounding software can consume automatically. This keeps the pipeline fast and reliable without human involvement at each stage.
The stages observed included identifying services on a target, matching those to known vulnerabilities, building proof-of-concept exploits, crafting blind SQL injection payloads to bypass input filters, and pulling credentials from looted files.
A privilege escalation stage also pushes deeper into a system once initial access is gained. Credential extraction alone was run well over a hundred times across the campaign.
What makes this framework especially capable is its autonomous orchestrator, a controller that drives the entire chain until it achieves command execution on the target.
To confirm a successful compromise, the tool runs a specific command and looks for unique code markers bracketing the output. Once those appear, the confirmed exploit is frozen into a reusable template for replaying with any follow-up command.
Across the campaign, the tool requested at least seven AI models, including commercial names like GPT-4o-mini, Claude-3-5-Sonnet, and Gemini-2.0-Flash-Exp alongside open-source local builds.
Their presence shows the tool was originally built for paid APIs and simply redirected at the stolen Ollama server as a free substitute.
Targets, Development, and Defense
Every target during the capture was on a private, non-routable network. The actor tested against fictitious apps named “MediaVault Asset Portal” and “Reverb Studio,” and later against a range linked to HackTheBox lab environments.
No real public hosts were targeted, suggesting the tool is still being refined before deployment against actual victims.
Security teams should never expose Ollama or similar model servers to the public internet, and authentication must be added at the proxy or network layer since none is built in.
Teams should monitor inference endpoints for unusual request volumes and audit internet-facing assets for open model servers.
Any exposed AI inference endpoint should be treated with the same urgency as an exposed database or admin panel.
Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| Source IP | `122.183.48.82` | Threat actor IP, Hyderabad, India — June 12 session |
| Source IP | `122.183.48.35` | Threat actor IP, Hyderabad, India — June 14 session |
| Source IP | `122.183.48.195` | Threat actor IP, Hyderabad, India — June 14 session (same /24) |
| Source IP | `47.15.69.15` | Threat actor IP, India — June 14 session, second residential ISP |
| String Marker | `VAPTb3gin` | Compromise-confirmation sentinel emitted by the VAPT framework (begin marker) |
| String Marker | `VAPTfin` | Compromise-confirmation sentinel emitted by the VAPT framework (end marker) |
| String Marker | `__VAPTCMD__` | Placeholder left in a confirmed RCE recipe so commands can be swapped and replayed |
| Command | `echo VAPTb3gin; id; echo VAPTfin` | Exact remote code execution confirmation probe used by the framework |
| String | `MediaVault Asset Portal` | Fictitious target application name found in the framework’s payloads |
| String | `Reverb Studio` | Fictitious target application name found in the framework’s payloads |
| Network Range | `172.30.0.0/24` | Actor’s private benchmark target range present in attack payloads |
| Network Range | `10.129.0.0/16` | Additional private target range in June 14 payloads, consistent with HackTheBox lab VPN |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
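The monitoring advice above can be applied by sweeping the request log of whatever proxy fronts a model server for the indicators in the table, while counting requests per source. The following is an added example, not code from Sysdig or the article. The JSON-lines schema (`src`, `path`, `body`), the sample records, and the volume threshold are assumptions, and the indicator values are copied from the table.

```python
import ipaddress
import json
import re
from collections import Counter

# Indicator values copied from the article's IoC table.
MARKERS = ("VAPTb3gin", "VAPTfin", "__VAPTCMD__", "MediaVault Asset Portal", "Reverb Studio")
ACTOR_IPS = {"122.183.48.82", "122.183.48.35", "122.183.48.195", "47.15.69.15"}
TARGET_RANGES = [ipaddress.ip_network(n) for n in ("172.30.0.0/24", "10.129.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample records; the src/path/body field names are an assumed log schema.
SAMPLE_LOG = [
    '{"src": "203.0.113.7", "path": "/api/chat", "body": "Summarise this changelog"}',
    '{"src": "122.183.48.82", "path": "/api/generate", "body": "172.30.0.15 runs Reverb Studio"}',
    '{"src": "198.51.100.9", "path": "/api/generate", "body": "echo VAPTb3gin; id; echo VAPTfin"}',
    "truncated line, not JSON",
]

def findings(rec):
    """Return the reasons one logged request matches the article's indicators."""
    body = rec.get("body", "")
    reasons = ["actor-ip"] if rec.get("src") in ACTOR_IPS else []
    reasons += [f"marker:{m}" for m in MARKERS if m in body]
    for text in IPV4.findall(body):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:  # regex matched something like 999.1.1.1
            continue
        if any(addr in net for net in TARGET_RANGES):
            reasons.append(f"target-range:{addr}")
    return reasons

def triage(lines, volume_threshold=100):
    """Return (flagged requests, sources at or above the request-count threshold)."""
    per_source, flagged = Counter(), []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed log lines instead of aborting the scan
        if not isinstance(rec, dict) or not str(rec.get("path", "")).startswith("/api/"):
            continue
        per_source[rec.get("src")] += 1
        if (why := findings(rec)):
            flagged.append((rec.get("src"), rec["path"], why))
    noisy = {s: n for s, n in per_source.items() if n >= volume_threshold}
    return flagged, noisy
```

Calling `triage(SAMPLE_LOG)` flags the second and third sample records. A hit on the private target ranges alone is weak evidence, since those ranges are widely used internally, so treat it as context for the marker and source matches.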