Skip to content
Malware family

MeshAgent

MeshAgent is an open-source remote access and remote monitoring/management (RMM) agent that is repeatedly described in the provided reporting as a dual-use tool abused by threat actors to obtain persistent remote control of compromised systems.

Profile source: Mallory opens in a new tab

MeshAgent

Family profile

MeshAgent is an open-source remote access and remote monitoring/management (RMM) agent that is repeatedly described in the provided reporting as a dual-use tool abused by threat actors to obtain persistent remote control of compromised systems. Across the cited incidents, it is used as a secondary payload or persistence mechanism after phishing, fake software-update lures, malicious LNK files, PowerShell downloaders, MSI/EXE installers, ClickFix-style delivery, and fake CAPTCHA-gated download pages. Reported installation methods include silent deployment, Tactical RMM-driven installation, and delivery from phishing sites or compromised infrastructure, including MeshCentral servers.

The content links MeshAgent to multiple threat clusters and campaigns, including Kimsuky-associated phishing activity reported by AhnLab, UNC5687 phishing campaigns, PhantomCore operations, Russian actor activity reported by CERT-UA/Microsoft, ShadowSyndicate-associated tooling, Thor, and broader state-sponsored targeting of the defense sector. It is also referenced in campaigns using EV-signed malware impersonating Microsoft Teams, Zoom, Adobe Reader, and Google Meet, where attackers installed ScreenConnect, Tactical RMM, and MeshAgent to maintain redundant access and support lateral movement.

Capabilities directly described in the content include persistent remote access and remote management of infected systems. In some campaigns, other malware downloaded MeshAgent configuration files, or dropped MeshAgent as part of a broader intrusion set that also performed credential theft, browser and mail account theft, cookie theft, keylogging, clipboard theft, host reconnaissance, and file collection. On Android, reporting states MeshAgent was used in attacks mimicking battlefield management platforms to enable remote management and support cookie theft. In ransomware and post-compromise contexts, MeshAgent appears alongside other dual-use administration tools such as ScreenConnect, SimpleHelp, Tactical RMM, Netscan, Netexec, and modified Rustdesk.

High-confidence indicators and infrastructure details in the content include phishing domains with fake CAPTCHAs used to deliver MeshAgent samples and corresponding MeshCentral servers in PhantomCore activity; a PowerShell downloader tied to UNC5687 that decrypted the URL hxxps://filedn[.]eu/lODWTgN8sswHA6Pn8HXWe1J/tox2/Scan_docs%2398097960[.]msi to fetch a MeshAgent payload; and reporting that UNC5687-associated MeshAgent communicated with C2 domains linked to a service called AnonVNC. The content consistently characterizes MeshAgent as legitimate software repurposed by attackers for persistence, privileged remote access, and follow-on intrusion activity in enterprise, government, financial, and defense-related environments.

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 13, 2026
Last activity
Jul 18, 2026
Feed role
C2
Host form
0 IP / 10 hostnames

Leading locations

  • US3
  • IN2
  • DE1
  • KR1
  • RU1
  • SG1
  • TH1

Leading providers

  • Amazon.com, Inc.2
  • DigitalOcean, LLC1
  • Hathway IP Over Cable Internet1
  • Hetzner Online GmbH1
  • Korea Telecom1
  • MHost LLC1

Infrastructure traits

  • Hosting 8

Samples

Recent associated samples

Reported operators

Threat actors

7 named in public reporting
Kimsuky

Post lazarusholic lazarusholic.bsky.social ... "โ€˜๋ณด์•ˆ ๋ฉ”์ผโ€™๋„ ์•ˆ์‹ฌ ๊ธˆ๋ฌผ! ์นด๋“œ์‚ฌ ์‚ฌ์นญ ์•…์„ฑ ํŒŒ์ผ ์œ ํฌ ์ค‘" published by Ahnlab. #Kimsuky, #LNK, #MeshAgent, #DPRK, #CTI

PhantomCore

PhantomCore registers phishing domains with fake CAPTCHAs used to deliver MeshAgent samples, and domains for the corresponding MeshCentral servers.

Lazarus

Remote Access: An instance of MeshAgent is silently installed, providing the attackers with persistent remote control over the infected system.

Storm-1175

"To maintain persistence, they abused remote monitoring and management (RMM) tools, specifically SimpleHelp and MeshAgent."

UNC5687

"Threat Actor: UNC5687, known for using MESHAGENT in phishing campaigns... The campaign delivers MESHAGENT, an open-source remote access framework..."

Exploited software

Vulnerabilities linked to MeshAgent

3 CVEs

MITRE ATT&CK

MeshAgent in ATT&CK

32 distinct techniques

Reporting

Research mentioning MeshAgent

May 27
Lazarusholic Bluesky

Post by @lazarusholic.bsky.social - Bluesky

Post lazarusholic lazarusholic.bsky.social ... "โ€˜๋ณด์•ˆ ๋ฉ”์ผโ€™๋„ ์•ˆ์‹ฌ ๊ธˆ๋ฌผ! ์นด๋“œ์‚ฌ ์‚ฌ์นญ ์•…์„ฑ ํŒŒ์ผ ์œ ํฌ ์ค‘" published by Ahnlab. #Kimsuky, #LNK, #MeshAgent, #DPRK, #CTI

May 26
Ahnlab Asec

Don't trust 'secure mail'! malicious Files Impersonating Credit Card Companies Are Being Distributed - ASEC

it also explores Paths related to browser extensions and cryptocurrency wallets, downloads remote management tool (MeshAgent) configuration files, and performs keylogging and clipboard data collection.

Mar 12
The Hacker News

ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack & More

Some of the deployed RMM tools include ScreenConnect, Tactical RMM, and MeshAgent.

Mar 5
Scworld

New phishing attacks exploit stolen digital certificates for malicious software | brief | SC Media

"Once executed, these files install remote monitoring and management (RMM) tools, like ScreenConnect and MeshAgent, which provide attackers with persistent, privileged access to corporate networks."

Mar 3
Microsoft Security

Signed malware impersonating workplace apps deploys RMM backdoors | Microsoft Security Blog

As part of this secondary installation, the Tactical RMM deployment subsequently installed MeshAgent, providing yet another remote access channel for persistence.

Feb 15
Rescana

Coordinated State-Sponsored Cyber Attacks Target Battlefield Management and Defense Supply Chains: Google Links China, Iran, Russia, North Korea

STALECOOKIE, TINYWHALE, and MeshAgent target Android devices... to steal cookies and enable remote management.

Feb 13
The Hacker News

Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations

"...drops the MeshAgent remote management software."

Feb 5
The Hacker News

ThreatsDay Bulletin: Codespaces RCE, AsyncRAT C2, BYOVD Abuse, AI Cloud Intrusions & 15+ Stories

ShadowSyndicate continues to be associated with toolkits including ... MeshAgent ...

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.