Last seven days
- First activity
- Jul 13, 2026
- Last activity
- Jul 18, 2026
- Feed role
- C2
- Host form
- 0 IP / 10 hostnames
MeshAgent is an open-source remote access and remote monitoring/management (RMM) agent that is repeatedly described in the provided reporting as a dual-use tool abused by threat actors to obtain persistent remote control of compromised systems.
Profile source: Mallory opens in a new tabMeshAgent
MeshAgent is an open-source remote access and remote monitoring/management (RMM) agent that is repeatedly described in the provided reporting as a dual-use tool abused by threat actors to obtain persistent remote control of compromised systems. Across the cited incidents, it is used as a secondary payload or persistence mechanism after phishing, fake software-update lures, malicious LNK files, PowerShell downloaders, MSI/EXE installers, ClickFix-style delivery, and fake CAPTCHA-gated download pages. Reported installation methods include silent deployment, Tactical RMM-driven installation, and delivery from phishing sites or compromised infrastructure, including MeshCentral servers.
The content links MeshAgent to multiple threat clusters and campaigns, including Kimsuky-associated phishing activity reported by AhnLab, UNC5687 phishing campaigns, PhantomCore operations, Russian actor activity reported by CERT-UA/Microsoft, ShadowSyndicate-associated tooling, Thor, and broader state-sponsored targeting of the defense sector. It is also referenced in campaigns using EV-signed malware impersonating Microsoft Teams, Zoom, Adobe Reader, and Google Meet, where attackers installed ScreenConnect, Tactical RMM, and MeshAgent to maintain redundant access and support lateral movement.
Capabilities directly described in the content include persistent remote access and remote management of infected systems. In some campaigns, other malware downloaded MeshAgent configuration files, or dropped MeshAgent as part of a broader intrusion set that also performed credential theft, browser and mail account theft, cookie theft, keylogging, clipboard theft, host reconnaissance, and file collection. On Android, reporting states MeshAgent was used in attacks mimicking battlefield management platforms to enable remote management and support cookie theft. In ransomware and post-compromise contexts, MeshAgent appears alongside other dual-use administration tools such as ScreenConnect, SimpleHelp, Tactical RMM, Netscan, Netexec, and modified Rustdesk.
High-confidence indicators and infrastructure details in the content include phishing domains with fake CAPTCHAs used to deliver MeshAgent samples and corresponding MeshCentral servers in PhantomCore activity; a PowerShell downloader tied to UNC5687 that decrypted the URL hxxps://filedn[.]eu/lODWTgN8sswHA6Pn8HXWe1J/tox2/Scan_docs%2398097960[.]msi to fetch a MeshAgent payload; and reporting that UNC5687-associated MeshAgent communicated with C2 domains linked to a service called AnonVNC. The content consistently characterizes MeshAgent as legitimate software repurposed by attackers for persistence, privileged remote access, and follow-on intrusion activity in enterprise, government, financial, and defense-related environments.
C2 tracking
Derp observations, rolling seven-day window
Samples
1195342c8f939309eeac5c235453bf629a68f5fe3be9bbdd3541eece085806c5 71144f6842b3b6f9c85b053c9d88027c3db9dbd8078edd1f07dc8d84e673f665 bdc020e1a5515a58520ffca362c998bcc749e6cfcf476e4a407e816c77a1fe4f eb8b355e4d44b6bcd3315a18ef532bec177ca3bb2a8d4e6d56e9cad8e22d0144 b336b0d1e4fe760e5f35665ee81830739962d6a51ba778f2eeeb0dfcb03c6a34 1d3ce2058d04b728ef034a02cfb79057a43f5cb29e7fea03c1609fe4eba2cf50 2813d0e3fbd66fb4e9b28287f60cf401f2eb68b08975811261f353687b8c2efc 9d9dd44c508af2fe864a8264ba5833d7c47fd21fe1b4c72ff6e05f7da94c288f 49c7d78b59601234b86458f169b47d8be9fdc08a450763a0bce9c6342cd1d21e 1d942fb85a6732b53e9d389573d08908163e9b529a39e42ad9fee989ab13866a Reported operators
Post lazarusholic lazarusholic.bsky.social ... "โ๋ณด์ ๋ฉ์ผโ๋ ์์ฌ ๊ธ๋ฌผ! ์นด๋์ฌ ์ฌ์นญ ์ ์ฑ ํ์ผ ์ ํฌ ์ค" published by Ahnlab. #Kimsuky, #LNK, #MeshAgent, #DPRK, #CTI
PhantomCore registers phishing domains with fake CAPTCHAs used to deliver MeshAgent samples, and domains for the corresponding MeshCentral servers.
Remote Access: An instance of MeshAgent is silently installed, providing the attackers with persistent remote control over the infected system.
"To maintain persistence, they abused remote monitoring and management (RMM) tools, specifically SimpleHelp and MeshAgent."
ShadowSyndicate continues to be associated with toolkits including ... MeshAgent ...
"...drops the MeshAgent remote management software."
"Threat Actor: UNC5687, known for using MESHAGENT in phishing campaigns... The campaign delivers MESHAGENT, an open-source remote access framework..."
Exploited software
MITRE ATT&CK
Reporting
Post lazarusholic lazarusholic.bsky.social ... "โ๋ณด์ ๋ฉ์ผโ๋ ์์ฌ ๊ธ๋ฌผ! ์นด๋์ฌ ์ฌ์นญ ์ ์ฑ ํ์ผ ์ ํฌ ์ค" published by Ahnlab. #Kimsuky, #LNK, #MeshAgent, #DPRK, #CTI
it also explores Paths related to browser extensions and cryptocurrency wallets, downloads remote management tool (MeshAgent) configuration files, and performs keylogging and clipboard data collection.
Some of the deployed RMM tools include ScreenConnect, Tactical RMM, and MeshAgent.
"Once executed, these files install remote monitoring and management (RMM) tools, like ScreenConnect and MeshAgent, which provide attackers with persistent, privileged access to corporate networks."
As part of this secondary installation, the Tactical RMM deployment subsequently installed MeshAgent, providing yet another remote access channel for persistence.
STALECOOKIE, TINYWHALE, and MeshAgent target Android devices... to steal cookies and enable remote management.
"...drops the MeshAgent remote management software."
ShadowSyndicate continues to be associated with toolkits including ... MeshAgent ...
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.