Executive Summary
The Fortra Intelligence and Research Experts (FIRE) team is tracking an active phishing campaign distributing a Remote Access Trojan (RAT) that abuses Datto RMM, Datto’s legitimate enterprise remote monitoring and management platform (its agent components still carry the CentraStage name), as its command-and-control channel. The malware is delivered via social engineering emails using convincing lures such as fake Adobe installers, medical documents, and corporate invoices. No software vulnerability is exploited: the attack depends entirely on the victim manually executing the file.
Once installed, the attacker gains full interactive control of the compromised system, including screen viewing, keyboard and mouse control, file transfer, and command execution. This is all tunneled over HTTPS port 443, making the traffic indistinguishable from legitimate IT management activity.
Samples are recompiled on a weekly cadence to evade signature-based detection, indicating an active and maintained campaign.
Why it matters: The primary risk in this campaign is not the malware’s technical complexity but the intentional misuse of trusted enterprise infrastructure to hide malicious activity from standard security controls. The malware itself is a simple NSIS installer using common anti-analysis measures. What sets this operation apart is the strategic choice to run C2 through Datto RMM, a move that demands preparation, resources, and active management of a legitimate account.
It’s unlikely that standard network monitoring and endpoint security solutions will flag Datto RMM traffic as malicious. Datto RMM is the latest in a line of legitimate remote management software being abused to support malicious activity and evade detection.
Business impact: Full persistent remote access to any affected endpoint, with the ability to exfiltrate data, move laterally, or stage further attacks such as ransomware. Compromised organizations could experience significant disruption, data loss, and long-term customer distrust.
Top actions:
Block or alert on outbound traffic to 03cc.centrastage.net in environments that do not use Datto RMM.
Hunt for CagService running on endpoints not in the approved IT tooling inventory.
Report AccountUid zin738c0001 to Datto/Kaseya for platform abuse investigation.
Review HKLM\Software\Microsoft\Windows\CurrentVersion\Run for unauthorized entries.
Introduction
This intelligence was developed after identifying multiple malicious email samples received across different lure themes within a single week. During analysis of one sample, the download URL served what appeared to be an anomalous binary. Several hours later, the same URL began serving legitimate Datto RMM components, suggesting either a staging error or a timed delivery sequence on the attacker's infrastructure.
This accidental exposure of the true payload was the key event that enabled identification of the campaign and attribution of the C2 mechanism. The investigation was conducted through static binary analysis using Cutter/Radare2 and manual inspection of extracted configuration files, without execution in a live environment.
The report is being issued now because the campaign is actively distributing new samples with updated hashes, and its C2 infrastructure appears to remain operational.
Threat Landscape
Remote Access Trojans delivered via phishing remain one of the most prevalent initial access methods observed across sectors. The distinguishing characteristic of this campaign is its use of a legitimate commercial RMM tool as the C2 mechanism, a technique increasingly used by threat actors to blend malicious traffic into normal enterprise activity.
Broadly categorized under MITRE ATT&CK T1219 (Remote Access Software), this approach has been observed in other campaigns that abuse commercial remote-management tools. The shift toward abusing trusted enterprise software reflects a broader maturation in attacker tradecraft, where evading behavioral and network detection is prioritized over payload sophistication.
The social engineering lures observed in this campaign (medical records, invoices, software installers) are diverse and contextually plausible, suggesting the actor tailors delivery to specific targets rather than conducting broad spray campaigns. The weekly recompilation of samples to maintain different hashes is consistent with a threat actor actively monitoring detection rates on platforms such as VirusTotal.
The requirement for an enterprise Datto RMM license to operate this infrastructure narrows the actor pool and represents a meaningful resource investment, pointing toward a financially motivated threat group.
Threat Specifics
Origin and intent: The actor's primary objective is persistent remote access to victim endpoints. The infrastructure investment (enterprise RMM license, active recompilation, tailored lures) suggests financial motivation, with ransomware staging or data exfiltration as the likely follow-on objectives that would return that investment. Given the tailored targeting and the sensitivity of the data within reach, espionage is also possible, although we have not identified any specific links to state-sponsored groups.
Delivery mechanism: Phishing emails with executable attachments disguised as expected file types. Confirmed lures include Adobe Reader Installer, Opera Browser Setup, Provisio Medical documents, payment slips, and corporate invoices.
Execution flow:
The victim manually executes the installer. The binary is an NSIS (Nullsoft Scriptable Install System) wrapper, which presents a convincing fake installer dialog to the user while the malicious activity proceeds silently in the background. The installer drops Datto RMM components to C:\ProgramData\CentraStage, configures CagService with the attacker's account credentials, modifies registry Run keys for boot persistence, adjusts firewall rules, and calls SetFileSecurity on its own files to block removal.
Communication is established to 03cc.centrastage.net over HTTPS port 443 using a Datto RMM account registered under AccountUid zin738c0001. The connection automatically re-establishes after rebooting via the CagService Windows service.
Anti-analysis techniques:
The binary employs several techniques that resist static analysis. Sensitive Windows APIs (privilege adjustment, file operations, registry manipulation) are resolved at runtime via GetProcAddress into a pointer table at 0x40a060, so they do not appear in the standard import table, and they are invoked through indirect register calls (call eax) rather than direct calls, which defeats cross-reference resolution. The payload is embedded in compressed form and unpacked by a Huffman-based decompression routine, which is why static analysis tools see only 78 functions rather than the full codebase. A locale check against the system’s regional settings is performed at startup, likely for geo-targeting or sandbox evasion. A hidden window (WS_EX_TOOLWINDOW) is created for background operations while a fake installer UI is shown to the victim. Most of these behaviors are consistent with the stock NSIS stub, which resolves version-dependent APIs such as SetDefaultDllDirectories and MoveFileExA at runtime and keeps its script and payload compressed; they identify the packer rather than bespoke attacker tooling, so detection should key on the dropped Datto components and the service rather than on the installer itself.
Observed TTPs (MITRE ATT&CK):
T1566.001 - Phishing: Spearphishing Attachment
T1204.002 - User Execution: Malicious File
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1543.003 - Create or Modify System Process: Windows Service
T1134 - Access Token Manipulation (SeShutdownPrivilege; capability present, not confirmed active)
T1036.005 - Masquerading: Match Legitimate Name or Location
T1027.002 - Obfuscated Files or Information: Software Packing (NSIS)
T1027.007 - Obfuscated Files or Information: Dynamic API Resolution (GetProcAddress)
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification (SetFileSecurity)
T1082 - System Information Discovery (locale check)
T1219 - Remote Access Software (Datto RMM)
T1105 - Ingress Tool Transfer
C2 configuration extracted from sample:
Server: 03cc.centrastage.net
Port: 443 (HTTPS)
AccountUid: zin738c0001
Device GUID: 494d7e7c-f5e6-41a0-903c-b494fb0b8196
VNC: Enabled (password: "password")
RDP: Enabled
Reconnect: Automatic
Impact Assessment
Operational impact: An attacker with an active connection via Datto RMM has full interactive control of the endpoint. This includes real-time screen viewing, keyboard and mouse input, file system access, and remote command execution. The attacker can use this access to move laterally within the network, exfiltrate sensitive data, deploy additional payloads, or establish secondary persistence mechanisms.
Financial exposure: Potential exposure depends on what data and systems are accessible from the compromised endpoint. Given the persistent nature of the access and the attacker's apparent patience in maintaining infrastructure, the risk of ransomware staging or credential theft leading to broader network compromise is elevated.
Detection difficulty: The traffic generated by Datto RMM is HTTPS on port 443, routed through Datto's legitimate infrastructure. Without specific IOC-based blocking (the C2 subdomain) or an inventory-based control (alerting on Datto RMM where it is not approved), this activity is likely to go undetected by standard network monitoring and endpoint security solutions.
Reputational risk: If a compromised endpoint has access to customer data, financial records, or internal communications, the reputational and regulatory exposure from a breach could be significant.
Mitigation Guidance
Immediate (within 24 hours):
Block or alert on outbound DNS and HTTPS traffic to 03cc.centrastage.net on perimeter controls and endpoint DNS filtering. Applies to all environments that do not use Datto RMM operationally.
Hunt for CagService running as a Windows service on all endpoints. Any instance outside of an approved Datto RMM deployment should be treated as a compromise indicator.
Search for the directory C:\ProgramData\CentraStage on endpoints where Datto RMM is not an approved tool.
Report the AccountUid zin738c0001 and device GUID 494d7e7c-f5e6-41a0-903c-b494fb0b8196 to Datto/Kaseya for abuse investigation and account suspension.
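The four immediate checks above, as one endpoint hunt script. This is an added example, not Fortra's or Datto's tooling. The approved-host inventory file, its path and its one-hostname-per-line format are assumptions; the script only reports what it finds and removes nothing, because the dropped files carry restrictive ACLs (see the execution flow above) and a live host is better preserved for forensics.

```powershell
# Added hunt script for the four immediate checks (not Fortra's or Datto's code).
# Run elevated on an endpoint. Assumptions: the approved-host inventory file and its
# path are hypothetical; the host name is the inventory key.
param(
    [string]$ApprovedInventory = 'C:\SecOps\approved-datto-rmm-hosts.txt'   # one hostname per line
)

$Ioc = @{
    Service   = 'CagService'
    Directory = 'C:\ProgramData\CentraStage'
    RunKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    C2Domain  = '03cc.centrastage.net'
    Markers   = @('CagService', 'CentraStage')   # strings that tie a Run value to the Datto agent
}

$approved   = if (Test-Path $ApprovedInventory) { Get-Content $ApprovedInventory } else { @() }
$thisHost   = $env:COMPUTERNAME
$isApproved = $approved -contains $thisHost
$findings   = @()

# 1. Service: CagService present at all (state and binary path help triage)
$svc = Get-CimInstance Win32_Service -Filter "Name='$($Ioc.Service)'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{ Check = 'Service'
        Detail = "$($svc.Name) state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)" }
}

# 2. Directory: agent components dropped to ProgramData
if (Test-Path $Ioc.Directory) {
    $names = Get-ChildItem $Ioc.Directory -File -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
    $findings += [pscustomobject]@{ Check = 'Directory'; Detail = "$($Ioc.Directory): $($names -join ', ')" }
}

# 3. Run key: any value whose data references the agent
$run = Get-ItemProperty -Path $Ioc.RunKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PSPath/PSParentPath/... metadata
        if ($Ioc.Markers | Where-Object { "$($p.Value)" -like "*$_*" }) {
            $findings += [pscustomobject]@{ Check = 'RunKey'; Detail = "$($p.Name) = $($p.Value)" }
        }
    }
}

# 4. Network: the C2 subdomain in the local resolver cache, and any live 443 session to an
#    address it resolved to. The cache is read instead of doing a fresh lookup so the hunt
#    does not itself trip the DNS block/alert recommended above.
$cached  = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$($Ioc.C2Domain)*" }
$c2Addrs = @()
foreach ($c in $cached) {
    $findings += [pscustomobject]@{ Check = 'DnsCache'; Detail = "$($c.Entry) -> $($c.Data)" }
    if ($c.Data -match '^\d{1,3}(\.\d{1,3}){3}$') { $c2Addrs += $c.Data }
}
if ($c2Addrs.Count -gt 0) {
    $conns = Get-NetTCPConnection -State Established -RemotePort 443 -ErrorAction SilentlyContinue |
        Where-Object { $c2Addrs -contains $_.RemoteAddress }
    foreach ($cn in $conns) {
        $proc = Get-Process -Id $cn.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{ Check = 'Connection'
            Detail = "$($cn.RemoteAddress):443 pid=$($cn.OwningProcess) ($($proc.ProcessName))" }
    }
}

# Verdict: the same artifacts are expected on an approved host (verify the enrolled account
# there) and are a compromise indicator anywhere else.
if ($findings.Count -eq 0) { $verdict = 'CLEAN' }
elseif ($isApproved) { $verdict = 'REVIEW: approved host, confirm the enrolled Datto account' }
else { $verdict = 'SUSPECT: Datto RMM artifacts on a host outside the inventory' }

[pscustomobject]@{ Host = $thisHost; Approved = $isApproved; Verdict = $verdict; Findings = $findings }
```

On an approved host the service and directory are expected, so the useful follow-up there is to confirm which Datto account the agent is enrolled under; the AccountUid in this report is the differentiator, not the presence of the agent. Run the script through your EDR or management tooling to collect results centrally rather than host by host.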
Short term (within one week):
Review HKLM\Software\Microsoft\Windows\CurrentVersion\Run across endpoints for unauthorized entries referencing CagService or CentraStage.
Update email gateway rules to flag or quarantine executable attachments and 7z archives from external unverified senders.
Deploy detection rules in EDR and SIEM for the behavioral sequence: NSIS installer execution → CagService registration → outbound HTTPS to Datto infrastructure.
Alert on file permission (DACL) changes under %ProgramData% made by processes that also run from %ProgramData%. SetFileSecurity itself is a user-mode API that most EDR telemetry does not expose by name; the durable observable is the resulting permission change (Windows Security event 4670, "Permissions on an object were changed", which requires file-system object access auditing and a SACL on the directory, or the equivalent file-permission event in your EDR).
Submit confirmed sample hashes to threat intelligence platforms for broader community visibility.
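The behavioral sequence of the EDR/SIEM rule above and the permission-change observable, as one host-side query over Sysmon and Windows event logs. This is an added example and not Fortra's or Datto's code; it assumes Sysmon is logging process creation, file creation, registry value writes and network connections (events 1, 11, 13, 3), that auditing is configured so that Security event 4670 is recorded for the drop directory, and that it runs elevated. The look-back window and the "three of five stages" escalation threshold are this example's own choices.

```powershell
# Added detection example (not Fortra's or Datto's code). Correlates, on one host, the stages
# of the sequence above from Sysmon and Windows logs. Assumes Sysmon events 11, 13, 3 and
# Security event 4670 are being recorded; the window and the threshold are this example's own.
param([int]$LookBackHours = 24)

$since   = (Get-Date).AddHours(-$LookBackHours)
$dropDir = 'C:\ProgramData\CentraStage'
$sysmon  = 'Microsoft-Windows-Sysmon/Operational'

# Flatten an event's <EventData> into a hashtable keyed by field name
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $h[$_.Name] = $_.'#text' }
    return $h
}

# Query one log/ID set and keep the events for which $Describe returns a non-empty string
function Get-Stage {
    param([string]$Log, [int[]]$Id, [string]$Stage, [scriptblock]$Describe)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $detail = & $Describe (ConvertTo-EventData $e)
        if ($detail) { [pscustomobject]@{ Time = $e.TimeCreated; Stage = $Stage; Detail = $detail } }
    }
}

$hits = @()

# Stage 1: a process outside the drop directory writes the agent into it (the NSIS dropper)
$hits += Get-Stage $sysmon 11 'Drop' {
    param($d)
    if ($d.TargetFilename -like "$dropDir\*" -and $d.Image -notlike "$dropDir\*") { "$($d.Image) wrote $($d.TargetFilename)" }
}

# Stage 2: CagService registered (System 7045 fields: ServiceName, ImagePath)
$hits += Get-Stage 'System' 7045 'ServiceInstall' {
    param($d)
    if ($d.ServiceName -eq 'CagService' -or $d.ImagePath -like '*CentraStage*') { "$($d.ServiceName) -> $($d.ImagePath)" }
}

# Stage 3: Run-key value pointing at the drop directory (Sysmon 13 SetValue)
$hits += Get-Stage $sysmon 13 'RunKey' {
    param($d)
    if ($d.TargetObject -like '*\CurrentVersion\Run\*' -and $d.Details -like '*CentraStage*') { "$($d.TargetObject) = $($d.Details)" }
}

# Stage 4: outbound 443 from the agent binary, or to any centrastage.net name (Sysmon 3)
$hits += Get-Stage $sysmon 3 'C2Connect' {
    param($d)
    if ($d.DestinationPort -eq '443' -and ($d.Image -like "$dropDir\*" -or $d.DestinationHostname -like '*centrastage.net')) {
        "$($d.Image) -> $($d.DestinationIp):443 $($d.DestinationHostname)"
    }
}

# Stage 5: the SetFileSecurity observable, a DACL change on a file under the drop directory (Security 4670)
$hits += Get-Stage 'Security' 4670 'AclChange' {
    param($d)
    if ($d.ObjectName -like "$dropDir\*") { "$($d.ObjectName) by $($d.ProcessName) (old SD: $($d.OldSd))" }
}

$hits   = @($hits | Where-Object { $_ })
$stages = @($hits | Select-Object -ExpandProperty Stage -Unique)
$hits | Sort-Object Time | Format-Table Time, Stage, Detail -AutoSize

# Any single stage is expected on an approved Datto host; the chain inside one window is the rule.
if ($stages.Count -ge 3) {
    Write-Warning "$($env:COMPUTERNAME): $($stages.Count) of 5 stages in the last $LookBackHours h ($($stages -join ', ')); escalate unless Datto RMM is approved here"
}
```

The same per-stage conditions translate directly into a SIEM correlation rule keyed on host name with a sliding window; the host-side version is useful for triaging a single machine the hunt script flagged. Stage 1 is the weakest signal on its own (any legitimate Datto installer produces it), which is why the rule scores the chain rather than alerting on one stage.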
Ongoing:
Maintain an approved software inventory for RMM tools and alert on any RMM installation not in that inventory.
Monitor for new sample hashes exhibiting the same behavioral profile (Datto RMM dropped to ProgramData, same AccountUid pattern) as the actor recompiles weekly.
Closing Notes
The core risk in this campaign is the deliberate abuse of trusted enterprise infrastructure to make malicious activity invisible to conventional controls. The binary itself is a straightforward NSIS installer with standard anti-analysis techniques. What makes this campaign notable is the operational decision to route C2 through Datto RMM, which requires resources, planning, and active account management.
The most impactful immediate action is blocking the specific C2 subdomain (03cc.centrastage.net) and hunting for CagService on non-managed endpoints. These two controls directly sever the attacker's access and identify any already-compromised systems.
The actor is actively maintaining this campaign. New lures and recompiled samples should be expected. The IOCs in this report should be treated as a snapshot at the time of writing, not a complete picture.
Immediate next steps and owners:
Network/Firewall team: Block 03cc.centrastage.net
Endpoint/EDR team: Hunt for CagService, CentraStage directory
Threat Intel team: Submit hashes, contact Datto abuse team
Email Security team: Update gateway rules for .exe and .7z attachments
Appendices
RAT — Original Sample (Ano)
MD5: 6F78B42F66645FAE7A700F44E1364A90
SHA-1: F8362E5A4B4A319774B2D1CA53EDD351978E7B88
SHA-256: 367946476D515B2181D5B62E81442E2DBC1135063
SHA-512: 06789E50025F9C046A8FFDC56ED63776698590F94
Legitimate Datto Binaries downloaded hours later from same URL (Ano2, Ano3)
MD5: E2FD3EE09A91D8F39683FFB138A3A376
SHA-1: 434024E71EE095656B87A56DE0B05BCA0927CB69B
SHA-256: E38841C053ACFAB1DE2593BBE513C9C681B22E7E7
SHA-512: 8328A531F5DB1B63440B4A01F541296DCEB92174F
Note: Ano2 and Ano3 share identical hashes.
Previous week samples (same behavior, different hashes):
NorthwestSeafood
MD5: F109D5A80D759C1C5395A50DB9F0CEFE
OperaSetup
MD5: 8927C33A3FD6279FC14C943BF699ECCD
Adobe_Reader
MD5: D686623498ABB28A5DF797B9FF80A494
Provisio_Medical
MD5: 0EE2524E6BBDA04DBD881884DAA5CEEC
Payments slips
MD5: 815B76FC9B76E0E8D87642E5A78C59B7
Appendix B — File System Artifacts
C:\ProgramData\CentraStage\ (primary installation directory)
C:\ProgramData\CentraStage\CagService.exe
C:\ProgramData\CentraStage\Gui.exe
C:\ProgramData\CentraStage\log.txt (NLog activity log)
C:\ProgramData\CentraStage\cagerrors.dat
Appendix C — Registry Artifacts
HKLM\Software\Microsoft\Windows\CurrentVersion\Run (value name pending)
CagService configured for automatic startup
Appendix D — Network Indicators
C2 Domain: 03cc.centrastage.net
Port: 443 (HTTPS)
Appendix E — Static Analysis Notes
Packer: NSIS (Nullsoft Scriptable Install System)
Visible functions: 78 (remainder compressed via Huffman routine at fcn_004086f4)
API resolution: Dynamic via GetProcAddress, pointer table at 0x40a060
Key APIs resolved dynamically:
KERNEL32: SetDefaultDllDirectories, GetDiskFreeSpaceExA, MoveFileExA, GetUserDefaultUILanguage
ADVAPI32: OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, InitiateShutdownA, RegDeleteKeyExA
SHELL32: SHGetFolderPathA, Ordinal 680
Key APIs imported directly:
ADVAPI32: Full registry suite (RegCreateKeyExA, RegOpenKeyExA, RegSetValueExA, etc.), SetFileSecurity
SHELL32: ShellExecuteA
USER32: CreateWindowExA, CreateDialogParamA
Locale check: Reads Control Panel\Desktop\ResourceLocale at startup
Hidden window: WS_EX_TOOLWINDOW created for background operations
Fake UI: RichEdit dialog displayed to victim during installation
Appendix F — References
MITRE ATT&CK T1219, Remote Access Software: https://attack.mitre.org/techniques/T1219/
MITRE ATT&CK T1566.001, Spearphishing Attachment: https://attack.mitre.org/techniques/T1566/001/
MITRE ATT&CK T1027.007, Dynamic API Resolution: https://attack.mitre.org/techniques/T1027/007/
Datto RMM Documentation: https://rmm.datto.com
NSIS (Nullsoft Scriptable Install System): https://nsis.sourceforge.io/
Appendix G — Revision History
2026-03-05: Initial version, base analysis
2026-03-05: Major update, static analysis complete, C2 config extracted, full IOC set
(pending): Update with complete registry key values and service name
A Shared Approach to Reducing Risk - A Note from Kaseya
Fortra’s report highlights an industry-wide issue with malicious actors utilizing RMM tools to launch phishing attacks and gain unauthorized access to systems. While Datto RMM is recognized as an industry-leading RMM solution, it is just one of many such providers experiencing this issue.
Kaseya has implemented enhancements in business practices to mitigate the occurrences of malicious actors leveraging the access of the product to target potential victims, and these are proving to be effective. Kaseya will continue to adjust its business practices to limit the potential for malicious actors to leverage its RMM tools for the kinds of phishing attacks described in the report.
Kaseya continues to work closely with various partners and MSP community stakeholders, including Fortra, to identify potential areas of improvement across its business practices and products to the benefit of customers and the overall community.