Most RMM detection guidance focuses on a specific threat pattern: an attacker who has gained initial access drops or installs a legitimate RMM client (AnyDesk, ScreenConnect, TeamViewer) and uses it as a persistent backdoor. That threat is real, but it describes an attacker using RMM software they brought with them.

A different and more dangerous pattern emerged clearly in 2026: attackers exploiting vulnerabilities in RMM server infrastructure — the management plane that IT teams use to administer endpoints — to gain the same access level as legitimate technicians. When CVE-2026-48558, a CVSS 10.0 authentication bypass in SimpleHelp, hit active exploitation in June 2026, it highlighted how fundamentally different this detection problem is.

In this scenario, there are no unauthorised processes to detect. The attacker has a valid authenticated technician session. The file transfers, remote command execution, and lateral movement all appear as legitimate IT activity in the RMM server’s own audit logs. Detection requires working from different signals: anomalous session characteristics, unusual payload delivery patterns, and the downstream infostealer activity that follows.

Understanding the Attack Chain

The CVE-2026-48558 attack chain, as documented in active exploitation, has three distinct stages:

Stage 1: RMM session compromise. The attacker submits a forged OIDC token to the SimpleHelp server’s authentication endpoint. No credentials required, no user interaction needed. The server issues a fully authenticated technician session. From this point, the attacker has the same access as legitimate IT staff: file transfer to managed endpoints, remote command execution, access to the complete managed estate.

Stage 2: TaskWeaver stager deployment. The attacker uses the technician session to transfer a file named jquery.js to victim endpoints. This file, delivered over Cloudflare CDN infrastructure, is an obfuscated JavaScript stager that establishes TaskWeaver: an encrypted payload delivery channel. TaskWeaver runs via node.exe, fingerprints the system, and retrieves the final payload from a remote staging server.

Stage 3: Djinn Stealer execution. The final payload is Djinn Stealer, a cross-platform infostealer targeting AWS, Azure, GCP, GitHub, SSH keys, Docker credentials, npm tokens, AI API keys (Claude, Gemini, OpenAI Codex), cryptocurrency wallets, and browser-stored credentials.

The name jquery.js and execution via node.exe are key detection anchors for stage 2.

Detection: Stage 1 — Session Anomalies

Detecting the forged OIDC authentication requires log access to the RMM server itself. For SimpleHelp and similar platforms, look for:

Authentication without prior credential presentation. Legitimate OIDC flows involve redirects to the identity provider and back. A forged token authentication bypasses this — the RMM server logs should show an authenticated session establishment without a preceding redirect sequence. This requires RMM server-level authentication logs, not endpoint telemetry.

Technician session activity at unusual hours. Attacker-controlled technician sessions often operate outside the normal working hours of your IT team. Baseline technician activity timing and alert on sessions that initiate file transfers or remote command execution outside expected windows.

File transfer from unusual session source IPs. RMM technician sessions should originate from known IT management hosts or VPN exit nodes. Sessions originating from commercial VPS infrastructure, residential IPs, or tor exit nodes warrant investigation.

Sigma rule (SimpleHelp session anomaly):

title: SimpleHelp Technician Session from Unusual Source
id: 8a4f1b2c-3d5e-6f7a-8b9c-0d1e2f3a4b5c
status: experimental
description: Detects technician session activity in SimpleHelp from IP ranges not consistent with known IT management sources
logsource:
  product: simplehelp
  category: authentication
detection:
  selection:
    eventType: 'TECHNICIAN_SESSION_START'
  filter_known_sources:
    sourceIP|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter_known_sources
falsepositives:
  - Legitimate technicians working remotely from non-corporate IPs (review and adjust filter)
level: high
tags:
  - attack.initial_access
  - attack.t1078.004

Detection: Stage 2 — TaskWeaver Stager (node.exe Execution)

This is the highest-confidence detection point. node.exe executing a file named jquery.js from a non-standard path is a clear signal. Legitimate Node.js applications in enterprise environments generally run from known application directories, not temp paths or user-writable locations.

Sigma rule (TaskWeaver via node.exe):

title: Suspicious Node.exe Executing jQuery-Named File
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects node.exe executing a file named jquery.js from a non-standard path — consistent with TaskWeaver stager delivery observed in CVE-2026-48558 exploitation campaigns
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\node.exe'
    CommandLine|contains: 'jquery.js'
  filter_legitimate:
    CommandLine|contains:
      - '\node_modules\'
      - '\AppData\Roaming\npm\'
  condition: selection and not filter_legitimate
falsepositives:
  - Development environments running jQuery-based tooling via Node
level: critical
tags:
  - attack.execution
  - attack.t1059.007

KQL (Microsoft Sentinel / MDE):

DeviceProcessEvents
| where FileName =~ "node.exe"
| where ProcessCommandLine contains "jquery.js"
| where not(ProcessCommandLine contains @"\node_modules\")
| where not(ProcessCommandLine contains @"\AppData\Roaming\npm\")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, 
          InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

Additional Stage 2 indicators:

  • node.exe making outbound HTTPS connections to Cloudflare CDN addresses not associated with normal application traffic
  • Execution of JavaScript files from %TEMP%, %APPDATA%, or C:\Users\Public
  • node.exe spawned by an RMM client process (SimpleHelp agent, ScreenConnect client) as parent
DeviceProcessEvents
| where FileName =~ "node.exe"
| where InitiatingProcessFileName in~ ("SimpleHelpClient.exe", "SimpleHelpService.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

Detection: Stage 3 — Djinn Stealer Activity

Djinn Stealer is a cross-platform infostealer. Its post-execution activity produces several detectable patterns:

Credential file access. The stealer accesses browser credential stores, OS credential stores, and application-specific credential files. Key paths on Windows:

DeviceFileEvents
| where ActionType == "FileRead"
| where FolderPath has_any (
    @"AppData\Local\Google\Chrome\User Data\Default\Login Data",
    @"AppData\Roaming\Mozilla\Firefox\Profiles",
    @"AppData\Local\Microsoft\Credentials",
    @"AppData\Roaming\1Password",
    @"AppData\Local\1Password",
    @".aws\credentials",
    @".ssh\id_rsa",
    @".ssh\id_ed25519"
  )
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe")
| project Timestamp, DeviceName, AccountName, FolderPath, InitiatingProcessFileName

AI API key file access. Djinn Stealer specifically targets AI API key storage locations:

DeviceFileEvents
| where ActionType == "FileRead"
| where FolderPath has_any (
    @"AppData\Roaming\claude",
    @".anthropic",
    @".openai",
    @".gemini",
    @"AppData\Roaming\Cursor",
    @"AppData\Roaming\Windsurf"
  )
| where InitiatingProcessFileName !in~ ("claude.exe", "Cursor.exe")

Outbound data exfiltration. Djinn Stealer exfiltrates credential packages to a remote C2 host. Look for unusual outbound HTTPS from processes that do not typically make external connections:

DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemotePort == 443
| where InitiatingProcessFileName in~ ("node.exe")
| where not(RemoteUrl has_any ("microsoft.com", "windows.com", "npm.org", "nodejs.org"))
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName

Sigma rule (credential store access by stager process):

title: Credential Store Access by Node.js Process
id: 3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f
status: experimental
description: Detects Node.js processes accessing OS or browser credential stores — consistent with Djinn Stealer credential harvesting
logsource:
  category: file_access
  product: windows
detection:
  selection_process:
    Image|endswith: '\node.exe'
  selection_paths:
    TargetFilename|contains:
      - '\Login Data'
      - '\Microsoft\Credentials'
      - '\.aws\credentials'
      - '\.ssh\id_rsa'
      - '\.ssh\id_ed25519'
  condition: selection_process and selection_paths
level: critical
tags:
  - attack.credential_access
  - attack.t1555

Hunting for Compromised RMM Infrastructure

If you suspect your RMM server has been targeted rather than individual endpoints, the following hunting queries help identify evidence of attacker-controlled technician sessions:

RMM-initiated process execution on multiple systems in rapid succession. Legitimate IT technicians don’t typically execute processes on 20 endpoints within five minutes. High-velocity remote execution across a large number of managed systems is a compromise indicator.

File delivery of the same filename across multiple endpoints. Spreading jquery.js (or any identically-named file) to a large number of managed endpoints in a short window is a strong signal of automated RMM-based delivery.

Endpoint telemetry correlation with RMM audit logs. If your RMM server maintains audit logs (it should), correlate endpoint-level file creation events and process executions with technician session IDs in the RMM audit trail. Files created on an endpoint that don’t correlate to a known technician’s session activity indicate either a compromised session or an attacker operating via the RMM server directly.

Response Actions

Immediate isolation. Endpoints that have executed suspicious node.exe invocations should be isolated from the network immediately. Djinn Stealer exfiltrates in the same session window — cutting network access limits the credential harvesting window.

RMM server credential rotation. If the RMM server was compromised, all technician credentials should be rotated. Any managed-endpoint credentials stored in the RMM server’s configuration or accessible via the technician portal should be treated as compromised.

AI API key rotation. Given Djinn Stealer’s specific targeting of Claude, OpenAI, and Gemini API keys, any organisation with developers using AI coding tools should rotate API keys as a priority action following a confirmed Djinn Stealer deployment.

Patch first. SimpleHelp CVE-2026-48558 has had a patch available since June 2026. Any unpatched SimpleHelp instance should be treated as compromised until forensic triage confirms otherwise, and patching cannot wait on the triage timeline.

The detection principles here generalise beyond CVE-2026-48558 to any scenario where an attacker gains valid RMM technician access — whether through vulnerability exploitation, credential theft, or social engineering. The signal is in the anomalous behaviour of legitimate tools, not in the presence of obviously malicious software.