You’ve likely seen the recent reports: a sophisticated cryptojacking campaign is actively abusing AI chatbots and poisoned SEO to trick users into downloading malicious copies of utilities like CrystalDiskInfo. Once executed, these payloads drop a hidden ScreenConnect (ConnectWise Control) client, giving attackers persistent remote access to high-end GPUs for mining cryptocurrency.
For IT managers and MSPs, this isn't just a malware headline; it’s a structural warning. It highlights a critical blind spot in how we manage endpoints today: the disconnect between what we monitor and what we can remotely manage.
The Operational Nightmare of Fragmented Tools
In many MSPs and internal IT departments, the ecosystem is a mess of disconnected point solutions. You have one tool for server uptime (monitoring), a completely different console for remote access (RMM), and a third platform for ticketing.
When a cryptojacker—or even just a failing driver—hits a high-performance workstation, here is the typical fragmented workflow:
- The Alert: Your monitoring system flags a device for sustained 100% GPU utilization.
- The Context Switch: You receive the alert, log out of the monitoring console, and log into your separate RMM platform.
- The Hunt: You search for the device in the RMM. If the agent isn’t communicating perfectly, you might not even see it.
- The Guesswork: You attempt a remote session, but the RMM doesn't automatically pull up the monitoring timeline showing exactly when the spike started. Did the user install something? Did a service change?
This siloed architecture costs you the one thing you can't get back: time. In the case of the ScreenConnect cryptojacking campaign, the attackers rely on speed and stealth. By the time your technician has tab-switched between three different tools to correlate high GPU usage with a suspicious new service, the malware has already established persistence.
Why Traditional RMM Platforms Miss the Mark
The core issue is legacy architecture. Traditional RMMs were built as "remote control" tools, while monitoring systems were built as "ping" tools. They weren't designed to share a heartbeat.
- Data Silos: Your monitoring tool knows the server is choking, but your RMM doesn't care until the agent goes offline.
- Audit Gaps: When a technician uses a standalone RMM to push a script or fix a registry key, that action often vanishes into a void. It doesn't appear in the central monitoring timeline. If a break-fix causes a side effect two hours later, your helpdesk has no record of what changed.
For an MSP managing 50+ clients, this is a disaster. You might have a rogue ScreenConnect instance running on a client's design workstation, but because your "Software Inventory" module doesn't talk to your "Remote Access" logs, you miss it entirely—until the client calls complaining their CAD renders are crawling.
How AlertMonitor Solves This: Unified RMM & Monitoring
AlertMonitor replaces the stack of disjointed tools with a single, unified platform. We believe that monitoring and management are two sides of the same coin. You cannot effectively respond to an alert if you have to leave the screen where the alert appeared to fix it.
Here is how the AlertMonitor workflow changes the outcome:
- Single Pane of Glass: You receive an alert for high GPU usage on a Windows endpoint. You click the alert.
- Instant Context: The side-panel opens immediately, showing you the device’s live performance data, recent patch history, and currently installed software.
- Built-in Remote Management: Without opening a new tab or logging into a VPN, you click the "Remote Session" button directly from the alert context.
- Scripted Remediation: You see a suspicious service in the background. You drag a pre-built PowerShell script from your AlertMonitor library and drop it onto the device to enumerate services.
- Unified Timeline: The script executes, and the output is logged directly into the device's timeline in AlertMonitor—right next to the original GPU alert.
This isn't just convenient; it’s a force multiplier. By removing the friction between "seeing" a problem and "fixing" it, you reduce Mean Time To Resolution (MTTR) from hours to minutes.
Practical Steps: Auditing Remote Services
In light of attacks abusing legitimate remote tools like ScreenConnect, IT admins need a quick way to inventory and validate remote access services across their fleet. With AlertMonitor, you can push a script to thousands of endpoints in seconds to verify which remote access agents are actually running.
Here is a practical PowerShell script you can deploy via AlertMonitor's RMM to list services related to common remote access tools (ScreenConnect, Splashtop, TeamViewer, AnyDesk). This helps you ensure only authorized tools are active.
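```powershell
# Name fragments of services belonging to common remote access tools
$RemoteServices = @(
    "ScreenConnect",
    "SplashtopRemoteService",
    "TeamViewer",
    "AnyDesk"
)

# Build one regex from the fragments. The service name must be the left-hand
# operand of -match; with the operands reversed, a service whose name has
# extra text around the fragment is never matched.
$Pattern = ($RemoteServices | ForEach-Object { [regex]::Escape($_) }) -join '|'
$Results = Get-Service | Where-Object { $_.Name -match $Pattern }

if ($Results) {
    Write-Output "Found the following remote access services:"
    $Results | Format-Table Name, DisplayName, Status, StartType -AutoSize
} else {
    Write-Output "No common third-party remote access services detected."
}
```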
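To go from listing to validating, the check below compares each matching service against an allowlist of exact service names and records the binary path and Authenticode signer. It is an added example, not AlertMonitor's own script; `$ApprovedServiceNames` and its placeholder entry are assumptions to replace with the names from your own deployment.

```powershell
# Added example: validate remote access services against an allowlist.
# $ApprovedServiceNames is a hypothetical allowlist of exact service names;
# the entry below is a placeholder, not a real service name.
$ApprovedServiceNames = @('<exact service name of your approved agent>')
$Fragments = @('ScreenConnect', 'Splashtop', 'TeamViewer', 'AnyDesk')
$Pattern   = ($Fragments | ForEach-Object { [regex]::Escape($_) }) -join '|'

$Report = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        # Match on name, display name or binary path, so a service whose
        # name alone lacks the fragment can still be caught
        "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Pattern
    } |
    ForEach-Object {
        $svc = $_

        # PathName can be quoted and carry arguments; keep only the executable path
        $exe = $null
        if ($svc.PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($svc.PathName -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }

        # Record the Authenticode status and signer of the service binary
        $sigStatus = 'FileNotFound'
        $signer    = 'n/a'
        if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $sig       = Get-AuthenticodeSignature -LiteralPath $exe
            $sigStatus = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Name      = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            Path      = $exe
            Signature = $sigStatus
            Signer    = $signer
            Approved  = $ApprovedServiceNames -contains $svc.Name
        }
    }

if ($Report) {
    # Unapproved services sort first ($false before $true)
    $Report | Sort-Object Approved, Name | Format-List
} else {
    Write-Output "No common third-party remote access services detected."
}
```

A valid vendor signature does not make an instance authorized: an unapproved service running a legitimately signed client is the case the campaign above relies on, so review every row where Approved is False.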
You can also use a quick Bash check for Linux endpoints to see if high-utilization processes are running, which might indicate mining activity.
```bash
# Check top CPU consuming processes
echo "Top 5 CPU consuming processes:"
ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%cpu | head -n 6
```
By running these scripts centrally through AlertMonitor, the results are instantly aggregated in your dashboard. You aren't just guessing if a machine is compromised; you have the data to prove it, and the remote tools to do something about it immediately.
Stop Switching Tabs. Start Solving Problems.
The cryptojacking campaigns of the world are getting smarter, leveraging AI and legitimate tools to hide in plain sight. Your response strategy cannot rely on five different browser tabs and manual context switching. You need a platform where your monitoring data feeds your remote management actions instantly.
AlertMonitor gives your IT team the visibility and speed they need to manage the entire environment from one tool. Don't let tool sprawl be the reason an attacker stays on your network.