Phishing Campaign Exploits Legitimate RMM Tools to Infiltrate 80+ Organizations, Researchers Warn

Late last year, cybersecurity researchers uncovered a phishing operation designed to deceive users into installing remote monitoring software. At first glance, the activity appeared routine, but deeper investigation revealed a more layered and evolving threat.

The attackers primarily relied on LogMeIn Resolve (previously GoToResolve), a legitimate remote management tool, to gain unattended access to targeted systems. However, what makes this campaign noteworthy is what happened after initial access was achieved.

(Image caption: An example of one of the malicious lures)

Follow-up analysis showed that in certain cases, the attackers didn’t stop at persistence. Instead, they escalated their operations by deploying additional tools, including ScreenConnect, to deliver further payloads. These included both information-stealing malware and additional remote access utilities.

The earliest signs of this campaign date back to April 2025, with a significant spike in activity observed between October and November 2025. Over 80 organizations were impacted, most of them based in the United States and spread across different industries.

This threat cluster is currently tracked as STAC6405. Some phishing infrastructure linked to this activity is still active, suggesting that the campaign may not be fully over.


Initial Infection Vector: Invitation-Based Phishing

The attackers relied heavily on social engineering. Victims received emails that appeared legitimate, often sent from compromised accounts belonging to trusted contacts. In other cases, the sender was unknown.

The emails typically used themes such as:

  • “SPECIAL INVITATION”
  • Event invites resembling Punchbowl invitations
  • Business-related requests like tender participation

Each email contained a link that led users to download a malicious binary. These binaries were hosted on attacker-controlled infrastructure but disguised as legitimate software installers.

Interestingly, the downloaded files were real LogMeIn Resolve binaries, but preconfigured to connect to attacker-owned accounts. This allowed the attackers to gain immediate remote access once the software was executed.

Domains observed in this campaign included:

  • mastorpasstop[.]top
  • evitereview[.]de
  • evitesecured[.]top

Some domains even mimicked branding associated with invitation platforms, reinforcing the deception.


Evolving Delivery Infrastructure

The threat actor demonstrated adaptability by changing the appearance of distribution sites over time.

For example:

  • One instance used a Microsoft Teams-themed interface
  • Later visits to the same domain showed a Norton-branded page

The variation may have been a deliberate attempt to build trust, or the landing page may have been generated dynamically from characteristics of the visitor's environment.

Unlike in similar campaigns reported elsewhere, the researchers did not observe strict filtering by operating system; in multiple cases the payloads were downloaded successfully from different environments.


Execution and Persistence Mechanism

Once executed, the installer performed the following actions:

  • Installed the RMM agent silently
  • Registered a Windows service with a unique identifier
  • Created a configuration file containing a hardcoded relay domain

This setup allowed attackers to maintain persistent and unattended access to the infected system.

Common filenames used in this campaign included:

  • Invitation.exe
  • ContractAgreementToSign.exe
  • invt-list2025.exe
  • SPCL_INVITE_RSVP_2025.exe
  • statmts_PDF-10.25.exe

In most cases, attackers stopped after establishing access. This behavior suggests possible involvement of Initial Access Brokers (IABs), who sell system access on underground markets.


Second-Stage Activity: Beyond Initial Access

Although many infections did not progress further, two incidents revealed more aggressive post-compromise activity.

Case 1: Infostealer Deployment

In one scenario, attackers quickly escalated their actions.

Within an hour of initial compromise:

  • A ZIP file (8776_6713_exe.zip) was downloaded via ScreenConnect
  • The archive contained:
    • HideMouse.exe
    • 8776_6713.exe

HideMouse.exe replaced the system cursor with an invisible one, likely to hide attacker activity.

8776_6713.exe was more concerning:

  • Packed using HeartCrypt (packer-as-a-service)
  • Injected malicious code into a legitimate binary
  • Delayed execution (4–9 minutes) to evade detection
  • Injected code into csc.exe (a known LOLbin)

It then established communication with:

  • 45[.]56.162.138

Capabilities Observed

The malware demonstrated classic infostealer behavior:

  • Extracting browser credentials and session data
  • Attempting to access cryptocurrency wallets
  • Collecting system information via WMI queries
  • Enumerating installed antivirus solutions
  • Scanning for imaging and camera devices

It also contained an encrypted payload decrypted using TripleDES, showing similarities with known malware families like ValleyRAT.


Case 2: Multi-RMM Deployment

In another incident, attackers used a different approach.

Instead of LogMeIn Resolve, the initial payload deployed ScreenConnect, configured to connect to:

  • relay[.]aceheritagehouse[.]top:8041

Once connected:

  • The system joined as a guest session
  • Attackers gained direct interactive access

Additional payloads included:

  • RemoteAccess.jar
  • jwrapper_utils.jar
  • Remote Access.exe

These components leveraged Java runtime environments and tools like SimpleService.exe to establish persistence.

The behavior suggests links to SimpleHelp, another legitimate RMM platform.

Fortunately, this incident was contained before further damage occurred.


MITRE ATT&CK Mapping

The campaign aligns with several MITRE ATT&CK techniques:

  • Initial Access: Spearphishing Link (T1566.002)
  • Execution: Malicious File (T1204.002)
  • Defense Evasion: Delayed Execution (T1678)
  • Credential Access: Browser Credential Dumping (T1555.003)
  • Discovery:
    • Software Discovery (T1518.001)
    • System Information Discovery (T1082)
  • Collection: Automated Collection (T1119)
  • Command & Control:
    • Remote Access Software (T1219)
    • Encrypted Channel (T1573)

Detection and Protection Measures

Security tools raise multiple detections on components of this campaign:

  • win-prot-rep-pua-generic-reputation-pua
  • win-prot-hmpa-malware-hollowprocess
  • Troj/Steal-FGV
  • Troj/HCrypt-D

Recommended Actions

Organizations should consider:

  • Restricting unauthorized RMM tool installations
  • Removing unused remote access software
  • Blocking known malicious domains
  • Strengthening credential management practices
  • Monitoring unusual RMM activity

Additionally, detection queries can help identify:

  • Suspicious process execution
  • New RMM installations
  • Active remote sessions
  • File transfers through remote tools
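As an added illustration of the kind of detection query described above, and of the persistence chain (silent RMM install, new service, hardcoded relay) described earlier, the following Python pass flags unapproved RMM service installs, execution of the reported lure filenames, csc.exe launched by something other than a build tool, and connections to the reported relay and C2 destinations. This is example code, not from the original report; the event record layout, the approved-RMM list and the sample events are assumptions.

```python
# Added example, not code from the original report: a detection pass over
# constructed Windows-style event records for the RMM-abuse chain described
# above. Record layout, approved-RMM list and sample events are assumptions.
import re

RMM_PATTERN = re.compile(r"logmein|gotoresolve|screenconnect|simplehelp", re.I)
APPROVED_RMM = {"screenconnect"}  # assumption: the one RMM product IT sanctions
LURE_NAMES = {"invitation.exe", "contractagreementtosign.exe", "invt-list2025.exe",
              "spcl_invite_rsvp_2025.exe", "statmts_pdf-10.25.exe"}
BAD_DESTINATIONS = {"mastorpasstop.top", "evitereview.de", "evitesecured.top",
                    "relay.aceheritagehouse.top", "45.56.162.138"}  # from the report
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}  # legitimate csc.exe parents

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def analyse(ev):
    """Return (rule, detail) findings for one event record."""
    hits, img = [], basename(ev.get("image", ""))
    if ev["type"] == "service_install":  # cf. System log event 7045
        m = RMM_PATTERN.search(ev["service"] + " " + img)
        if m and m.group(0).lower() not in APPROVED_RMM:
            hits.append(("unapproved_rmm_service", ev["service"]))
    elif ev["type"] == "process_create":  # cf. Sysmon event 1
        # Lure binaries run from a user's Downloads folder, by name or by RMM family.
        if img in LURE_NAMES or (RMM_PATTERN.search(img) and "downloads" in ev["image"].lower()):
            hits.append(("rmm_lure_execution", img))
        # csc.exe is a compiler; a parent that is not a build tool suggests hollowing.
        if img == "csc.exe" and basename(ev.get("parent", "")) not in BUILD_PARENTS:
            hits.append(("csc_unexpected_parent", basename(ev.get("parent", ""))))
    elif ev["type"] == "network_connect":  # cf. Sysmon event 3; 8041 = relay port in the report
        host, _, port = ev["dest"].rpartition(":")
        if host.lower() in BAD_DESTINATIONS or port == "8041":
            hits.append(("known_bad_destination", ev["dest"]))
    return hits

# Constructed sample telemetry (not real logs) reproducing the reported chain.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\ann\Downloads\Invitation.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "service_install", "service": "GoToResolve Unattended 7f3a", "image": r"C:\ProgramData\GoTo\agent.exe"},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "parent": r"C:\Users\ann\AppData\Local\Temp\8776_6713.exe"},
    {"type": "network_connect", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "dest": "45.56.162.138:443"},
    {"type": "network_connect", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", "dest": "relay.aceheritagehouse.top:8041"},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "parent": r"C:\Program Files\dotnet\dotnet.exe"},
]

def run(events=SAMPLE_EVENTS):
    """Run every rule over the event stream; returns [(event_index, rule, detail)]."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in analyse(ev)]
```

Note that the sanctioned ScreenConnect client is still flagged when it reaches the reported relay: an approved tool name does not exempt a bad destination, which is the point of the relay rule.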

Conclusion

This campaign highlights a growing trend in cyber threats: the use of legitimate tools for malicious purposes. By leveraging trusted software, attackers reduce their chances of detection and blend into normal operations.

The inconsistent second-stage activity raises questions. It is possible that:

  • Access was sold to other attackers
  • Different payloads were being tested
  • Only selected systems were targeted for deeper exploitation

Despite these uncertainties, one fact remains clear: attackers are becoming more subtle, patient, and adaptive.


Our Analysis and Opinion

From a defensive standpoint, this campaign represents a shift toward quieter and more strategic intrusion methods. Instead of relying heavily on obvious malware, the attackers focus on gaining legitimate access through trusted tools. This makes detection significantly harder, especially in environments where remote management software is commonly used.

What stands out is the selective nature of post-compromise actions. Not every infected system was exploited further, which suggests deliberate targeting or a staged operational model. This behavior aligns with modern cybercrime ecosystems where initial access is treated as a commodity.

Another important observation is the blending of legitimate and malicious activity. By using tools like ScreenConnect and LogMeIn Resolve, attackers effectively hide in plain sight. Traditional signature-based detection struggles in such scenarios, emphasizing the need for behavioral monitoring and anomaly detection.

In our view, organizations must rethink how they trust software rather than just focusing on whether it is malicious. Even legitimate tools can become attack vectors when misused.

Overall, this campaign is not just about phishing—it reflects a broader evolution in attacker strategy, where stealth, patience, and misuse of trusted systems define the threat landscape.