Researchers Warn GoTo Resolve Remote Tool Shows Ransomware-Like Behavior, Raising Security Concerns

Researchers have raised fresh concerns about GoTo Resolve, a popular remote administration and IT support tool, after discovering behavior that mirrors techniques commonly used in ransomware attacks. While GoTo Resolve is widely trusted by IT teams to manage and support systems remotely, new findings suggest that at least one of its components could unintentionally introduce serious security risks if left unchecked.

The issue doesn’t suggest malicious intent by the developers. Instead, experts warn that certain design choices may be exploited by attackers or misused in ways that undermine system security—especially in environments where the software is installed without strict oversight.

Silent Installation Raises Red Flags

The findings come from the Lat61 Threat Intelligence Team at Point Wild, which analyzed a GoTo Resolve component flagged as HEURRemoteAdmin.GoToResolve.gen. According to the researchers, this component is capable of installing and running silently on a system, without alerting the user or displaying any obvious interface.

From a cybersecurity standpoint, silent installations are always a cause for concern. When software runs quietly in the background, users may have no idea it’s active, making it harder to spot unusual or unauthorized activity. Security professionals worry that this kind of behavior creates an unexpected access point—one that could potentially be abused if attackers find a way to leverage it.

Hidden Processes and Potential Abuse

Researchers also noted that the component buries itself deep within the file system and operates without visible notifications or user interaction. While this approach may be intended to ensure seamless remote support, it also resembles techniques used by malicious software to avoid detection.

This lack of visibility effectively creates what experts describe as an “unlocked window.” If threat actors gain access through other means, such a hidden and trusted process could make it easier for them to maintain control over a compromised system without raising alarms.

Use of a System Library Linked to Ransomware

One of the most troubling discoveries involves the way GoTo Resolve loads a Windows system library known as RstrtMgr.dll. On its own, this file is legitimate and plays a normal role within the Windows operating system. However, it has also been used by well-known ransomware groups, including Conti and Cactus, to terminate antivirus software and disable defenses that might interfere with malicious activity.

Seeing the same library loaded quietly in the background is what prompted researchers to draw parallels with ransomware tactics. While GoTo Resolve is not ransomware, the overlap in techniques highlights how legitimate tools can resemble—or even enable—dangerous behavior under the wrong circumstances.

Trust, Signatures, and False Confidence

Because GoTo Resolve is digitally signed by its developer, many security products automatically trust it and allow it to run with minimal restrictions. However, experts stress that a valid digital signature only confirms the software’s origin—it doesn’t guarantee that it can’t be misused, exploited, or turned into a tool for attackers.

What Organizations Should Do

Cybersecurity professionals recommend treating this kind of silent behavior with caution. Unless GoTo Resolve is explicitly approved and actively managed by an organization’s security team, it may pose unnecessary risk. Removing the software from systems where it isn’t essential—and closely monitoring where it is used—can significantly reduce the chances of compromise.
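The monitoring advice above can be turned into a simple triage pass over image-load telemetry. The following is an added example, not code from Point Wild or GoTo: it assumes Sysmon Event ID 7 (ImageLoad) records exported as JSON lines, and the host names, the agent name "remote-agent.exe", the approved-host list and the expected-loader list are all constructed placeholders.

```python
import json
import ntpath  # parses Windows paths correctly on any analysis host

WATCHED_DLL = "rstrtmgr.dll"
EXPECTED_LOADERS = {"msiexec.exe"}    # assumption: installers you expect to use Restart Manager
REMOTE_AGENTS = {"remote-agent.exe"}  # placeholder name for the remote-support agent binary
APPROVED_HOSTS = {"IT-HELPDESK-01"}   # assumption: hosts where security approved the agent

# Constructed sample events (not taken from the research).
SAMPLE_EVENTS = r"""
{"Computer":"HR-LT-014","Image":"C:\\Program Files\\Vendor\\remote-agent.exe","ImageLoaded":"C:\\Windows\\System32\\RstrtMgr.dll","SignatureStatus":"Valid"}
{"Computer":"IT-HELPDESK-01","Image":"C:\\Program Files\\Vendor\\remote-agent.exe","ImageLoaded":"C:\\Windows\\System32\\RstrtMgr.dll","SignatureStatus":"Valid"}
{"Computer":"FIN-WS-007","Image":"C:\\Windows\\System32\\msiexec.exe","ImageLoaded":"C:\\Windows\\System32\\RstrtMgr.dll","SignatureStatus":"Valid"}
{"Computer":"FIN-WS-007","Image":"C:\\Users\\Public\\upd.exe","ImageLoaded":"C:\\Windows\\System32\\RstrtMgr.dll","SignatureStatus":"Unavailable"}
{"Computer":"HR-LT-014","Image":"C:\\Program Files\\Vendor\\remote-agent.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","SignatureStatus":"Valid"}
"""

def triage(jsonl):
    """Return (host, process, verdict, signature_status) for each RstrtMgr.dll load worth review."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ntpath.basename(ev["ImageLoaded"]).lower() != WATCHED_DLL:
            continue  # only Restart Manager loads are of interest here
        proc = ntpath.basename(ev["Image"]).lower()
        if proc in EXPECTED_LOADERS:
            continue  # known installer activity
        host = ev["Computer"]
        if proc in REMOTE_AGENTS:
            # The agent is tolerated only where it was explicitly approved.
            verdict = "monitor" if host in APPROVED_HOSTS else "unapproved-agent"
        else:
            verdict = "investigate"
        # The signature status is reported but never used to suppress a finding:
        # a valid signature confirms origin, not safe use.
        findings.append((host, proc, verdict, ev.get("SignatureStatus", "Unknown")))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Hosts reported as "unapproved-agent" are candidates for removing the software; hosts reported as "monitor" are where its use stays under observation.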