A sophisticated phishing campaign has recently targeted numerous organizations across the United States by abusing trusted remote monitoring and management (RMM) tools. Because these tools are legitimate and often already permitted, the attackers use them to slip past security controls and gain unauthorized access to systems.
Utilizing Legitimate Software for Unauthorized Access
Rather than deploying conventional malware immediately, these cyber attackers have weaponized legitimate applications such as LogMeIn Resolve and ScreenConnect. This approach allows them to quietly infiltrate networks and establish a presence before executing further malicious activities.
The campaign, identified as beginning around April 2025, saw a significant surge in activity between October and November of the same year. Over 80 organizations from various sectors were impacted, indicating a widespread and coordinated effort.
Phishing Tactics and Distribution Strategies
The attackers initiated contact through phishing emails. Some were sent from the compromised accounts of known contacts, which made them appear trustworthy; others originated from unknown senders. These emails often mimicked event invitations or tender notices, with subject lines like “SPECIAL INVITATION.”
Within these emails were links to distribution sites under the attackers’ control. These sites hosted legitimate LogMeIn Resolve installers, preconfigured to register the victim’s device to accounts controlled by the attackers.
Investigation and Defense Measures
Sophos analysts have identified this threat activity cluster as STAC6405. Their investigation revealed that the attackers frequently changed the distribution infrastructure, using themed landing pages resembling Microsoft Teams or Norton security interfaces to tailor delivery based on user attributes.
Once a victim executed the downloaded file, the attackers gained remote access via LogMeIn Resolve. The installed agent then configured a hard-coded relay domain and registered a unique Windows service, setting the stage for potential further exploitation.
In some cases, attackers moved quickly to a second stage, using pre-existing installations of ScreenConnect to deploy additional malicious tools, such as the HeartCrypt Packer-as-a-Service. This enabled further data harvesting and system manipulation.
Recommendations for Organizations
To mitigate these threats, organizations are advised to limit software installations to an approved list, enforce strong credential policies, and remove unnecessary RMM tools. Blocking unauthorized RMM tools through application control policies is also recommended.
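One way to act on the service-registration behaviour described above and on the application-control recommendation is to triage Windows service-install events for remote-management agents that are not on the organization's approved list. The following is an added example, not code from Sophos or from the article. It assumes a flattened, constructed line format for Event ID 7045 (the real Windows System-log event for "a service was installed"), placeholder host and service names rather than campaign indicators, an assumed approved-product list, and product markers beyond the two tools the article names.

```python
"""Triage Windows service-install events for remote-management agents that
fall outside an organization's approved-software list.

Added example, not code from Sophos or the article. Event ID 7045 (System log,
source Service Control Manager) is the real Windows event for "a service was
installed"; the flattened line format, host names, service names and paths
below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Product markers matched against the service name and binary path.
# LogMeIn Resolve and ScreenConnect are named in the article; the others are
# assumed additions covering other commonly abused RMM products.
RMM_MARKERS = ("logmein", "screenconnect", "connectwise", "anydesk", "atera")

# Directories a user can write to; a management agent launched from here
# usually means someone ran a downloaded installer rather than a managed deploy.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(downloads|desktop|appdata)|temp)\\", re.I)

# Constructed line format: host=<h> id=7045 name="<svc>" path="<exe>" account="<acct>"
EVENT_RE = re.compile(
    r'host=(\S+) id=7045 name="([^"]*)" path="([^"]*)" account="([^"]*)"'
)


@dataclass(frozen=True)
class Finding:
    host: str
    service_name: str
    image_path: str
    reasons: tuple


def parse_7045(line: str) -> Optional[dict]:
    """Return the fields of one constructed-format 7045 line, or None if it
    does not match (non-7045 events and malformed lines are skipped)."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    host, name, path, account = m.groups()
    return {"host": host, "name": name, "path": path, "account": account}


def find_unapproved_rmm(lines: List[str], approved_products: set) -> List[Finding]:
    """Flag RMM service installs that are not an approved product, or that
    run from a user-writable directory even when the product is approved."""
    approved = {p.lower() for p in approved_products}
    findings = []
    for line in lines:
        ev = parse_7045(line)
        if ev is None:
            continue
        haystack = f'{ev["name"]} {ev["path"]}'.lower()
        product = next((m for m in RMM_MARKERS if m in haystack), None)
        if product is None:
            continue  # not a remote-management agent
        reasons = []
        if product not in approved:
            reasons.append(f"{product} is not on the approved RMM list")
        if USER_WRITABLE.search(ev["path"]):
            reasons.append("agent binary runs from a user-writable directory")
        if reasons:
            findings.append(Finding(ev["host"], ev["name"], ev["path"], tuple(reasons)))
    return findings


# Constructed sample events; service names are placeholders, not campaign IoCs.
SAMPLE_EVENTS = [
    r'host=WS-017 id=7045 name="RemoteAgent_7f3c" path="C:\Users\jdoe\Downloads\LogMeInResolve.exe" account="LocalSystem"',
    r'host=SRV-DB02 id=7045 name="ScreenConnect Client (managed)" path="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe" account="LocalSystem"',
    r'host=WS-031 id=7045 name="PrintHelperSvc" path="C:\Windows\System32\spoolsv.exe" account="LocalSystem"',
    r'host=WS-044 id=7045 name="ScreenConnect Client (adhoc)" path="C:\Users\asmith\AppData\Local\Temp\ScreenConnect.ClientService.exe" account="LocalSystem"',
    "host=WS-050 id=4624 logon=ok",  # different event id, ignored
]

APPROVED_RMM = {"screenconnect"}  # assumed: the org's one sanctioned RMM product

if __name__ == "__main__":
    for f in find_unapproved_rmm(SAMPLE_EVENTS, APPROVED_RMM):
        print(f"{f.host}: {f.service_name} ({f.image_path})")
        for r in f.reasons:
            print(f"  - {r}")
```

The user-writable-directory check matters because the article notes that pre-existing ScreenConnect installations were abused in the second stage: an allowlisted product is still worth flagging when a fresh copy of it appears under a user's Downloads or Temp folder. This check covers agent installation only; sessions through an already-sanctioned agent still need separate monitoring of who connected and when.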
It’s crucial to immediately block any URLs and indicators of compromise associated with this campaign across all network entry points to prevent further breaches.
