Cyber Web Spider Blog – News
Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access

Posted on January 23, 2026 by CWS

Ravie Lakshmanan | Jan 23, 2026 | Email Security / Endpoint Security
Cybersecurity researchers have disclosed details of a new dual-vector campaign that leverages stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software for persistent remote access to compromised hosts.
"Instead of deploying custom malware, attackers are bypassing security perimeters by weaponizing the very IT tools that administrators trust," KnowBe4 Threat Labs researchers Jeewan Singh Jalal, Prabhakaran Ravichandhiran, and Anand Bodke said. "By stealing a 'skeleton key' to the system, they turn legitimate Remote Monitoring and Management (RMM) software into a persistent backdoor."
The attack unfolds in two distinct waves: the threat actors first use fake invitation notifications to steal victim credentials, and then use those stolen credentials to deploy RMM tools and establish persistent access.

The bogus emails are disguised as an invitation from a legitimate platform called Greenvelope, and aim to trick recipients into clicking a phishing URL designed to harvest their Microsoft Outlook, Yahoo!, and AOL.com login information. Once this information is obtained, the attack moves to the next phase.
Specifically, the threat actor registers with LogMeIn using the compromised email address to generate RMM access tokens, which are then delivered in a follow-on attack by an executable named "GreenVelopeCard.exe" to establish persistent remote access to victim systems.
The binary, signed with a valid certificate, contains a JSON configuration that acts as a conduit to silently install LogMeIn Resolve (formerly GoTo Resolve) and connect to an attacker-controlled URL without the victim's knowledge. Because the installer is a legitimately signed RMM agent rather than custom malware, signature-based controls that trust the vendor's code-signing certificate will not flag it on their own.
With the RMM tool deployed, the threat actors use the remote access to modify its service settings so that it runs with unrestricted privileges on Windows. The attack also creates hidden scheduled tasks that automatically relaunch the RMM program even if the user manually terminates it.
To counter the threat, organizations are advised to monitor for unauthorized RMM installations and usage patterns, and to treat a LogMeIn Resolve (or any other RMM) agent that the IT team did not deploy as a compromise indicator rather than an inventory anomaly.
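The persistence described above (an RMM service reconfigured to run with high privileges, plus hidden scheduled tasks that relaunch the agent) leaves host-side artifacts that a responder can enumerate directly. The following PowerShell hunt is an added example for this article, not code from KnowBe4, The Hacker News, or LogMeIn: it checks a Windows host for installed programs, services, scheduled tasks, and running processes that match LogMeIn Resolve / GoTo Resolve names and reports the account each one runs under. The name pattern in `$RmmPattern` and the `GreenVelopeCard` string are assumptions drawn from the write-up; tune them to the RMM products your organization actually licenses, and treat any hit on a host where the IT team did not deploy the tool as unauthorized.

```powershell
# Added example (not from the KnowBe4 / THN write-up): enumerate LogMeIn Resolve /
# GoTo Resolve footprints on a Windows host. Run in an elevated PowerShell session.
# $RmmPattern is an assumption; extend it with the RMM products you need to watch.
$RmmPattern = 'logmein|goto ?resolve|gotoresolve|GreenVelopeCard'

$Findings = [System.Collections.Generic.List[object]]::new()

# 1. Installed programs from both the 64-bit and 32-bit uninstall hives.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $RmmPattern } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Type   = 'InstalledProgram'
            Name   = $_.DisplayName
            Detail = "Publisher=$($_.Publisher) InstallDate=$($_.InstallDate)"
        })
    }

# 2. Services whose binary path matches. StartName shows the account the
#    service runs as; LocalSystem on an agent nobody deployed is the red flag
#    that corresponds to "runs with unrestricted privileges" in the article.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match $RmmPattern } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Type   = 'Service'
            Name   = $_.Name
            Detail = "StartName=$($_.StartName) StartMode=$($_.StartMode) State=$($_.State) Path=$($_.PathName)"
        })
    }

# 3. Scheduled tasks whose action launches the RMM binary. Hidden tasks are
#    reported as a separate type because the campaign uses them to relaunch
#    the agent after the user kills it.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $RmmPattern) {
            $Findings.Add([pscustomobject]@{
                Type   = $(if ($task.Settings.Hidden) { 'HiddenScheduledTask' } else { 'ScheduledTask' })
                Name   = "$($task.TaskPath)$($task.TaskName)"
                Detail = "RunAs=$($task.Principal.UserId) RunLevel=$($task.Principal.RunLevel) State=$($task.State) Exec=$cmd"
            })
        }
    }
}

# 4. Live processes (Path can be empty for protected processes; ignore those).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -match $RmmPattern } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Type   = 'Process'
            Name   = "$($_.ProcessName) (PID $($_.Id))"
            Detail = "Path=$($_.Path) Start=$($_.StartTime)"
        })
    }

if ($Findings.Count -eq 0) {
    Write-Host "No RMM artifacts matching '$RmmPattern' found on $env:COMPUTERNAME."
} else {
    $Findings | Sort-Object Type, Name | Format-Table -AutoSize -Wrap
    # Non-zero exit lets an orchestration or EDR response job treat hits as a finding.
    exit 1
}
```

For fleet-wide coverage, run the same checks through your EDR's live-response or `Invoke-Command` against a list of hosts, and pair them with event-log alerts on new service installations (System log event 7045) and scheduled-task creation (Security log event 4698, which requires the "Audit Other Object Access Events" subcategory to be enabled) filtered on the same pattern, so a fresh deployment is caught at install time rather than on the next hunt.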

Source: The Hacker News. Tags: Access, Attack, Credentials, Install, LogMeIn, Persistent, Phishing, RMM, Stolen
