LogMeIn Resolve and ConnectWise ScreenConnect Abused in Phishing Attacks
Key Takeaways
- A sophisticated phishing campaign targeted over 80 U.S. organizations across various sectors.
- Attackers leveraged legitimate remote monitoring and management (RMM) tools, LogMeIn Resolve and ConnectWise ScreenConnect, to gain initial access.
- In most incidents the intrusion stopped at initial access, consistent with initial access brokers (IABs) selling the foothold on; in two incidents it led to second-stage malware: an information stealer with ValleyRAT-like behaviour, and a Java-based RAT.
- The campaign utilized convincing phishing lures, including fake event invitations and tender notices, and deployed preconfigured legitimate RMM installers.
A sophisticated phishing operation has been actively targeting organizations across the United States, abusing legitimate remote monitoring and management (RMM) software, specifically LogMeIn Resolve and ConnectWise ScreenConnect, to circumvent security controls and establish unauthorized access to victim systems. This multi-stage campaign, detailed in a Sophos analysis, sidestepped the initial deployment of traditional malware, instead weaponizing trusted, signed software to quietly gain a foothold within targeted networks before escalating further or selling the access.
The campaign’s origins trace back to April 2025, with the majority of malicious activities observed between October and November of the same year. More than 80 organizations spanning diverse industry sectors throughout the U.S. fell victim to these attacks.
Phishing Lures and Initial Compromise
Attackers initiated contact via phishing emails, some originating from compromised third-party accounts belonging to known and trusted contacts, lending an air of legitimacy to the messages. Other emails came from entirely unknown senders. Many of these deceptive communications were crafted to resemble Punchbowl event invitations, bearing subject lines such as “SPECIAL INVITATION,” while others mimicked tender solicitation notices.
Each email contained a malicious link directing recipients to attacker-controlled distribution sites. These sites hosted legitimate LogMeIn Resolve installers that were preconfigured to register the victim’s device to an account fully owned and operated by the attackers. Sophos analysts and researchers, who identified and tracked this threat activity cluster as STAC6405, noted the attackers’ dynamic infrastructure. The distribution sites frequently shifted, employing themed landing pages that mimicked legitimate services like Microsoft Teams or Norton security software, potentially adapting to user location or browser characteristics.
The malicious installer files were given innocuous names such as Invitation.exe, ContractAgreementToSign.exe, and statmtsPDF10.25.exe to further deceive victims.
Post-Compromise Activity: Initial Access Brokers and Malware Deployment
Upon execution of the downloaded file, attackers gained unattended remote access via the LogMeIn Resolve platform. The installed agent wrote a configuration file to disk containing a hard-coded relay domain controlled by the attacker and registered a Windows service using a unique ID linked to that specific configuration.
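The two on-disk artifacts described above, a configuration file carrying a hard-coded relay domain and a newly registered Windows service, are what a defender can hunt for. The following is an added example (not code from the Sophos report or from either vendor) that audits constructed "service installed" records of the shape Windows writes to the System log as Event ID 7045, plus a constructed agent configuration file, and flags RMM services whose relay host is not on an organization allowlist or whose binary lives in a user-writable path. The service names, image paths, relay hostnames and the `h=` client parameter in the sample records are assumptions for illustration, not indicators from the campaign.

```python
import re

# Constructed sample records shaped like Event ID 7045 entries (ServiceName,
# ImagePath). Names, paths and hostnames are assumptions, not real IOCs.
SAMPLE_SERVICE_EVENTS = [
    {"ServiceName": "ScreenConnect Client (a1b2c3d4e5f6)",
     "ImagePath": r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)'
                  r'\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.corp-it.example&p=443"'},
    {"ServiceName": "ScreenConnect Client (99ff00aa11bb)",
     "ImagePath": r'"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe"'
                  r' "?e=Access&y=Guest&h=relay.attacker-host.example&p=8041"'},
    {"ServiceName": "LogMeIn Resolve Agent (example-config-id)",   # assumed name
     "ImagePath": r'"C:\Users\jdoe\AppData\Local\Temp\ResolveAgent.exe"'},
    {"ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

# Constructed agent configuration text; the key names are assumptions.
SAMPLE_CONFIG = "relay=wss://relay.attacker-host.example:443\nservice_id=0f3a9c1e\n"

# Relay hosts the organization's own RMM deployment is known to use (assumed).
ALLOWED_RELAYS = {"relay.corp-it.example"}

# Substrings that identify the RMM products discussed on this page.
RMM_MARKERS = ("screenconnect", "connectwise", "logmein", "resolve")

# Path fragments that indicate a binary installed outside Program Files.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Hostname after a URL scheme or after an "h=" client parameter.
HOST_RE = re.compile(r"(?:[a-z]+://|h=)([a-z0-9.-]+\.[a-z]{2,})", re.I)


def extract_relays(text):
    """Return the set of hostnames referenced in a command line or config blob."""
    return {m.group(1).lower() for m in HOST_RE.finditer(text)}


def unknown_relays_in_config(config_text, allowed_relays=ALLOWED_RELAYS):
    """Relay hosts in an agent config that are not on the allowlist."""
    return sorted(extract_relays(config_text) - set(allowed_relays))


def audit_rmm_services(events, allowed_relays=ALLOWED_RELAYS):
    """Flag RMM-related service installs with an unknown relay or a user-writable binary."""
    findings = []
    for ev in events:
        name, path = ev["ServiceName"], ev["ImagePath"]
        blob = (name + " " + path).lower()
        if not any(marker in blob for marker in RMM_MARKERS):
            continue  # not an RMM service; out of scope for this hunt
        reasons = []
        unknown = extract_relays(path) - set(allowed_relays)
        if unknown:
            reasons.append("relay not in allowlist: " + ", ".join(sorted(unknown)))
        if any(seg in path.lower() for seg in USER_WRITABLE):
            reasons.append("service binary in user-writable path")
        if reasons:
            findings.append({"service": name, "image_path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_rmm_services(SAMPLE_SERVICE_EVENTS):
        print(f["service"], "->", "; ".join(f["reasons"]))
    print("config relays not allowlisted:", unknown_relays_in_config(SAMPLE_CONFIG))
```

The allowlist is the important part: an RMM agent that is legitimately deployed still registers a service and still carries a relay host, so the signal is not "an RMM service appeared" but "an RMM service appeared pointing at infrastructure we do not own, from a path an installer run by a user would write to".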
In the majority of observed incidents, the attack halted at this initial access stage. Threat actors typically remained dormant after gaining entry, a common characteristic of initial access broker (IAB) operations. In such cases, the stolen access is then quietly sold on underground criminal marketplaces for further exploitation by other threat groups.
Multi-Stage Payload Delivery
However, in two notable incidents, the attackers swiftly escalated their operations to a second stage. In the first instance, they exploited a pre-existing installation of ConnectWise ScreenConnect on the victim’s machine to download a ZIP archive. This archive was packed using the HeartCrypt Packer-as-a-Service tool and contained two files: HideMouse.exe, a utility designed to replace the visible mouse cursor with a transparent one, effectively concealing remote on-screen activity from the user, and 87766713.exe, a piece of malware that Sophos researchers determined exhibited behavioral similarities to ValleyRAT.
Once executed, this information stealer remained idle for four to nine minutes. This deliberate delay is a tactic often employed to outlast sandbox analysis windows and defeat heuristic detection. Following the delay, the malware injected code into csc.exe, the Microsoft C# compiler, a legitimate signed binary frequently abused as a living-off-the-land binary (LOLbin). The malware then established a connection to a command-and-control server and commenced harvesting sensitive data, including browser-stored credentials, session tokens, cryptocurrency wallet information, and system details. An embedded encrypted payload was decrypted at runtime using TripleDES.
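The delay-then-inject behaviour above leaves a recognisable trace in endpoint telemetry: a process from a user-writable path starts, sits idle, then spawns or opens csc.exe and creates a remote thread in it. The following is an added example (not from the Sophos report) that runs two rules over constructed Sysmon-style events: Event ID 1 (process creation) and Event ID 8 (CreateRemoteThread). It flags csc.exe launched by a parent outside a small assumed allowlist of build tools, and any remote thread into csc.exe, reporting how long the source process existed before injecting so the four-to-nine-minute idle window can be scored. Process GUIDs, timestamps, the parent of the stealer and the trusted-parent list are assumptions for illustration.

```python
from datetime import datetime

# Constructed Sysmon-style events (Event ID 1 = process create, 8 = CreateRemoteThread).
# Timestamps, GUIDs and parent processes are assumptions, not observed telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-11-04 09:12:03", "ProcessGuid": "{proc-stealer}",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\87766713.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                      # assumed parent
    {"EventID": 1, "UtcTime": "2025-11-04 09:15:10", "ProcessGuid": "{proc-csc-build}",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\dotnet\MSBuild.exe"},        # benign build
    {"EventID": 1, "UtcTime": "2025-11-04 09:18:40", "ProcessGuid": "{proc-csc-victim}",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\87766713.exe"},
    {"EventID": 8, "UtcTime": "2025-11-04 09:18:41",
     "SourceProcessGuid": "{proc-stealer}",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\87766713.exe",
     "TargetProcessGuid": "{proc-csc-victim}",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
]

# Parents that legitimately launch csc.exe in this (assumed) environment.
TRUSTED_CSC_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe"}

# Path fragments for binaries installed outside Program Files / Windows.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Idle window reported on this page: four to nine minutes before injection.
IDLE_MIN_S, IDLE_MAX_S = 4 * 60, 9 * 60


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_csc_injection(events, trusted_parents=TRUSTED_CSC_PARENTS):
    """Return findings for suspicious csc.exe launches and remote threads into csc.exe."""
    # Pass 1: remember when each process started, keyed by ProcessGuid.
    starts = {ev["ProcessGuid"]: (ev["Image"], parse_ts(ev["UtcTime"]))
              for ev in events if ev["EventID"] == 1}
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and basename(ev["Image"]) == "csc.exe":
            # Rule 1: csc.exe started by something other than a known build tool.
            if basename(ev["ParentImage"]) not in trusted_parents:
                findings.append({"rule": "csc_untrusted_parent",
                                 "parent": ev["ParentImage"], "delay_seconds": None})
        elif ev["EventID"] == 8 and basename(ev["TargetImage"]) == "csc.exe":
            # Rule 2: remote thread created in csc.exe; measure source process age.
            src_image, src_start = starts.get(ev["SourceProcessGuid"],
                                              (ev["SourceImage"], None))
            delay = ((parse_ts(ev["UtcTime"]) - src_start).total_seconds()
                     if src_start else None)
            reasons = ["remote thread into csc.exe from " + src_image]
            if any(seg in src_image.lower() for seg in USER_WRITABLE):
                reasons.append("source binary in user-writable path")
            if delay is not None and IDLE_MIN_S <= delay <= IDLE_MAX_S:
                reasons.append("source idled %.0fs before injecting (sandbox-evasion window)" % delay)
            findings.append({"rule": "csc_remote_thread", "source": src_image,
                             "delay_seconds": delay, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_csc_injection(SAMPLE_EVENTS):
        print(f["rule"], f.get("reasons") or f.get("parent"))
```

Rule 1 on its own is noisy in environments where PowerShell's `Add-Type` or other scripting spawns csc.exe, which is why the parent list is explicitly an assumption to tune per estate; rule 2 (a remote thread into the compiler from an unsigned binary in a temp directory) is the higher-fidelity signal, and the measured idle time is corroborating context rather than a trigger on its own.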
In the second incident, the downloaded binary launched a ConnectWise ScreenConnect client as a service alongside a Java-based remote access tool. The attacker immediately began enumerating firewall rules before Sophos, in collaboration with the affected organization, successfully contained the breach.
What You Should Do
- Restrict Software Installations: Implement strict application control policies so that only software on an approved allowlist can be installed or run; a preconfigured RMM installer dropped from a phishing link should never execute from a user's Downloads or Temp directory.
- Enforce Strong Credential Hygiene: Mandate the use of secure password managers or passkeys to strengthen authentication.
- Review RMM Tool Usage: Periodically audit and remove RMM tools like LogMeIn Resolve and ConnectWise ScreenConnect if they are not essential for daily business operations.
- Block Unauthorized RMM Tools: Utilize application control policies to actively block any unauthorized RMM tools from running on your network.
- Block Indicators of Compromise: Promptly block all known URLs and indicators of compromise associated with this campaign across all network entry points and security solutions.
- Employee Training: Conduct regular cybersecurity awareness training to educate employees about phishing tactics and the dangers of clicking suspicious links or opening unsolicited attachments.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.