LogMeIn Resolve and ConnectWise ScreenConnect Abused in Phishing Attacks

Sarah simpson
April 7, 2026

Key Takeaways

  • A sophisticated phishing campaign targeted over 80 U.S. organizations across various sectors.
  • Attackers leveraged legitimate remote monitoring and management (RMM) tools, LogMeIn Resolve and ConnectWise ScreenConnect, to gain initial access.
  • The initial access was typically sold on by initial access brokers (IABs), but in some cases it led to the deployment of information-stealer malware like ValleyRAT or Java-based RATs.
  • The campaign utilized convincing phishing lures, including fake event invitations and tender notices, and deployed preconfigured legitimate RMM installers.

A sophisticated phishing operation has been actively targeting organizations across the United States, exploiting legitimate remote monitoring and management (RMM) software, specifically LogMeIn Resolve and ConnectWise ScreenConnect, to circumvent security measures and establish unauthorized access to victim systems. This multi-stage campaign, detailed in a recent Sophos analysis, sidestepped the initial deployment of traditional malware, instead weaponizing trusted software to quietly gain a foothold within targeted networks before potentially escalating privileges or selling access.

The campaign’s origins trace back to April 2025, with the majority of malicious activities observed between October and November of the same year. More than 80 organizations spanning diverse industry sectors throughout the U.S. fell victim to these attacks.

Phishing Lures and Initial Compromise

Attackers initiated contact via phishing emails, some originating from compromised third-party accounts belonging to known and trusted contacts, lending an air of legitimacy to the messages. Other emails came from entirely unknown senders. Many of these deceptive communications were crafted to resemble Punchbowl event invitations, bearing subject lines such as “SPECIAL INVITATION,” while others mimicked tender solicitation notices.

Each email contained a malicious link directing recipients to attacker-controlled distribution sites. These sites hosted legitimate LogMeIn Resolve installers that were preconfigured to register the victim’s device to an account fully owned and operated by the attackers. Sophos analysts and researchers, who identified and tracked this threat activity cluster as STAC6405, noted the attackers’ dynamic infrastructure. The distribution sites frequently shifted, employing themed landing pages that mimicked legitimate services like Microsoft Teams or Norton security software, potentially adapting to user location or browser characteristics.

The malicious installer files were given innocuous names such as Invitation.exe, ContractAgreementToSign.exe, and statmtsPDF10.25.exe to further deceive victims.

Post-Compromise Activity: Initial Access Brokers and Malware Deployment

Upon execution of the downloaded file, attackers gained unattended remote access via the LogMeIn Resolve platform. The installed agent wrote a configuration file to disk containing a hard-coded relay domain controlled by the attacker and registered a Windows service using a unique ID linked to that specific configuration.

In the majority of observed incidents, the attack halted at this initial access stage. Threat actors typically remained dormant after gaining entry, a common characteristic of initial access broker (IAB) operations. In such cases, the stolen access is then quietly sold on underground criminal marketplaces for further exploitation by other threat groups.

Multi-Stage Payload Delivery

However, in two notable incidents, the attackers swiftly escalated their operations to a second stage. In the first instance, they exploited a pre-existing installation of ConnectWise ScreenConnect on the victim’s machine to download a ZIP archive. This archive was packed using the HeartCrypt Packer-as-a-Service tool and contained two files: HideMouse.exe, a utility designed to replace the visible mouse cursor with a transparent one, effectively concealing remote on-screen activity from the user, and 87766713.exe, a piece of malware that Sophos researchers determined exhibited behavioral similarities to ValleyRAT.

Once executed, this information stealer remained idle for four to nine minutes. This deliberate delay is a tactic often employed to bypass sandbox analysis and heuristic detection tools. Following the delay, the malware injected code into csc.exe, a legitimate Microsoft binary frequently abused as a living-off-the-land binary (LOLbin). The malware then established a connection to a command-and-control server and commenced harvesting sensitive data, including browser-stored credentials, session tokens, cryptocurrency wallet information, and system details. An embedded encrypted payload was decrypted at runtime using TripleDES cryptography.
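The csc.exe abuse described above is detectable without relying on the malware's sandbox-evasion delay: a compiler process should have a build tool as its parent, a command line, and no network activity. The rule below is an added example, not code from the article or from Sophos; the process records are constructed, and the parent allowlist is a hypothetical starting point to tune per estate.

```python
"""Flag csc.exe instances that look like injection hosts rather than compiler runs.

Added example, not from the article or Sophos: the process records below are
constructed, and the parent allowlist is a hypothetical starting point."""
from dataclasses import dataclass

# Parents that legitimately launch the C# compiler on a developer box (tune to your estate).
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass
class Proc:
    host: str
    pid: int
    name: str
    parent: str
    parent_path: str
    args: str          # command-line arguments after the image name
    net_dst: str = ""  # outbound connection recorded for this pid, if any


def csc_findings(p):
    """Return reasons a csc.exe process looks hollowed/injected rather than compiling."""
    if p.name.lower() != "csc.exe":
        return []
    reasons = []
    if p.parent.lower() not in BUILD_PARENTS:
        reasons.append(f"spawned by non-build parent {p.parent}")
    if any(d in p.parent_path.lower() for d in USER_WRITABLE):
        reasons.append(f"parent runs from user-writable path {p.parent_path}")
    if not p.args.strip():
        reasons.append("launched with no compiler arguments")
    if p.net_dst:  # a compiler has no business talking to the network
        reasons.append(f"outbound connection to {p.net_dst}")
    return reasons


def scan(procs):
    """Return {(host, pid): reasons} for every process the rule flags."""
    return {(p.host, p.pid): r for p in procs if (r := csc_findings(p))}


# Constructed records: a csc.exe spawned by the 87766713.exe malware (path and
# destination are made up), a normal MSBuild-driven compile, and unrelated noise.
SAMPLE = [
    Proc("WS-042", 4120, "csc.exe", "87766713.exe",
         "C:\\Users\\jdoe\\AppData\\Local\\Temp\\87766713.exe", "", "203.0.113.77:443"),
    Proc("DEV-03", 7788, "csc.exe", "MSBuild.exe",
         "C:\\Program Files\\Microsoft Visual Studio\\MSBuild\\Current\\Bin\\MSBuild.exe",
         "/noconfig @C:\\build\\tmp.rsp"),
    Proc("WS-042", 4000, "explorer.exe", "userinit.exe",
         "C:\\Windows\\System32\\userinit.exe", ""),
]
```

Feed it process-creation and network-connection telemetry joined on PID; the four reasons on the first record would each be worth an alert on a non-developer workstation.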

In the second incident, the downloaded binary launched a ConnectWise ScreenConnect client as a service alongside a Java-based remote access tool. The attacker immediately began enumerating firewall rules before Sophos, in collaboration with the affected organization, successfully contained the breach.

What You Should Do

  • Restrict Software Installations: Implement strict application control policies to limit software installations to an approved whitelist.
  • Enforce Strong Credential Hygiene: Mandate the use of secure password managers or passkeys to strengthen authentication.
  • Review RMM Tool Usage: Periodically audit and remove RMM tools like LogMeIn Resolve and ConnectWise ScreenConnect if they are not essential for daily business operations.
  • Block Unauthorized RMM Tools: Utilize application control policies to actively block any unauthorized RMM tools from running on your network.
  • Block Indicators of Compromise: Promptly block all known URLs and indicators of compromise associated with this campaign across all network entry points and security solutions.
  • Employee Training: Conduct regular cybersecurity awareness training to educate employees about phishing tactics and the dangers of clicking suspicious links or opening unsolicited attachments.
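The agent behaviour described under Post-Compromise Activity (a config file naming the attacker's relay domain, plus a new Windows service) gives defenders something concrete to check when implementing the "Block Unauthorized RMM Tools" recommendation: any RMM service whose relay is not one the organisation owns, or that was installed by a lure-named binary, is suspect. The script below is an added example, not the article's or Sophos's code; the record format, service names, paths and relay domains are constructed.

```python
"""Flag RMM agent service installs that look attacker-enrolled.

Added example, not from the article or Sophos: the record format, service
names, paths and relay domains below are constructed for illustration."""
import re

# Relay domains of the RMM deployments this organisation actually runs
# (hypothetical values; replace with your own inventory).
APPROVED_RELAYS = {"relay.corp-it.example", "rmm.corp-it.example"}
RMM_KEYWORDS = ("logmein", "resolve", "screenconnect", "connectwise")
# Installer file names the article reports being used as lures.
LURE_NAME_RE = re.compile(
    r"^(invitation|contractagreementtosign|statmtspdf[\d.]*)\.exe$", re.I)


def parse_event(line):
    """Parse one constructed 'key=value|key=value' service-install record."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def check_service_install(event):
    """Return reasons this service install looks like an attacker-enrolled RMM agent."""
    haystack = (event["service"] + " " + event["image"]).lower()
    if not any(k in haystack for k in RMM_KEYWORDS):
        return []  # not an RMM agent, out of scope for this rule
    reasons = []
    relay = event.get("relay", "")  # taken from the agent's on-disk config file
    if relay not in APPROVED_RELAYS:
        reasons.append(f"unapproved relay domain {relay or '<none>'}")
    installer = event.get("installer", "").rsplit("\\", 1)[-1]
    if LURE_NAME_RE.match(installer):
        reasons.append(f"installed by lure-named binary {installer}")
    return reasons


def scan(log_text):
    """Run the check over every record; return (host, service, reasons) triples."""
    findings = []
    for line in log_text.splitlines():
        event = parse_event(line)
        reasons = check_service_install(event)
        if reasons:
            findings.append((event["host"], event["service"], reasons))
    return findings


# Constructed records: approved deployment, attacker-enrolled agent, unrelated service, lure-installed agent on an approved relay.
SAMPLE_LOG = """\
host=WS-017|service=LogMeIn Resolve Agent|image=C:\\Program Files\\LogMeIn Resolve\\agent.exe|relay=relay.corp-it.example|installer=C:\\it-deploy\\resolve-setup.exe
host=WS-042|service=LogMeIn Resolve Agent|image=C:\\ProgramData\\LogMeIn Resolve\\agent.exe|relay=a1b2c3.attacker-relay.invalid|installer=C:\\Users\\jdoe\\Downloads\\Invitation.exe
host=WS-042|service=Spooler|image=C:\\Windows\\System32\\spoolsv.exe|relay=|installer=
host=WS-058|service=ScreenConnect Client|image=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe|relay=rmm.corp-it.example|installer=C:\\Users\\asmith\\Downloads\\statmtsPDF10.25.exe
"""
```

The relay value is the piece an application-control allowlist alone cannot see: a legitimately signed installer passes policy, so the relay domain in the written config is what distinguishes your deployment from the attacker's.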

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.