Threat Actors Exploit LogMeIn Resolve, ScreenConnect in Phishing Campaigns

Cybercriminals are exploiting legitimate remote monitoring and management (RMM) tools LogMeIn Resolve and ScreenConnect in a multi-stage phishing operation that combines social engineering, living-off-the-land techniques, and stealthy malware delivery.

Sophos’ Managed Detection and Response (MDR) teams first identified this activity in April 2025, with the majority of malicious actions occurring between October and November 2025. More than 80 organizations across various sectors in the US were affected.

The core aim of the campaign was to trick users into installing pre-configured RMM agents, granting attackers persistent, unattended remote access. Crucially, the initial stage rarely involved dropping traditional malware.

Sophos tracks this threat cluster as STAC6405, with evidence suggesting active infrastructure, indicating ongoing operations.

Red Canary and Zscaler previously documented similar invitation-themed phishing campaigns distributing RMM tools, findings largely corroborated by Sophos. Like these earlier attacks, STAC6405 demonstrates a clear shift towards leveraging legitimate IT tools for establishing and maintaining attacker footholds.

Phishing lures and delivery

The attackers primarily used themed phishing emails with links to compromised or attacker-controlled distribution sites. Messages could come from compromised trusted partners or unknown senders. Themes ranged from Punchbowl event invitations (e.g., “SPECIAL INVITATION”) to tender or bid invitations.

These sites delivered pre-configured installers for LogMeIn Resolve or ScreenConnect designed to silently enroll the victim device into an attacker-controlled account upon execution.

Attackers initially used subdomains under a .ru[.]com-style domain, later rotating to domains like mastorpasstop[.]top, evitereview[.]de, and evitesecured[.]top. Some incorporated “evite” branding matching the invitation theme.

A Norton-themed distribution website (Source : SOPHOS).
A Norton-themed distribution website (Source : SOPHOS).

Landing pages often mimicked Microsoft Teams or Norton branding, suggesting active theme tweaking to enhance lure credibility or evade simple pattern-based detections.

Similar to earlier operations, Sophos observed sites dynamically redirecting based on user-agent strings and serving error pages to non-Windows/non-Android devices. However, Sophos retrieved ScreenConnect installers from this ecosystem without observing blocking behavior.

Upon running the downloaded binary (e.g., Invitation.exe, ContractAgreementToSign.exe, or SPCL_INVITE_RSVP_2025.exe), LogMeIn Resolve silently installs and enrolls the endpoint into the attacker-controlled tenant. The agent creates a configuration file with a hard-coded relay domain and registers a dedicated Windows service using a unique UID linked to that configuration, distinct from any pre-existing RMM deployments.

Following execution of the downloaded binary, LogMeIn Resolve is installed (Source : SOPHOS).
Following execution of the downloaded binary, LogMeIn Resolve is installed (Source : SOPHOS).

In most cases, malicious activity ceased after this initial access step, consistent with initial access broker (IAB) operations where attackers establish persistent access, “park” the foothold for monitoring or sale, or monitor detection.

In one incident, attackers escalated within less than an hour of LogMeIn Resolve installation. They used a pre-existing ScreenConnect installation to pull down a HeartCrypt-packed ZIP archive (8776_6713_exe.zip) containing HideMouse.exe and 8776_6713.exe.

HideMouse.exe replaces the visible mouse cursor with a transparent one, obscuring on-screen activity during remote sessions. The 8776_6713.exe executable is assessed as a malicious infostealer. This malware injects its payload into a legitimate game binary using HeartCrypt’s code-injection capabilities.

The malware uses tight loop-based delays (common sandbox evasion) for roughly four to nine minutes before injecting into csc.exe (a known LOLBin). It then connects to C2 at 45[.]56.162.138, decrypts an embedded payload using TripleDES, exhibiting behavior similar to ValleyRAT loaders.

Post-compromise activities include harvesting browser-stored credentials and session data, targeting cryptocurrency wallets, enumerating host information via WMI, and querying security products using WMI ExecQuery against AntiVirusProduct.

Alternate path: Bundled RMM chain

In another instance, the initial payload was a ScreenConnect-based installer (invite.exe) configured to join a session via relay[.]aceheritagehouse[.]top:8041 and grant interactive access. Beyond launching ScreenConnect as a service, the binary started a Java-based remote access stack (RemoteAccess.jar and jwrapper_utils.jar) within a bundled JRE, then enumerated firewall rules and abused SimpleService.exe from JWrapper to register its own service (simplegateway.service) and execute Remote Access.exe.

This secondary binary is believed linked to SimpleHelp, another legitimate RMM solution, and further invoked jwrapper.JWrapper with remoteaccess‑jar‑with‑dependencies.jar and supporting libraries to expand remote access options.

Defenders managed to contain this incident in coordination with the impacted customer before attackers escalated further.

The STAC6405 campaign underscores the increasing abuse of trusted third-party services—including email accounts and commercial RMM platforms—to bootstrap access and persistence with minimal malware use. For defenders, this reinforces the need to treat RMM deployments and configuration changes as high-value events, enforce strict allow-lists for remote tools, and scrutinize even legitimate-looking invitation-themed attachments or executables.

Related Articles

Back to top button