Threat actors are actively abusing legitimate remote monitoring and management (RMM) tools such as LogMeIn Resolve and ScreenConnect in a sophisticated multi-stage phishing campaign that blends social engineering, living-off-the-land techniques, and stealthy malware deployment.

First observed by Sophos MDR teams in April 2025, the campaign tracked as STAC6405 peaked between October and November 2025 and has impacted more than 80 organizations, primarily in the United States. Unlike traditional attacks, the campaign focuses on tricking users into installing pre-configured RMM agents, granting attackers persistent, unattended remote access without immediately deploying conventional malware.

The attack begins with phishing emails themed around meeting invitations or business proposals, often impersonating trusted platforms such as Microsoft Teams. Victims are redirected to malicious websites hosting genuine, vendor-signed RMM installers that have been pre-configured to connect to attacker-controlled RMM instances. Once executed, the agent enrolls the device with the attacker's instance and gives them a persistent, unattended remote session that looks like ordinary IT management traffic.

In many cases, attackers pause activity after initial access, suggesting the involvement of Initial Access Brokers (IABs), who later sell the access on underground markets. In some instances, however, rapid second-stage activity was observed: attackers used the RMM session they already held to deploy malware, including infostealers concealed with advanced packing techniques and injected into trusted system processes.

The malware employs multiple evasion tactics, such as delayed execution and abusing legitimate system binaries, before initiating communication with command-and-control infrastructure. Post-compromise actions include harvesting browser credentials, accessing cryptocurrency wallets, and enumerating system and security data.

An alternate infection chain involved bundling multiple RMM tools and Java-based remote access frameworks, enabling attackers to expand control across compromised environments. This highlights a growing trend of chaining legitimate tools together to deepen persistence while avoiding detection.

This campaign underscores a shift in attacker tradecraft toward trusted enterprise tools instead of traditional malware as the initial payload, precisely because a signed RMM agent rarely trips endpoint controls. Security experts recommend treating any RMM deployment that IT did not approve as a high-risk event, enforcing strict allowlists of approved tools, install locations and launching accounts, and closely scrutinizing invite-themed emails and executable attachments, even when they appear to originate from known sources.
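The allowlist recommendation above can be turned into a concrete detection rule. The following is an added example, not code from the article or from Sophos: it evaluates constructed process-creation records (the kind Sysmon or an EDR emits) against an approved-deployment allowlist and flags RMM binaries that run from the wrong path, as the wrong account, from a user-writable directory, or as a child of a browser, mail client or Explorer. The executable-name fragments, the allowlist entry and the sample events are all assumptions for illustration and should be replaced with your own inventory.

```python
"""Allowlist check for RMM agent launches over constructed process events.

Added example; not part of the article. RMM_SIGNATURES, ALLOWLIST and
SAMPLE_EVENTS are illustrative assumptions, not facts reported by Sophos.
"""
from dataclasses import dataclass
from typing import Optional

# Executable-name fragments per tool (assumption: adjust to the binaries
# actually present in your estate).
RMM_SIGNATURES = {
    "ScreenConnect": ("screenconnect",),
    "LogMeIn Resolve": ("logmein", "gotoresolve"),
}

# Approved deployments (assumption): the tool, the install root it may run
# from, and the accounts allowed to launch it. Anything else is unauthorized.
ALLOWLIST = [
    {
        "tool": "ScreenConnect",
        "path_prefix": r"c:\program files (x86)\screenconnect client",
        "users": {r"nt authority\system"},
    },
]

# Directories a user-driven, unmanaged install typically lands in.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")
# Parents that mean a user ran something a browser or mail client delivered,
# rather than a management channel installing a service.
USER_DRIVEN_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


@dataclass
class ProcEvent:
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process
    user: str          # account the new process runs as


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def identify_rmm(image: str) -> Optional[str]:
    """Return the RMM tool name if the image matches a known fragment."""
    name = basename(image)
    for tool, fragments in RMM_SIGNATURES.items():
        if any(fragment in name for fragment in fragments):
            return tool
    return None


def is_allowlisted(tool: str, ev: ProcEvent) -> bool:
    image, user = ev.image.lower(), ev.user.lower()
    return any(
        entry["tool"] == tool
        and image.startswith(entry["path_prefix"])
        and user in entry["users"]
        for entry in ALLOWLIST
    )


def evaluate(ev: ProcEvent) -> Optional[dict]:
    """Return a finding for an RMM launch, or None for non-RMM processes."""
    tool = identify_rmm(ev.image)
    if tool is None:
        return None
    allowed = is_allowlisted(tool, ev)
    reasons = [] if allowed else ["not on RMM allowlist (tool/path/account)"]
    if any(d in ev.image.lower() for d in USER_WRITABLE):
        reasons.append("runs from a user-writable directory")
    parent = basename(ev.parent_image)
    if parent in USER_DRIVEN_PARENTS:
        reasons.append(f"launched by {parent} (user-driven install)")
    severity = "high" if not allowed else ("medium" if reasons else "info")
    return {"tool": tool, "severity": severity, "reasons": reasons}


def scan(events):
    """Findings for every RMM launch, approved ones included, so the analyst
    sees the RMM inventory as well as the alerts."""
    findings = []
    for ev in events:
        finding = evaluate(ev)
        if finding is not None:
            findings.append((ev.image, finding))
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    ProcEvent(r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
              r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Users\jdoe\Downloads\ScreenConnect.Client.exe",
              r"C:\Windows\explorer.exe", r"CORP\jdoe"),
    ProcEvent(r"C:\Users\jdoe\AppData\Local\Temp\LogMeInResolve-setup.exe",
              r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", r"CORP\jdoe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", r"CORP\jdoe"),
]

if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["tool"], image)
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the samples, the service launched by services.exe from the approved path as SYSTEM is reported as informational inventory, while the two installers run from Downloads and Temp by a user, with Explorer and a browser as parents, are flagged high. The design point is that the allowlist keys on path and launching account, not just the product name, because the campaign uses the genuine vendor binary: a signature-based "is this ScreenConnect" check alone would pass the attacker's copy.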
