STAC6405
STAC6405 is a threat activity cluster tracked by Sophos. Sophos reported that this cluster conducted a phishing campaign beginning as early as April 2025, with most observed activity in October and November 2025, affecting more than 80 organizations across multiple sectors, predominantly in the United States. The campaign used invitation-themed phishing lures, including Punchbowl-style invitations and tender solicitation themes, with emails sent both from compromised trusted third-party accounts and from unknown senders.

The cluster abused legitimate remote monitoring and management tools for initial access, primarily LogMeIn Resolve and in some cases ScreenConnect. Phishing emails linked to attacker-controlled distribution sites hosting legitimate LogMeIn Resolve installers preconfigured to register victim devices to attacker-controlled accounts. Sophos observed rotating infrastructure and themed landing pages, including Microsoft Teams- and Norton-themed branding, and domains including mastorpasstop[.]top, evitereview[.]de, evitesecured[.]top, and .ru[.]com infrastructure. Observed installer names included Invitation.exe, ContractAgreementToSign.exe, Diverse-Build-Solution.exe, invt-list2025.exe, SPCL_INVITE_RSVP_2025.exe, and statmts_PDF-10.25.exe.

After execution, the attackers obtained unattended remote access through LogMeIn Resolve; the agent wrote a configuration file with a hard-coded attacker-controlled relay domain and registered a Windows service with a unique UID. In most observed cases, activity stopped after the RMM tool was installed. Sophos assessed this pattern as consistent with possible initial access brokerage, dormant persistence, or victim research prior to follow-on action.

In two observed incidents, STAC6405 conducted second-stage activity. In one case, the actor used a pre-existing ScreenConnect installation to download 8776_6713_exe.zip, packed with HeartCrypt. The archive contained HideMouse.exe, which replaced the cursor with a transparent one to conceal remote activity, and 8776_6713.exe, an infostealer Sophos assessed as behaviorally similar to ValleyRAT. The malware delayed execution for roughly four to nine minutes, injected into csc.exe, decrypted an embedded payload at runtime using TripleDES, connected to 45[.]56.162.138, and harvested browser credentials, session artifacts, cryptocurrency wallet data, host information, security product information via WMI, and imaging and camera device information.

In another incident, a downloaded binary named invite.exe installed ScreenConnect configured to connect to relay[.]aceheritagehouse[.]top:8041 as a Guest client, launched Java-based components RemoteAccess.jar and jwrapper_utils.jar inside a bundled JRE, enumerated firewall rules, abused JWrapper SimpleService.exe to register simplegateway.service, and executed Remote Access.exe, which Sophos assessed as related to SimpleHelp. Sophos and the affected customer contained that intrusion before further action occurred.

No nation-state attribution is stated in the provided content. No aliases or sub-groups are provided beyond the Sophos tracking name STAC6405.
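The observations above translate directly into host-level hunting logic: lure installer names, the listed domains and IP, an RMM client talking to a relay your organisation never sanctioned, csc.exe making outbound connections, and the JWrapper service registration. The following is an added illustration for this profile, not Sophos or Mallory code. It runs constructed endpoint events through those checks; the event schema (type/host/image/dest/port/name fields), the substring heuristic for recognising RMM client processes, the approved-relay allowlist and all sample hostnames and file paths are assumptions, while the indicators themselves are the ones quoted in the text.

```python
"""Triage constructed endpoint telemetry against the STAC6405 indicators described
above.  Added example for this profile, not Sophos or Mallory code.  The event
schema and the RMM process-name heuristic are assumptions; sample paths and
hostnames are constructed placeholders."""
from collections import namedtuple

Finding = namedtuple("Finding", "rule host detail")

# Indicators as given in the reporting summarised above (defanged as written there).
LURE_INSTALLERS = {
    "invitation.exe", "contractagreementtosign.exe", "diverse-build-solution.exe",
    "invt-list2025.exe", "spcl_invite_rsvp_2025.exe", "statmts_pdf-10.25.exe", "invite.exe",
}
SECOND_STAGE_FILES = {
    "8776_6713_exe.zip", "hidemouse.exe", "8776_6713.exe",
    "remoteaccess.jar", "jwrapper_utils.jar", "remote access.exe",
}
KNOWN_DOMAINS = {"mastorpasstop[.]top", "evitereview[.]de", "evitesecured[.]top",
                 "relay[.]aceheritagehouse[.]top"}
KNOWN_IPS = {"45[.]56.162.138"}
SUSPICIOUS_SERVICES = {"simplegateway.service"}
INJECTION_TARGET = "csc.exe"                    # the infostealer injected into csc.exe before C2
RMM_NAME_TAGS = ("screenconnect", "logmein")    # assumption: substring match on image name


def refang(indicator: str) -> str:
    """Turn the defanged form used in reporting ('a[.]b') back into a matchable host."""
    return indicator.replace("[.]", ".").lower()


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_known_infrastructure(dest: str) -> bool:
    """True if dest is a listed IP/domain or a subdomain of a listed domain."""
    dest = dest.lower()
    for ind in KNOWN_DOMAINS | KNOWN_IPS:
        host = refang(ind)
        if dest == host or dest.endswith("." + host):
            return True
    return False


def is_rmm_process(image: str) -> bool:
    return any(tag in basename(image) for tag in RMM_NAME_TAGS)


def triage(events, approved_relays):
    """Return one Finding per event that matches a behaviour from the report.

    approved_relays: relay hosts your own RMM deployment is expected to reach.
    Any RMM client reaching a host outside that set is reported, because both
    LogMeIn Resolve and ScreenConnect were seen preconfigured for actor relays.
    """
    approved = {h.lower() for h in approved_relays}
    findings = []
    for ev in events:
        host, name = ev["host"], basename(ev.get("image", ""))
        if ev["type"] == "process":
            if name in LURE_INSTALLERS:
                findings.append(Finding("lure_installer_executed", host, name))
            elif name in SECOND_STAGE_FILES:
                findings.append(Finding("second_stage_component", host, name))
        elif ev["type"] == "network":
            dest, where = ev["dest"].lower(), f"{name} -> {ev['dest']}:{ev['port']}"
            if is_known_infrastructure(dest):
                findings.append(Finding("known_stac6405_infrastructure", host, where))
            elif is_rmm_process(ev["image"]) and dest not in approved:
                findings.append(Finding("rmm_relay_not_approved", host, where))
            if name == INJECTION_TARGET:        # a compiler has no business talking outbound
                findings.append(Finding("csc_exe_network_activity", host, where))
        elif ev["type"] == "service":
            svc = ev["name"].lower()
            if svc in SUSPICIOUS_SERVICES or name == "simpleservice.exe":
                findings.append(Finding("jwrapper_service_registration", host, f"{svc} ({name})"))
    return findings


# Constructed sample telemetry (hostnames and paths are placeholders, not from the report).
APPROVED_RELAYS = {"relay.corp.example"}
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Users\u\Downloads\Invitation.exe"},
    {"type": "network", "host": "ws01", "image": r"C:\RMM\logmein-resolve-agent.exe",
     "dest": "relay.evitesecured.top", "port": 443},
    {"type": "network", "host": "ws02", "image": r"C:\RMM\ScreenConnect.ClientService.exe",
     "dest": "relay.aceheritagehouse.top", "port": 8041},
    {"type": "network", "host": "ws02",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "dest": "45.56.162.138", "port": 443},
    {"type": "service", "host": "ws02", "name": "simplegateway.service",
     "image": r"C:\Users\u\AppData\Local\Temp\jre\SimpleService.exe"},
    {"type": "network", "host": "ws03", "image": r"C:\RMM\ScreenConnect.ClientService.exe",
     "dest": "relay.corp.example", "port": 8041},             # sanctioned relay: no finding
    {"type": "network", "host": "ws04", "image": r"C:\RMM\ScreenConnect.ClientService.exe",
     "dest": "relay.unlisted-vendor.example", "port": 8041},  # unknown relay: reported
    {"type": "process", "host": "ws04", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, APPROVED_RELAYS):
        print(f"{f.host:5} {f.rule:32} {f.detail}")
```

The allowlist rule is the one that survives infrastructure rotation: domain and IP matches expire as the actor moves, but an RMM client registered to a relay outside the set your IT team actually operates is the property the report describes in every case, whether the tool was LogMeIn Resolve or ScreenConnect.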
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
21 distinct techniques observed across reporting, grouped by tactic.
Observables
7 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A phishing-led intrusion cluster targeting more than 80 organizations in the United States, using legitimate RMM tools such as LogMeIn Resolve and ScreenConnect to gain unauthorized access. The activity appears consistent with initial access broker behavior, with limited follow-on activity in most cases and rapid second-stage payload delivery in a small number of incidents.
A phishing-driven initial access campaign abusing legitimate RMM tools such as LogMeIn Resolve and ScreenConnect to gain unattended remote access to victim systems. In a small number of observed cases, follow-on activity included deployment of an infostealer and a Java-based remote access payload.