LogMeIn
LogMeIn is a legitimate remote access and remote monitoring and management (RMM) tool that threat actors have abused to establish persistent access on compromised systems. The reporting collected here ties LogMeIn to several intrusion sets and campaigns; it is not a malware family in its own right, and the binary the attackers install is the unmodified, signed vendor software.

In the May 2022 Cisco intrusion, LogMeIn was observed alongside TeamViewer: an actor assessed with moderate-to-high confidence as an initial access broker tied to UNC2447 and Lapsus$ gained VPN access through a compromised employee account, vishing and MFA fatigue, then installed remote access tools including LogMeIn. Scattered Spider members likewise deploy RMM software including LogMeIn to establish persistence on compromised networks, typically after impersonating IT or help desk personnel and persuading victims to run commercial RMM tools themselves.

In the "Skeleton Key" campaign analyzed by KnowBe4 Threat Labs, attackers used Greenvelope-themed phishing emails and spoofed login pages to harvest credentials, generated legitimate RMM access tokens, and executed GreenVelopeCard.exe to deploy LogMeIn and GoTo Resolve, relying on the signed vendor software to evade signature-based detection. The campaign combined registry manipulation, Windows service abuse and hidden scheduled tasks for persistence with encrypted HTTPS communications to official GoTo infrastructure, so its command-and-control traffic is indistinguishable from sanctioned RMM use at the network layer. Other reporting describes victims being prompted to download RMM tools such as LogMeIn, AnyDesk or ScreenConnect, giving attackers persistent access to the compromised systems.

High-confidence indicators cited in this reporting are the file name GreenVelopeCard.exe and the GoTo Resolve infrastructure console[.]gotoresolve[.]com and devices-iot[.]console[.]gotoresolve[.]com, both from the Skeleton Key activity. Because that infrastructure belongs to the vendor, the domains are useful as indicators only where GoTo Resolve is not an approved tool, or when correlated with a first-seen agent installation on the host.
Groups observed using it
4 distinct threat actors attributed by public researchers.
"We also observed the installation of additional remote access tools, such as TeamViewer and LogMeIn."
In many cases, victims were prompted to download remote monitoring and management tools such as LogMeIn, AnyDesk or ScreenConnect, giving attackers persistent access to compromised systems.
Techniques & procedures
10 distinct techniques documented for this family, grouped by tactic. The labels below loosely follow ATT&CK; Stealth and Defense Impairment both correspond to the ATT&CK Defense Evasion tactic.
Initial Access
1 technique
“Operation DoppelBrand… using cloned banking and technology portals to steal credentials… The phishing sites closely replicated legitimate login pages…”
Execution
2 techniques
“VBS loader scripts (3-6KB) that download MSI installers (21-25MB)… VBS script checks for administrator privileges… Downloads legitimate LogMeIn/AnyDesk/ScreenConnect installer”
"To proceed, victims must download and execute a provided ‘update’ before being allowed to join."
Stealth
3 techniques
Payload: The executable is not custom malware but a "Potentially Unwanted Program" (PUP) — a legitimate, signed version of GoTo Resolve (formerly LogMeIn) remote access software. Execution: By abusing this "Living Off the Land" (LotL) tool, the attacker bypasses most signature-based antivirus detections.
Defense Impairment
1 technique
"The payload, disguised as a software update, is a digitally signed remote monitoring and management (RMM) tool..."
Lateral Movement
1 technique
“The group has also abused remote access tools like AnyDesk and LogMeIn to maintain their access to victim networks and blend in with administrator activity.”
Command and Control
2 techniques
This leads the user to download a file disguised as a document or statement (e.g., Statements05122025.exe, Invoice06092025.exe.bin).
Remote Access Software [T1219]: Ransomware threat actors will use legitimate software to maintain an interactive session on victim systems. Common tools observed in Q3 were AnyDesk, TeamViewer, LogMeIn and TightVNC.
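One way to turn the behaviours on this page into a hunt over endpoint telemetry: the loader chain from the Execution entry (a VBS script host launching msiexec on a downloaded installer), the lure file names from the Command and Control entry, the hidden scheduled tasks, service and registry persistence from the description, and agent check-ins to the GoTo Resolve console domains. This is an added example, not code from the original page or from Mallory. It runs over constructed Sysmon- and Windows-event-style records embedded in the block; the field names, the `STANDARD_INSTALL_PREFIX` path heuristic, the rule names and the `approved_hosts` allowlist are assumptions made for illustration.

```python
"""Hunt for abused-RMM artifacts (LogMeIn / GoTo Resolve and similar) in endpoint telemetry.

Added example, not code from the original page or from Mallory. Field names imitate the
Windows event schemas: Sysmon EventID 1 (process create), 13 (registry value set) and
22 (DNS query); Security 4698 (scheduled task created); System 7045 (service installed).
The SAMPLE_EVENTS below are constructed, not captured from a real incident.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Domains named on the page (written defanged there).
RMM_DOMAINS = {"console.gotoresolve.com", "devices-iot.console.gotoresolve.com"}
# RMM product names this page and its quoted sources mention.
RMM_NAME_RE = re.compile(r"logmein|gotoresolve|goto resolve|anydesk|screenconnect|teamviewer", re.I)
# Lure file names quoted on the page: Statements05122025.exe, Invoice06092025.exe.bin
LURE_RE = re.compile(r"^(statements?|invoice)\d{6,8}\.exe(\.bin)?$", re.I)
# Assumption: a vendor-installed RMM client lives under Program Files (covers "(x86)" too).
STANDARD_INSTALL_PREFIX = "c:\\program files"


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def hunt(events: list[dict], approved_hosts: frozenset[str] = frozenset()) -> list[Finding]:
    """Return one Finding per matching event. Hosts with sanctioned RMM use are skipped."""
    findings: list[Finding] = []
    for e in events:
        host = e.get("Computer", "?")
        if host in approved_hosts:
            continue
        eid = e.get("EventID")
        if eid == 1:
            image, parent = e.get("Image", ""), e.get("ParentImage", "")
            name = image.rsplit("\\", 1)[-1]
            # Loader chain from the page: a VBS script host launching msiexec on a downloaded MSI.
            if re.search(r"\\[wc]script\.exe$", parent, re.I) and name.lower() == "msiexec.exe":
                findings.append(Finding("script_host_spawns_msiexec", host, e.get("CommandLine", "")))
            # Lure-named executables, including the GreenVelopeCard.exe dropper named on the page.
            if LURE_RE.match(name) or name.lower() == "greenvelopecard.exe":
                findings.append(Finding("lure_named_executable", host, image))
            # An RMM client binary running from outside its normal install location.
            if RMM_NAME_RE.search(name) and not image.lower().startswith(STANDARD_INSTALL_PREFIX):
                findings.append(Finding("rmm_binary_unusual_path", host, image))
        elif eid == 4698:
            # Hidden scheduled task, or a task whose action runs an RMM binary.
            xml = e.get("TaskContent", "")
            if "<Hidden>true</Hidden>" in xml or RMM_NAME_RE.search(xml):
                findings.append(Finding("suspicious_scheduled_task", host, e.get("TaskName", "")))
        elif eid == 7045:
            # New service whose binary path names an RMM product.
            if RMM_NAME_RE.search(e.get("ImagePath", "")):
                findings.append(Finding("rmm_service_installed", host, e.get("ServiceName", "")))
        elif eid == 13:
            # Run-key or Services registry value pointing at an RMM binary.
            target, details = e.get("TargetObject", ""), e.get("Details", "")
            if re.search(r"\\CurrentVersion\\Run\\|\\Services\\", target, re.I) and RMM_NAME_RE.search(details):
                findings.append(Finding("rmm_persistence_registry", host, target))
        elif eid == 22:
            # Agent check-in to the vendor's cloud console (legitimate infrastructure, abused here).
            q = e.get("QueryName", "").lower()
            if q in RMM_DOMAINS or q.endswith(".gotoresolve.com"):
                findings.append(Finding("rmm_cloud_console_dns", host, q))
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry; WS01 is the "victim", HELPDESK02 a sanctioned RMM user
    {"Computer": "WS01", "EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Users\a\AppData\Local\Temp\update.msi /qn"},
    {"Computer": "WS01", "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\a\Downloads\GreenVelopeCard.exe", "CommandLine": "GreenVelopeCard.exe"},
    {"Computer": "WS01", "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\a\Downloads\Statements05122025.exe", "CommandLine": "Statements05122025.exe"},
    {"Computer": "WS01", "EventID": 4698, "TaskName": r"\Microsoft\Windows\Update\Sync",
     "TaskContent": "<Task><Settings><Hidden>true</Hidden></Settings><Actions><Exec>"
                    "<Command>C:\\Users\\a\\AppData\\Roaming\\LogMeIn\\LMI.exe</Command></Exec></Actions></Task>"},
    {"Computer": "WS01", "EventID": 7045, "ServiceName": "UpdateSvc",
     "ImagePath": r"C:\ProgramData\GoToResolve\agent.exe"},
    {"Computer": "WS01", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\a\AppData\Roaming\LogMeIn\LMI.exe"},
    {"Computer": "WS01", "EventID": 22, "QueryName": "devices-iot.console.gotoresolve.com"},
    {"Computer": "HELPDESK02", "EventID": 22, "QueryName": "console.gotoresolve.com"},
    {"Computer": "WS02", "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe", "CommandLine": "LogMeIn.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, approved_hosts=frozenset({"HELPDESK02"})):
        print(f"{f.rule:28} {f.host:10} {f.detail}")
```

Run as a script, the block prints seven findings, all on WS01; the vendor-path LogMeIn client on WS02 and the sanctioned help desk host are not reported. Where LogMeIn or GoTo Resolve is an approved tool, the DNS and service rules fire on every legitimate installation, which is the "blend in with administrator activity" problem the quoted sources describe, so pass the hosts or groups permitted to run it as `approved_hosts` and treat a first install on any other host as the signal.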
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Legitimate RMM tool abused for persistence and remote control after phishing-driven initial access.
A legitimate remote monitoring and management tool abused by threat actors for persistent remote access and defense evasion in the described campaign.
Legitimate RMM tool referenced as being deployed/abused in the campaign to provide remote access to victim systems after credential compromise.
Legitimate remote administration software abused for persistent remote access and operator control post-compromise.