Social-engineering campaigns abusing legitimate remote access tools (ScreenConnect and RustDesk)
Two separate social-engineering campaigns are abusing legitimate remote access software to obtain interactive control of victim systems. One phishing operation uses fake party invitation emails—often appearing to come from compromised email accounts—to lure recipients to a spoofed invitation webpage that pressures them to download and run an RSVPPartyInvitationCard.msi installer. Malwarebytes researchers reported the activity primarily targeting the UK, with the MSI using msiexec.exe to silently install the ScreenConnect remote support client, enabling attackers to access files, credentials, and other sensitive data.
A different, automated campaign is targeting RustDesk users by bombarding exposed RustDesk IDs with unsolicited connection requests labeled “Go Client” from many IPs/IDs. The activity is described as not exploiting a RustDesk vulnerability; instead it relies on users mistakenly clicking Accept, after which the botnet can run scripted actions to deploy additional malware and establish persistence. Recommended mitigations include refusing unexpected connection prompts and configuring RustDesk to require a password (and strong credentials) for session acceptance, reducing the risk of one-click authorization leading to takeover.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Spanish-language invoice campaign abuses ScreenConnect installers
By 2026-03-12, researchers documented an active campaign using Spanish- and English-language invoice lures to install legitimately signed ConnectWise ScreenConnect clients configured for attacker-controlled relays, giving persistent unattended access. The report identified live infrastructure on 80.76.49[.]161 and described an obfuscated VBS dropper that elevated privileges, downloaded the MSI, installed it silently, and removed the installer.
RustDesk warns users to harden remote-access settings
As the RustDesk connection-flooding campaign was reported, the RustDesk team recommended requiring passwords for incoming connections, using strong passwords, and considering self-hosting with protected server details. Additional mitigations included ACLs in the Professional self-hosted edition, 2FA, and IP whitelisting to restrict access to trusted sources.
Fake party-invitation campaign deploys ScreenConnect in the UK
A phishing campaign used fake party-invitation emails, often sent from compromised accounts, to trick recipients into downloading an MSI that silently installed the legitimate ScreenConnect remote access client. Malwarebytes reported the activity as primarily targeting users in the United Kingdom, giving attackers persistent remote control over infected Windows systems.
Automated botnet campaign begins targeting RustDesk IDs
In late January 2026, attackers launched an opportunistic botnet-driven campaign that scanned for active RustDesk IDs and sent unsolicited connection requests from many IP addresses and identifiers. The activity relied on social engineering rather than a software vulnerability, attempting to trick users into accepting a connection from a client labeled "Go Client."
STAC6405 begins phishing campaign using LogMeIn Resolve and ScreenConnect
Beginning as early as April 2025, Sophos says threat cluster STAC6405 targeted more than 80 organizations across multiple U.S. sectors with phishing lures such as Punchbowl invitations and tender solicitations. The attackers delivered legitimate RMM tools, primarily LogMeIn Resolve and sometimes ScreenConnect, preconfigured for attacker-controlled remote access to establish persistent initial access.
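The ScreenConnect clients in the entries above are legitimate, signed software, so what separates an abusive install from a sanctioned one is the relay it is configured to call. The triage below is an added example, not code from any of the cited reports. It assumes the commonly observed client service command line in which the relay host and port are the h= and p= parameters, and the approved relay list, host names and sample events are constructed placeholders.

```python
import re
from urllib.parse import parse_qs

# Assumption: relays your own ScreenConnect deployment uses (placeholder value).
APPROVED_RELAYS = {"relay.corp.example"}

# Constructed events shaped like Windows "service installed" (ID 7045) records.
SAMPLE_EVENTS = [
    {"host": "WS-014", "image_path":
     r'"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d5e6f7a8b)'
     r'\ScreenConnect.ClientService.exe" "?e=Access&y=Guest'
     r'&h=relay.corp.example&p=443&s=CONSTRUCTED&k=CONSTRUCTED"'},
    {"host": "WS-022", "image_path":
     r'"C:\Program Files (x86)\ScreenConnect Client (0f0e0d0c0b0a0908)'
     r'\ScreenConnect.ClientService.exe" "?e=Access&y=Guest'
     r'&h=192.0.2.10&p=8041&s=CONSTRUCTED&k=CONSTRUCTED"'},
    {"host": "SRV-03", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"host": "WS-031", "image_path":
     r'"C:\Program Files (x86)\ScreenConnect Client (ffff000011112222)'
     r'\ScreenConnect.ClientService.exe"'},
]

SC_BINARY = re.compile(r"ScreenConnect\.ClientService\.exe", re.I)
PARAMS = re.compile(r'\?([^"\s]+)')

def relay_of(image_path):
    """Return (host, port) for a ScreenConnect client command line, else None."""
    if not SC_BINARY.search(image_path):
        return None
    m = PARAMS.search(image_path)
    if not m:
        return ("", "")  # ScreenConnect binary, but no launch parameters found
    q = parse_qs(m.group(1), keep_blank_values=True)
    return (q.get("h", [""])[0].lower(), q.get("p", [""])[0])

def triage(events, approved=APPROVED_RELAYS):
    """List (endpoint, relay, reason) for clients not tied to an approved relay."""
    findings = []
    for ev in events:
        relay = relay_of(ev["image_path"])
        if relay is None:
            continue  # not a ScreenConnect client service
        host, port = relay
        if not host:
            findings.append((ev["host"], "", "relay not parseable"))
        elif host not in approved:
            findings.append((ev["host"], f"{host}:{port}", "unapproved relay"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

An unparseable command line is reported rather than skipped, so a client whose parameters are stored elsewhere still gets reviewed.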
Sources
Threat Actors Abuse LogMeIn Resolve and ScreenConnect in Multi-Stage Phishing Attacks (cybersecuritynews.com)
The ScreenConnect Epidemic: Inside a Live Spanish-Language Invoice Campaign With a Panel Still Serving Payloads - Breakglass Intelligence (intel.breakglass.tech)
ScreenConnect RMM Abuse: 25+ Weaponized Installers, Amadey Loader Delivery, and 4 OVH Relay Servers Mapped in One-Week Campaign Surge - Breakglass Intelligence (intel.breakglass.tech)
Beware of Malicious Party Invitations that Tricks Users into Installing Remote Access Tools (cybersecuritynews.com)
The "Go Client" Trap: Why Your RustDesk ID is Currently Under Automated Botnet Siege (securityonline.info)


