Phishing Campaigns Weaponize Legitimate RMM Tools for Remote Access and Credential Theft
Threat researchers reported multiple phishing-driven intrusions in which attackers impersonate trusted brands and agencies to trick victims into installing legitimate remote monitoring and management (RMM) software for persistent access. In Operation DoppelBrand, financially motivated actor GS7 spoofed Fortune 500 financial and technology brands (including Wells Fargo and USAA) using more than 150 lookalike domains to harvest credentials and exfiltrate data via attacker-controlled Telegram bots; researchers also identified nearly 200 additional domains with short registration terms, automated SSL, wildcard DNS, and brand-specific subdomains supporting the campaign.
Separately, Forcepoint X-Labs described a wave of emails impersonating the U.S. Social Security Administration that delivers an attached .cmd script to weaken Windows defenses and enable silent installation of ConnectWise ScreenConnect. The script checks/elevates privileges, disables Windows SmartScreen via registry changes, removes Mark-of-the-Web, and uses Alternate Data Streams (ADS) for stealth before installing an MSI and configuring ScreenConnect (via System.config) to beacon to an attacker-controlled server (reported as dof-connecttop on port 8041). Both activity sets highlight a recurring tradecraft pattern: brand impersonation + scripted defense evasion + abuse of legitimate RMM tooling (e.g., LogMeIn Resolve, ScreenConnect) to gain remote control and facilitate follow-on theft or persistence.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
SOCRadar attributes Doppelbrand to threat actor GS7
SOCRadar attributed Operation Doppelbrand to a financially motivated threat actor tracked as GS7 and assessed the campaign's automated infrastructure, brand impersonation, and RMM abuse as especially dangerous. The findings were publicly reported after the campaign's December 2025 to January 2026 activity window.
Researchers link ScreenConnect campaign to Iranian network infrastructure
Analysis of the ScreenConnect campaign found the installed client configured to call back on port 8041 to infrastructure associated with the Aria Shatel Company Ltd network in Iran. Researchers also noted use of ScreenConnect version 25.2.4.9229 signed with a revoked certificate.
Forcepoint observes ScreenConnect phishing campaign using SSA lures
Forcepoint X-Labs reported a wave of attacks targeting organizations in the UK, US, Canada, and Northern Ireland with phishing emails impersonating the U.S. Social Security Administration. The emails carried malicious .cmd attachments that weakened Windows protections, disabled SmartScreen, removed Mark-of-the-Web protections, and then installed ConnectWise ScreenConnect for persistent remote access.
Attackers run Doppelbrand through January with broad phishing infrastructure
Through January 2026, the Doppelbrand campaign continued using more than 150 lookalike domains and delivered legitimate RMM tools such as LogMeIn Resolve, along with MSI installers and VBS loaders for stealthy installation, privilege escalation, and persistence. Researchers later identified roughly 200 additional related domains sharing common registration and DNS patterns.
Operation Doppelbrand begins spoofing Fortune 500 brands
A phishing campaign later dubbed Operation Doppelbrand began in December 2025, impersonating major financial, technology, and insurance brands including Wells Fargo and USAA. The operation used lookalike domains to harvest credentials and exfiltrate stolen data through attacker-controlled Telegram bots.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Invitation-Themed Phishing Installs Legitimate RMM Tools for Persistent Access
Sophos X-Ops reported that a phishing campaign tracked as **STAC6405** used invitation-themed lures to trick targets into installing legitimate remote monitoring and management tools, including **LogMeIn Resolve** and **ScreenConnect**, giving attackers unattended remote access. The activity was first observed in April 2025, peaked in October and November 2025, and affected more than 80 organizations, primarily in the United States. Sophos said some phishing links were still active at the time of reporting, indicating the campaign may still be ongoing. In most intrusions, the attackers stopped after establishing remote access, suggesting the operation may support initial access brokerage or maintain dormant persistence for later use. In two cases, however, the compromise advanced to second-stage activity: one intrusion deployed a **HeartCrypt**-packed infostealer that hid the mouse cursor, injected into `csc.exe`, contacted `45[.]56.162.138`, and stole browser, wallet, and system data; another used a ScreenConnect-based payload bundled with Java components and a likely **SimpleHelp**-related remote access binary to obtain interactive access before defenders contained the incident.
May 25, 2026
Phishing Campaigns Abuse Digital Invites and Fake Meeting Pages to Steal Credentials and Deploy RMM Tools
Threat actors are abusing the familiarity of **digital invitation and meeting platforms** to increase phishing success rates. Cofense reported malicious *Punchbowl/Paperless Post*-themed invitations that prompt recipients to “log in to view event details,” then redirect to phishing infrastructure offering branded sign-in options (e.g., **Microsoft, Yahoo, AOL, Google, Dropbox**) to harvest credentials. The phishing flow may solicit multiple credential sets by returning fake login errors and urging users to try alternate accounts; submitted credentials are exfiltrated to attacker-controlled domains, often leveraging newly registered domains to evade reputation-based defenses. Separately, Netskope research (reported by KnowBe4) described **fake video meeting invites** for *Zoom, Microsoft Teams, Google Meet,* and similar services that lead to spoofed “join meeting” pages showing purported coworkers already on the call. Victims are instructed to install a required “update” to join; the payload is a **digitally signed remote monitoring and management (RMM) tool** such as *Datto RMM, LogMeIn,* or *ScreenConnect*, enabling remote access and potential follow-on activity including data theft or deployment of additional malware. The use of legitimate, signed RMM software can blend into normal enterprise traffic and may bypass controls where such tools are pre-approved.
Mar 26, 2026
Federal Employees Hit by Phishing Campaign Abusing ScreenConnect and AnyDesk
CISA, the NSA, and MS-ISAC warned that a financially motivated phishing campaign targeted U.S. federal civilian executive branch personnel by abusing legitimate remote monitoring and management tools, notably **ScreenConnect** and **AnyDesk**. Help desk-themed phishing emails and typosquatted domains impersonating brands including Norton, Geek Squad, Amazon, Microsoft, McAfee, and PayPal lured victims into downloading portable RMM executables that often required no installation or administrator privileges, giving attackers remote access to victim systems. The attackers used that access to run **refund scams**, manipulating victims’ online bank account views and convincing them to send money back to the fraudsters. The agencies said the same foothold could also support persistence, command and control, lateral movement, or resale of access to other criminal or state-linked actors, and urged defenders to review indicators of compromise, audit RMM usage, monitor execution of portable binaries, restrict remote access pathways, block common RMM ports, and strengthen phishing defenses and user awareness. ConnectWise said legitimate software can be misused by threat actors and that it pursues takedowns of malicious sites when notified.
May 29, 2026