Phishing Campaigns Abuse Legitimate Monitoring and Remote-Access Tools for Stealthy Takeover
Security researchers reported multiple phishing campaigns that impersonate trusted brands to trick users into installing legitimate enterprise software repurposed for surveillance and remote control. One campaign uses fake Zoom and Google Meet “meeting room” pages that simulate a waiting room experience (participant names, audio cues, and a persistent “network issue” message) and then pressure victims with a forced “update required” download via a countdown timer. After execution, a modified Teramind agent is installed in stealth mode (no visible icons/notifications), enabling extensive monitoring such as keystroke capture, screenshots, browsing history, and clipboard collection.
A separate campaign targets cryptocurrency users by impersonating the Yoroi Desktop Wallet and advertising a “security upgrade” via a polished landing page hosted on a recently registered domain (hxxps://download[.]v1desktop-yoroiwallet[.]com/). The download chain redirects to a file-sharing service and delivers an MSI (YoroiDesktop-installer.msi) that does not install a wallet; instead it installs GoTo Resolve (LogMeIn) in unattended mode for silent remote access. Reported artifacts include YoroiDesktop-installer.msi (hash 8634AD3C6488D6A27719C5341E91EEB9) and unattended-updater.exe (hash 2A2D9B03AA6185F434568F5F4C42BF49), along with configuration values indicating enrollment into a preconfigured remote-access fleet (e.g., CompanyId: 5504330483880245799, FleetTemplateName: syn-prd-ava-unattended).
Related Entities
Organizations
Affected Products
Sources
Related Stories
Phishing and software impersonation campaigns delivering malware via trusted services
Microsoft reported ongoing **OAuth abuse** campaigns targeting government and public-sector organizations, where phishing emails lure users into clicking links that leverage legitimate identity-provider redirect behavior (e.g., **Microsoft Entra ID** and other OAuth providers) to send victims to attacker-controlled pages for malware delivery and potential device takeover. Lures included e-signature requests, Teams meeting recordings, Microsoft 365 password resets, and political themes; Microsoft said it disabled identified malicious OAuth applications but warned related activity persists and requires continued monitoring. Separately, researchers described multiple **deception-based malware delivery** operations that rely on impersonation of trusted brands and software rather than exploiting product vulnerabilities. One campaign spoofed **Zoom** and **Google Meet** to install the legitimate *Teramind* monitoring agent for covert surveillance, using fake landing pages and a Microsoft Store lookalike, persistence via services (including `tsvchst` and `pmon`), and traffic masking via built-in SOCKS5 proxy support; defenders were advised to check for related drivers (e.g., `tm_filter.sys`, `tmfsdrv2.sys`) and artifacts under *ProgramData*. Another campaign used a lookalike domain (`filezilla-project[.]live`) to distribute a trojanized portable **FileZilla 3.69.5** bundle that adds a malicious DLL for DLL search-order hijacking, enabling credential theft (including saved FTP credentials) and C2 activity—highlighting a broader trend of **trusted software impersonation** and search/SEO poisoning as an initial access vector.
2 weeks ago
Phishing Campaigns Weaponize Legitimate RMM Tools for Remote Access and Credential Theft
Threat researchers reported multiple phishing-driven intrusions in which attackers impersonate trusted brands and agencies to trick victims into installing legitimate remote monitoring and management (RMM) software for persistent access. In **Operation DoppelBrand**, financially motivated actor **GS7** spoofed Fortune 500 financial and technology brands (including **Wells Fargo** and **USAA**) using more than **150** lookalike domains to harvest credentials and exfiltrate data via attacker-controlled **Telegram bots**; researchers also identified nearly **200** additional domains with short registration terms, automated SSL, wildcard DNS, and brand-specific subdomains supporting the campaign. Separately, Forcepoint X-Labs described a wave of emails impersonating the **U.S. Social Security Administration** that delivers an attached `.cmd` script to weaken Windows defenses and enable silent installation of **ConnectWise ScreenConnect**. The script checks/elevates privileges, disables **Windows SmartScreen** via registry changes, removes **Mark-of-the-Web**, and uses **Alternate Data Streams (ADS)** for stealth before installing an MSI and configuring ScreenConnect (via `System.config`) to beacon to an attacker-controlled server (reported as `dof-connecttop` on port `8041`). Both activity sets highlight a recurring tradecraft pattern: **brand impersonation + scripted defense evasion + abuse of legitimate RMM tooling** (e.g., *LogMeIn Resolve*, *ScreenConnect*) to gain remote control and facilitate follow-on theft or persistence.
3 weeks ago
Phishing Campaigns Delivering Malware via Disguised, Signed Installers and Malicious Attachments
Security researchers reported active phishing activity targeting enterprise users by impersonating routine workplace workflows (e.g., meeting invites, invoices, and document notifications) to trick recipients into running malware. One campaign used executables masquerading as *Microsoft Teams*, *Zoom*, and *Adobe Acrobat Reader* installers (e.g., `msteams.exe`, `zoomworkspace.clientsetup.exe`, `adobereader.exe`, `invite.exe`) that appeared trustworthy because they were **digitally signed** with an Extended Validation (EV) certificate issued to **TrustConnect Software PTY LTD**. Microsoft Defender telemetry attributed the activity to an unknown threat actor and assessed the approach as a deliberate, multi-wave effort designed to bypass user suspicion and basic security controls. After execution, the signed malware deployed **remote monitoring and management (RMM)** tooling—reported examples include **ScreenConnect**, **Tactical RMM**, and **Mesh Agent**—to establish persistent remote access and enable follow-on actions across affected environments. Separately, reporting also highlighted phishing lures distributing **malicious ISO attachments** embedded in job application/resumé-themed emails, reinforcing that attackers continue to rely on socially engineered business processes (recruiting and HR workflows in particular) to deliver initial payloads and gain a foothold.
5 days ago