Invitation-Themed Phishing Installs Legitimate RMM Tools for Persistent Access
Sophos X-Ops reported that a phishing campaign tracked as STAC6405 used invitation-themed lures to trick targets into installing legitimate remote monitoring and management tools, including LogMeIn Resolve and ScreenConnect, giving attackers unattended remote access. The activity was first observed in April 2025, peaked in October and November 2025, and affected more than 80 organizations, primarily in the United States. Sophos said some phishing links were still active at the time of reporting, indicating the campaign may still be ongoing.
In most intrusions, the attackers stopped after establishing remote access, suggesting the operation may support initial access brokerage or maintain dormant persistence for later use. In two cases, however, the compromise advanced to second-stage activity: one intrusion deployed a HeartCrypt-packed infostealer that hid the mouse cursor, injected into csc.exe, contacted 45[.]56.162.138, and stole browser, wallet, and system data; another used a ScreenConnect-based payload bundled with Java components and a likely SimpleHelp-related remote access binary to obtain interactive access before defenders contained the incident.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Sophos reports campaign remains potentially ongoing
At the time of Sophos reporting, some phishing links tied to STAC6405 were still active, indicating the campaign may still have been ongoing. In most observed cases, the attackers stopped after establishing remote access, suggesting possible initial access brokerage or dormant persistence.
STAC6405 campaign reaches peak activity
The phishing campaign was most active during October and November 2025. Sophos said the activity ultimately affected more than 80 organizations, primarily in the United States.
Another intrusion uses ScreenConnect-based payload for interactive access
In a separate incident, the attackers used a ScreenConnect-based payload bundled with Java components and a likely SimpleHelp-related remote access binary to gain interactive access. The customer contained the intrusion before further activity was described.
Attackers deploy HeartCrypt-packed infostealer in one follow-on intrusion
In one incident following initial remote access, the attackers quickly moved to second-stage activity by deploying a HeartCrypt-packed infostealer. The malware hid the mouse cursor, injected into csc.exe, contacted 45.56.162.138, and stole browser, wallet, and system data.
STAC6405 phishing campaign first observed
Sophos X-Ops first saw evidence of the invitation-themed phishing campaign tracked as STAC6405 in April 2025. The lures were used to trick targets into installing legitimate remote monitoring and management tools for attacker-controlled unattended access.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Incident responders, s'il vous plait: Invites lead to odd malware events | SOPHOS
sophos.com
Open sourceZoom phishing: Fake SSA alerts & ConnectWise ScreenConnect abuse
kaseya.com
Open sourceRogue RMMs: RMM Abuse Has a New GoTo
blackpointcyber.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaigns Weaponize Legitimate RMM Tools for Remote Access and Credential Theft
Threat researchers reported multiple phishing-driven intrusions in which attackers impersonate trusted brands and agencies to trick victims into installing legitimate remote monitoring and management (RMM) software for persistent access. In **Operation DoppelBrand**, financially motivated actor **GS7** spoofed Fortune 500 financial and technology brands (including **Wells Fargo** and **USAA**) using more than **150** lookalike domains to harvest credentials and exfiltrate data via attacker-controlled **Telegram bots**; researchers also identified nearly **200** additional domains with short registration terms, automated SSL, wildcard DNS, and brand-specific subdomains supporting the campaign. Separately, Forcepoint X-Labs described a wave of emails impersonating the **U.S. Social Security Administration** that delivers an attached `.cmd` script to weaken Windows defenses and enable silent installation of **ConnectWise ScreenConnect**. The script checks/elevates privileges, disables **Windows SmartScreen** via registry changes, removes **Mark-of-the-Web**, and uses **Alternate Data Streams (ADS)** for stealth before installing an MSI and configuring ScreenConnect (via `System.config`) to beacon to an attacker-controlled server (reported as `dof-connecttop` on port `8041`). Both activity sets highlight a recurring tradecraft pattern: **brand impersonation + scripted defense evasion + abuse of legitimate RMM tooling** (e.g., *LogMeIn Resolve*, *ScreenConnect*) to gain remote control and facilitate follow-on theft or persistence.
Mar 21, 2026
Phishing Campaigns Abuse Digital Invites and Fake Meeting Pages to Steal Credentials and Deploy RMM Tools
Threat actors are abusing the familiarity of **digital invitation and meeting platforms** to increase phishing success rates. Cofense reported malicious *Punchbowl/Paperless Post*-themed invitations that prompt recipients to “log in to view event details,” then redirect to phishing infrastructure offering branded sign-in options (e.g., **Microsoft, Yahoo, AOL, Google, Dropbox**) to harvest credentials. The phishing flow may solicit multiple credential sets by returning fake login errors and urging users to try alternate accounts; submitted credentials are exfiltrated to attacker-controlled domains, often leveraging newly registered domains to evade reputation-based defenses. Separately, Netskope research (reported by KnowBe4) described **fake video meeting invites** for *Zoom, Microsoft Teams, Google Meet,* and similar services that lead to spoofed “join meeting” pages showing purported coworkers already on the call. Victims are instructed to install a required “update” to join; the payload is a **digitally signed remote monitoring and management (RMM) tool** such as *Datto RMM, LogMeIn,* or *ScreenConnect*, enabling remote access and potential follow-on activity including data theft or deployment of additional malware. The use of legitimate, signed RMM software can blend into normal enterprise traffic and may bypass controls where such tools are pre-approved.
Mar 26, 2026
Threat actors abuse shortcut files and legitimate RMM tools to gain persistent access to Windows systems
Threat actors are increasingly relying on *living-off-the-land* techniques and trusted tooling to establish persistent access on Windows endpoints. One campaign used weaponized Windows shortcut (`.LNK`) files disguised as investment-related PDFs to deliver **MoonPeak**, a remote access trojan assessed as a **XenoRAT** variant and linked to North Korea–aligned activity targeting South Korean investors and cryptocurrency traders. Opening the `.LNK` launches an obfuscated PowerShell-driven, multi-stage infection chain while displaying a decoy PDF; analysis also tied payload hosting to attacker-controlled GitHub repositories, reflecting “Living Off Trusted Sites (LOTS)” tradecraft. A separate dual-wave intrusion chain used phishing emails masquerading as *Greenvelope* invitations to steal webmail credentials (e.g., Outlook, Yahoo, AOL), then used the compromised accounts to register for and silently deploy **LogMeIn Resolve** (formerly *GoTo Resolve*) for persistent remote access. The installer (`GreenVelopeCard.exe`) was described as signed and configured to connect to attacker-controlled infrastructure, with follow-on actions including modifying service settings for elevated access and creating hidden scheduled tasks for resilience. Related threat intelligence reporting also highlighted broader “rogue RMM” abuse trends, including **Remcos** and **NetSupport Manager** delivery via paste-and-run lures and PowerShell/`cmd` execution chains (including use of the `finger` utility to fetch remote payloads), underscoring that adversaries are operationalizing legitimate remote administration software as a stealthy backdoor mechanism.
Mar 21, 2026