Current Cyber Threats

Unwanted Gifts: Major Campaign Lures Targets with Fake Party Invites

Summary:
A persistent, highly active threat actor, known for initially leveraging the ScreenConnect RMM software, has modified its tactics. The group is now infecting victim systems with multiple RMM tools, including LogMeIn Resolve, Naverisk, SimpleHelp, PDQ, and Atera, often installing them sequentially and long after the initial breach is successful. Symantec initially noticed the change in tactics in June 2025, when the adversary began employing SimpleHelp in attacks. In October 2025, the attackers were mainly observed deploying LogMeIn Resolve and Naverisk in addition to ScreenConnect. The campaign, active since at least April 2025, consistently starts with phishing emails using diverse lures like holiday party invites, invoices, or Zoom meeting links. These emails contain malicious URLs linking to setup executables or MSI installers. Once one of the primary RMMs (initially ScreenConnect, but now also others like LogMeIn Resolve) is installed, it is used to deploy a secondary toolset designed for post-exploitation. This varied toolset frequently includes tools like HideMouse.exe (to obscure mouse cursor movement), WebBrowserPassView (for browser credential harvesting), and Defender Control (to disable Windows Defender protections). The motivation for deploying multiple RMMs is unclear, but possibilities include increasing network dwell time to maximize returns, creating redundancy for persistent access, or potentially needing to rotate tools due to the use of trial licenses.

Security Officer Comments:
The shift from ScreenConnect to multi-RMM deployment signifies a concerning move towards increased redundancy and resilience in the threat actor's operations. The deliberate, staggered installation of these legitimate administrative tools suggests a calculated effort to mask persistent access and bypass defenses by avoiding reliance on a single, widely abused RMM product. The consistent deployment of credential-harvesting and publicly available security-disabling tools underscores their primary objective once initial access is achieved, regardless of which RMM tool facilitates the initial foothold.

Suggested Corrections:
As organizations adjust to increased remote connections to corporate resources, they must do so securely. Within OT environments and critical infrastructure, this is critically important, as operators and engineers will require secure remote access to industrial assets in order to ensure process availability and safety. Security practitioners are encouraged to do the following:
  • Verify VPN versions are patched and up to current versions
  • Monitor remote connections, particularly those to OT networks and ICS devices
  • Enforce granular user-access permissions and administrative controls
  • Enforce multi-factor authentication
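The multi-RMM pattern described above gives defenders a concrete thing to hunt for: a single host on which more than one remote-management product appears over a span of weeks or months, followed by the secondary toolset named in the report. The script below is an added example and is not code from Symantec or from the page; it implements that check over process-creation records. Everything in it is an assumption for illustration: the record format (timestamp, host, user, image path), the keyword table, which matches product and tool names from the report against the image path rather than real agent binary names (those vary by vendor and version and should be replaced with your own software inventory), and the sample log lines, which are constructed and depict no real host.

```python
"""Flag hosts where several RMM products appear over time (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime

# Keyword table built from the product names in the report. Matching on the
# product name inside the image path is an ASSUMPTION for this example; real
# agent executable names differ per vendor and version, so tune this to your
# own installer inventory before relying on it.
RMM_KEYWORDS = {
    "screenconnect": "ScreenConnect",
    "logmein": "LogMeIn Resolve",
    "naverisk": "Naverisk",
    "simplehelp": "SimpleHelp",
    "pdq": "PDQ",
    "atera": "Atera",
}
# Secondary tooling the report names as the post-exploitation toolset.
POST_EXPLOIT_KEYWORDS = {
    "hidemouse": "HideMouse",
    "webbrowserpassview": "WebBrowserPassView",
    "defendercontrol": "Defender Control",
    "defender control": "Defender Control",
}

# CONSTRUCTED sample process-creation records: timestamp host user image_path.
# These are made up for this example and are not log lines from the report.
SAMPLE_LOG = r"""
2025-04-03T09:12:44 WS-0142 jdoe C:\Users\jdoe\Downloads\HolidayParty_Invite.exe
2025-04-03T09:13:01 WS-0142 jdoe C:\Program Files (x86)\ScreenConnect Client\client.exe
2025-06-18T14:02:10 WS-0142 jdoe C:\Program Files\SimpleHelp\agent.exe
2025-06-18T14:05:55 WS-0142 jdoe C:\Users\jdoe\AppData\Local\Temp\WebBrowserPassView.exe
2025-10-07T11:40:19 WS-0142 jdoe C:\Program Files\LogMeIn Resolve\agent.exe
2025-10-07T11:41:02 WS-0142 jdoe C:\Users\jdoe\AppData\Local\Temp\HideMouse.exe
2025-05-12T08:00:00 WS-0077 msmith C:\Program Files\Atera\agent.exe
2025-05-12T08:30:00 WS-0077 msmith C:\Windows\System32\notepad.exe
"""


def parse_log(text):
    """Parse 'timestamp host user image' records, one per line (blank lines skipped)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image = line.split(maxsplit=3)
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "user": user, "image": image})
    return records


def classify(image):
    """Return ('rmm', label), ('post_exploit', label) or None for an image path."""
    low = image.lower()
    for kw, label in RMM_KEYWORDS.items():
        if kw in low:
            return ("rmm", label)
    for kw, label in POST_EXPLOIT_KEYWORDS.items():
        if kw in low:
            return ("post_exploit", label)
    return None


def find_multi_rmm_hosts(records, min_families=2):
    """Group records by host and flag hosts with >= min_families distinct RMM
    products. For each flagged host also report the calendar span between the
    first and last RMM execution (the staggered-install signal) and any
    secondary tools seen after the first RMM appeared."""
    by_host = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_host[rec["host"]].append(rec)
    findings = {}
    for host, recs in by_host.items():
        rmm, post = [], []
        for rec in recs:
            hit = classify(rec["image"])
            if hit is None:
                continue
            kind, label = hit
            if kind == "rmm":
                rmm.append((rec["ts"], label))
            elif rmm:  # only count secondary tooling once an RMM is present
                post.append(label)
        families = sorted({label for _, label in rmm})
        if len(families) >= min_families:
            findings[host] = {
                "rmm_families": families,
                "span_days": (rmm[-1][0] - rmm[0][0]).days,
                "post_exploit_tools": post,
            }
    return findings


if __name__ == "__main__":
    for host, f in find_multi_rmm_hosts(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {len(f['rmm_families'])} RMM products over {f['span_days']} days "
              f"{f['rmm_families']}; secondary tools: {f['post_exploit_tools']}")
```

On the constructed sample, WS-0077 runs a single RMM product and is not flagged, while WS-0142 is flagged for three products spread over roughly six months with credential-harvesting and cursor-hiding tools following the installs. The threshold of two families and the "after the first RMM" rule for secondary tooling are deliberate choices: a single sanctioned RMM agent is normal in most fleets, and the report's sequence (RMM first, then the secondary toolset) is what distinguishes this campaign from routine administration.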
Link(s):
https://www.security.com/threat-intelligence/rmm-logmein-attacks