Attackers weaponize LogMeIn RMM via phishing for system access
Gugu Ntsele January 28, 2026
Cybersecurity researchers have uncovered a dual-vector phishing campaign that steals credentials through fake invitations, then uses those credentials to deploy legitimate Remote Monitoring and Management (RMM) software as a persistent backdoor into compromised systems.
What happened
The attack operates in two waves, targeting victims through deceptive email communications. Threat actors send bogus emails disguised as invitations from Greenvelope, a legitimate platform, containing phishing URLs designed to harvest Microsoft Outlook, Yahoo!, and AOL.com login credentials. Once credentials are stolen, attackers register with LogMeIn using the compromised email addresses to generate RMM access tokens. These tokens are then deployed through an executable file named "GreenVelopeCard.exe" to establish persistent remote access. The binary, signed with a valid certificate, contains a JSON configuration that silently installs LogMeIn Resolve (formerly GoTo Resolve) and connects to attacker-controlled URLs without victim knowledge. After deployment, attackers modify service settings to run with unrestricted Windows access and establish hidden scheduled tasks that automatically relaunch the RMM program even if users manually terminate it.
Going deeper
The attack involves the following process:
- Threat actors bypass security perimeters by weaponizing trusted IT tools rather than deploying custom malware
- The executable uses valid digital signatures to avoid detection
- JSON configuration files enable silent installation without user interaction
- Service modifications grant unrestricted Windows access privileges
- Hidden scheduled tasks ensure persistence even after manual termination attempts
- Attackers effectively turn legitimate RMM software into a persistent backdoor by stealing what researchers call a "skeleton key" to the system
What was said
According to cybersecurity researchers, "Instead of deploying custom viruses, attackers are bypassing security perimeters by weaponizing the necessary IT tools that administrators trust."
They further explained, "By stealing a 'skeleton key' to the system, they turn legitimate Remote Monitoring and Management (RMM) software into a persistent backdoor."
According to a Paubox report on healthcare email security, Amy Larson DeCarlo, Principal Analyst at Global Data, noted that "cybercriminals are exploiting the biggest vulnerability within any organisation: humans." She added, "As progress in artificial intelligence (AI) and analytics continues to advance, hackers will find more inventive and effective ways to capitalise on human weakness in areas of (mis)trust, the desire for expediency, and convenient rewards."
Andrew Hicks, Partner and National HITRUST Practice Lead at Frazier & Deeter Advisory, LLC, stated in the same report that organizations "rely on infosec policies, user training, or manually enforced controls—rather than implementing automated, policy-driven email encryption solutions." He warned that "this overreliance on human-dependent safeguards introduces unnecessary risk and undermines the integrity of outbound email protection strategies."
In the know
Remote Monitoring and Management (RMM) software represents legitimate IT tools that administrators use to remotely manage, monitor, and maintain computer systems and networks. These tools provide system access and control capabilities, making them valuable for IT operations but also attractive targets for abuse by threat actors. When compromised or weaponized, RMM tools can provide attackers with the same privileged access that legitimate administrators possess, allowing them to control systems, execute commands, and maintain persistence without deploying traditional malware that security software might detect.
Why it matters
By weaponizing RMM tools that organizations already trust and use, attackers can bypass traditional security controls that focus on blocking malicious software. The dual-vector approach makes detection harder because the RMM software itself is legitimate and commonly used in enterprise environments. Organizations that rely on RMM tools for legitimate IT operations now face the challenge of distinguishing authorized from malicious use of the same software. The persistence mechanisms employed mean that even if victims detect unusual activity, the threat can automatically restore itself, requiring more thorough remediation. The attack also shows the weakness of human-dependent security controls, as the entire compromise chain begins with users falling for credential-harvesting phishing emails.
The bottom line
Organizations must implement monitoring systems to detect unauthorized RMM installations and unusual usage patterns. Simply blocking RMM tools isn't practical since they serve legitimate business functions, making behavioral monitoring and credential protection essential defenses against this type of attack.
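The monitoring the article calls for can start with a plain inventory audit: any RMM agent that IT did not deploy is suspect, and a service or scheduled task that relaunches it is the persistence tell described above. The following is an added example, not code from the Paubox article or from LogMeIn; the record schema, install path, service and task names are constructed and must be mapped to the fields your EDR or inventory tool actually exports.

```python
# Added example (not from the Paubox article or LogMeIn): audit host inventory
# records for RMM agents IT never approved, plus the service and scheduled-task
# artefacts the campaign used for persistence. All names below are constructed.

# Case-insensitive markers for the product abused here (LogMeIn Resolve,
# formerly GoTo Resolve). Extend with the RMM agents present in your estate.
RMM_MARKERS = ("logmein", "gotoresolve", "goto resolve")

def exe_of(command: str) -> str:
    """Lower-cased executable path from a service/task command line."""
    cmd = command.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd[1:].lower()
    return cmd.split()[0].lower() if cmd else ""

def looks_like_rmm(path: str) -> bool:
    return any(m in path.lower() for m in RMM_MARKERS)

def audit_host(host: dict, approved: set) -> list:
    """Return (finding_type, detail) pairs. `approved` holds lower-cased paths of
    RMM binaries IT deployed; an empty set means no RMM agent is expected."""
    findings, rogue = [], set()
    for proc in host["processes"]:
        img = proc["image"].lower()
        if looks_like_rmm(img) and img not in approved:
            rogue.add(img)
            findings.append(("unapproved_rmm_process", proc["image"]))
    for svc in host["services"]:
        img = exe_of(svc["image"])
        if looks_like_rmm(img) and img not in approved:
            rogue.add(img)
            # the campaign also reconfigured the service's account/privileges
            findings.append(("unapproved_rmm_service", f"{svc['name']} as {svc['account']}"))
    for task in host["tasks"]:
        exe = exe_of(task["action"])
        # A scheduled task that relaunches a rogue RMM binary is the persistence tell.
        if exe in rogue or (looks_like_rmm(exe) and exe not in approved):
            findings.append(("rmm_relaunch_task", task["name"]))
    return findings

# Constructed sample host; RESOLVE_EXE is a made-up install path.
RESOLVE_EXE = r"C:\Program Files\GoTo\GoTo Resolve\GoToResolve.exe"
SAMPLE_HOST = {
    "processes": [{"image": RESOLVE_EXE}, {"image": r"C:\Windows\explorer.exe"}],
    "services": [{"name": "GoToResolveSvc", "image": f'"{RESOLVE_EXE}"', "account": "LocalSystem"},
                 {"name": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe", "account": "LocalSystem"}],
    "tasks": [{"name": r"\Microsoft\Windows\Updater", "action": f'"{RESOLVE_EXE}" --silent'},
              {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "action": r"%windir%\system32\defrag.exe -c"}],
}

if __name__ == "__main__":
    print(audit_host(SAMPLE_HOST, approved=set()))
```

Run against the constructed host with an empty approved set, the audit yields three findings (process, service and relaunch task); adding the same path to `approved` silences all of them, which is how a deliberately deployed agent is kept out of the alert stream.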
FAQs
Could this attack chain be adapted to other RMM platforms besides LogMeIn?
Yes, similar credential-driven techniques could be used to abuse other RMM tools that allow silent installation and token-based access.
How difficult would it be for attackers to automate this type of campaign at scale?
Once phishing infrastructure and token generation are in place, attacks can be automated.
Are small and mid-sized organizations more at risk than large enterprises?
Smaller organizations often have fewer monitoring controls for RMM abuse, making them attractive targets.