Phishing campaign deploys specialized tools to access 80+ organizations
Farah Amod
April 27, 2026
Attackers sent phishing emails disguised as event invitations and tender notices to trick recipients into installing remote monitoring software that gave them unattended, largely undetected access to victim systems without deploying any traditional malware. The campaign reached more than 80 organizations.
What happened
Security researchers have documented a phishing campaign targeting organizations across the United States that weaponized legitimate remote monitoring and management (RMM) tools, LogMeIn Resolve for initial access and, in some cases, a pre-existing ScreenConnect installation for follow-on activity, to establish unauthorized access to victim systems. According to CyberSecurityNews, the campaign began as early as April 2025, with the bulk of activity concentrated between October and November of that year. More than 80 organizations across multiple industry sectors were affected.
Attackers sent phishing emails from two kinds of sources: compromised accounts belonging to the recipients' known contacts, which lent the messages credibility, and entirely unknown senders. The emails were designed to resemble Punchbowl event invitations with subject lines such as "SPECIAL INVITATION" or to mimic tender solicitation notices. Each contained a link to an attacker-controlled site hosting a legitimate LogMeIn Resolve installer, preconfigured to enroll the victim's device in an account owned and controlled by the attacker.
Going deeper
The malicious installer files used names designed to appear routine, including Invitation.exe, ContractAgreementToSign.exe, and statmtsPDF10.25.exe. Once a victim executed the file, the attacker gained unattended remote access through the LogMeIn Resolve platform: the installed agent wrote a configuration file to disk with a hard-coded relay domain controlled by the attacker and registered a Windows service using a unique ID tied to that configuration. In most cases the attackers stopped there and remained idle after gaining initial access, a pattern consistent with initial access broker operations, in which stolen access is sold on criminal marketplaces for further exploitation.
In two observed incidents, attackers moved quickly to a second stage, using a pre-existing ScreenConnect installation to download additional tools, including a payload researchers assessed as behaviorally similar to a known infostealer. That payload sat idle for four to nine minutes after execution, a delay intended to outlast sandbox analysis, before injecting code into a legitimate Windows binary and connecting to a command-and-control server to harvest browser-stored credentials, session tokens, cryptocurrency wallet data, and system details.
What was said
Researchers described the campaign's distribution infrastructure as having shifted repeatedly over time, with attackers rotating between themed landing pages, including one mimicking Microsoft Teams and another styled after Norton security software, possibly to tailor delivery based on user location or browser attributes. Researchers stated that organizations should restrict software installations to an approved list, enforce strong credential hygiene, and remove RMM tools not needed for daily business use. Unauthorized RMM tools should be blocked through application control policies.
In the know
Abusing legitimate RMM software as a phishing payload is an established and growing tactic. According to The Hacker News, a separate campaign documented in November 2025 abused multiple RMM tools, including ScreenConnect, SimpleHelp, LogMeIn Resolve, and others, to breach US freight and logistics companies; attackers used the remote access to harvest credentials and ultimately coordinate physical cargo theft. The researchers who documented that campaign noted that RMM tools are attractive to attackers precisely because their installers are usually legitimately signed, which lets them pass antivirus and network detection that would flag traditional malware. Their assessment that "it's fairly easy for threat actors to create and distribute attacker-owned remote monitoring tools, and because they are often used as legitimate pieces of software, end users might be less suspicious of installing RMMs than other remote access trojans" applies equally to the healthcare sector, where remote access and IT management tools are routine parts of clinical and administrative operations.
The big picture
RMM-based phishing campaigns present a particular challenge for healthcare organizations because the tools themselves are legitimate, the installers are often signed, and the activity they generate after installation is indistinguishable from authorized IT support traffic. According to Paubox's Top 3 Healthcare Email Attacks report, phishing attacks succeed in healthcare because email security relies on users recognizing deception, and only 5% of known phishing attacks are reported to security teams. An employee who installs what appears to be a routine IT tool from a trusted-looking email has no clear signal that anything unusual has occurred, and the attacker's subsequent idle period means there is no immediate system behavior to detect. For healthcare organizations that manage patient records, billing systems, and clinical workflows through the same endpoints, undetected remote access of this kind carries direct protected health information exposure risk.
FAQs
Why do attackers use legitimate RMM tools rather than custom malware?
Legitimate RMM installers are signed by known software vendors, so they pass antivirus scans and operating-system reputation checks that would block unsigned or unknown binaries. Staff are also more likely to install a recognized tool than unknown software, and the post-installation activity generated by RMM platforms blends in with normal IT support traffic, making detection harder.
What is an initial access broker, and how does this campaign fit that model?
An initial access broker gains entry to a victim's systems and then sells that access on criminal marketplaces rather than exploiting it directly. The idle behavior observed in most campaign incidents, where attackers established remote access and then went quiet, matches that pattern, with the access likely packaged for sale to other threat actors.
How can organizations detect unauthorized RMM installations?
Application control policies can block execution of installers and agents that are not on an approved list. Network monitoring for outbound connections to RMM relay domains other than the organization's own tenant, and endpoint detection that flags newly registered Windows services with no matching change record, can surface unauthorized installations before attackers move to a second stage. In this campaign, the new service and the on-disk configuration pointing at the attacker's relay domain were the artifacts available to defenders while the attackers sat idle.
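The post-installation footprint described under "Going deeper" (a new Windows service for the agent and outbound traffic to an attacker-controlled relay domain) and the detection approach in this answer can be combined into a simple triage script. What follows is an added example written for this article, not code from the article, the cited researchers, or any RMM vendor. Every log line, hostname, service name, path and domain in it is constructed, and the RMM path markers, approved-service list, approved-relay list and baseline-domain list are assumptions standing in for an organization's own change records and allowlists.

```python
"""Detect unauthorized RMM agent installs and correlate them with the relay
domains they contact, over exported Windows service-install and DNS logs.

Added example written for this article; not code from the article, the
researchers it cites, or any RMM vendor. All log lines, hostnames, service
names, paths and domains below are constructed, and the allowlists are
assumptions standing in for an organization's own change records.
"""
from datetime import datetime, timedelta

# Heuristic (assumed): case-insensitive substrings that identify common RMM
# agent binaries in a service's image path. Tune to the products in use.
RMM_MARKERS = ("logmein", "screenconnect", "connectwise", "simplehelp")

# Assumed change-management record: RMM services IT deployed deliberately.
APPROVED_SERVICES = {"ScreenConnect Client (corp-it)"}

# Assumed allowlist: relay/endpoint domains of the organization's own RMM tenant.
APPROVED_RELAYS = {"rmm.corp-it.example"}

# Assumed baseline: domains the whole fleet resolves routinely (noise to drop).
BASELINE_DOMAINS = {"www.example.com"}

# Constructed SIEM export of System log Event ID 7045 (service installed):
# ts|host|event_id|service_name|image_path
SERVICE_EVENTS = """\
2025-10-14T09:12:03Z|WS-0441|7045|LMI Resolve Agent 8f3a2c|C:\\ProgramData\\LogMeIn Resolve\\8f3a2c\\ResolveAgent.exe
2025-10-14T11:02:17Z|WS-0102|7045|ScreenConnect Client (corp-it)|C:\\Program Files (x86)\\ScreenConnect Client (corp-it)\\ScreenConnect.ClientService.exe
2025-10-15T08:45:51Z|WS-0310|7045|Print Helper|C:\\Windows\\System32\\spoolsv.exe
"""

# Constructed resolver log: ts|host|qname
DNS_EVENTS = """\
2025-10-14T09:12:41Z|WS-0441|relay-7c1.invite-events.test
2025-10-14T09:13:05Z|WS-0441|www.example.com
2025-10-14T11:02:40Z|WS-0102|rmm.corp-it.example
2025-10-14T14:30:00Z|WS-0441|update.example-vendor.test
"""


def parse_pipe_log(text, fields):
    """Parse pipe-delimited rows into dicts; the last field may contain pipes."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split("|", len(fields) - 1)))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(rec)
    return rows


def is_rmm_binary(image_path):
    """True if the service binary path matches one of the RMM markers."""
    path = image_path.lower()
    return any(marker in path for marker in RMM_MARKERS)


def unauthorized_rmm_installs(service_text=SERVICE_EVENTS):
    """Event ID 7045 installs of RMM agents that have no change record."""
    fields = ("ts", "host", "event_id", "service", "image_path")
    return [e for e in parse_pipe_log(service_text, fields)
            if e["event_id"] == "7045"
            and is_rmm_binary(e["image_path"])
            and e["service"] not in APPROVED_SERVICES]


def correlate_relay_lookups(installs, dns_text=DNS_EVENTS,
                            window=timedelta(minutes=10)):
    """For each unauthorized install, list the names the same host resolved
    shortly afterwards that are neither approved relays nor fleet baseline:
    candidates for the attacker-controlled relay in the agent's config."""
    queries = parse_pipe_log(dns_text, ("ts", "host", "qname"))
    findings = []
    for inst in installs:
        start, end = inst["ts"], inst["ts"] + window
        suspects = sorted({q["qname"] for q in queries
                           if q["host"] == inst["host"]
                           and start <= q["ts"] <= end
                           and q["qname"] not in APPROVED_RELAYS
                           and q["qname"] not in BASELINE_DOMAINS})
        findings.append({
            "host": inst["host"],
            "service": inst["service"],
            "image_path": inst["image_path"],
            "installed": inst["ts"].isoformat(),
            "candidate_relays": suspects,
            "severity": "high" if suspects else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_relay_lookups(unauthorized_rmm_installs()):
        print(finding)
```

On real data the service rows would come from Event ID 7045 in the System log (exported from a SIEM or collected with Get-WinEvent) and the DNS rows from the resolver or proxy logs. The approved ScreenConnect service is recognized as an RMM binary but dropped because it has a change record, which is the allowlisting the article recommends; the unrecorded LogMeIn Resolve service followed within a minute by a lookup of a never-before-seen domain is the footprint of the idle first stage, which otherwise produces nothing to alert on.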
Why were some phishing emails sent from compromised trusted contacts?
Emails sent from known contacts bypass the suspicion that recipients apply to unknown senders. Compromised accounts give attackers a degree of inherited trust that is much harder to replicate with a fake domain, making recipients more likely to click a link or download an attachment without verifying the request through a separate channel.
What should healthcare staff do if they receive an unexpected invitation or document download request by email?
Recipients should verify any unexpected download request directly with the purported sender through a separate communication channel before clicking any link or executing any file, regardless of how familiar the sender appears. Any software installation request arriving via email should be routed through IT approval before execution.