Organizations across the United States have become targets of a sophisticated multi-stage phishing campaign that leverages legitimate remote monitoring and management (RMM) tools, including LogMeIn Resolve and ScreenConnect, to bypass security measures and gain illicit access. The operation, which began as early as April 2025 with a surge in activity between October and November of the same year, has impacted over 80 organizations spanning various industries. Threat actors initiate contact through deceptive phishing emails, some appearing to originate from trusted contacts, while others come from unknown senders, often disguised as event invitations or tender solicitations.
These malicious emails contain links directing recipients to attacker-controlled websites. These sites host legitimate LogMeIn Resolve installers pre-configured to connect the victim’s device to an attacker-controlled account. Sophos analysts, tracking the activity as STAC6405, observed the attackers repeatedly altering their distribution infrastructure and employing themed landing pages that mimicked services like Microsoft Teams and Norton security software, suggesting a strategy to enhance credibility based on user perception or location.
Threat Actors Abuse LogMeIn Resolve and ScreenConnect in Multi-Stage Phishing Attacks
The downloaded executable files were named to appear innocuous, such as “Invitation.exe,” “ContractAgreementToSign.exe,” and “statmtsPDF10.25.exe.” When a victim ran one, the LogMeIn Resolve agent silently installed and registered the device to the attacker’s infrastructure. The agent then connected out through a hard-coded relay domain, giving the attackers unattended remote access. For many of these intrusions the activity stopped at initial access, a pattern typical of initial access brokers, who sell these compromised credentials on dark web marketplaces for further exploitation.
However, in a more advanced phase observed in two distinct incidents, threat actors escalated their activities significantly. In one instance, they exploited an existing ScreenConnect installation on the victim’s machine. This allowed them to download a ZIP archive containing “HideMouse.exe,” a utility designed to obscure remote activity by making the mouse cursor transparent, and “87766713.exe,” identified by Sophos researchers as malware behaviorally similar to ValleyRAT. This infostealer employed a deliberate delay of four to nine minutes before executing, a maneuver intended to evade sandbox and heuristic detection systems.
Following this delay, the malware injected code into “csc.exe,” a legitimate Microsoft binary commonly abused as a living-off-the-land binary (LOLBin). Running inside that process, the malware communicated with a command-and-control server and began exfiltrating sensitive data, including browser credentials, session tokens, cryptocurrency wallet information, and system details. An embedded encrypted payload was subsequently decrypted at runtime using Triple DES (3DES).
In the second observed escalation, the downloaded binary initiated a ScreenConnect client as a service alongside a Java-based remote access tool. The attacker then proceeded to enumerate firewall rules on the network before security professionals and the affected organization could contain the breach. This progression highlights the evolving tactics of threat actors utilizing trusted software for malicious purposes.
Given these findings, organizations are strongly advised to implement robust security measures. Restricting software installations to an approved vendor list and enforcing strong credential hygiene through secure password managers or passkeys are crucial. Furthermore, the removal of any unused RMM tools like LogMeIn, or blocking them through application control policies if not essential for daily operations, can significantly reduce the attack surface. Promptly blocking all identified URLs and indicators of compromise associated with this campaign across all network entry points is also a critical step in preventing further compromise.
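The advice above (an approved-vendor list for software, removing or blocking unused RMM tools) can be turned into hunting logic over process-creation telemetry. The following Python is an added example written for this article, not code from Sophos or the vendors named; the event field names, the approved-vendor policy (ScreenConnect approved, LogMeIn not in use), the benign parents of csc.exe, and the sample events are all assumptions, while the lure file names come from the report.

```python
from dataclasses import dataclass

# Lure installer names reported in the campaign (from the article).
LURE_NAMES = {"invitation.exe", "contractagreementtosign.exe", "statmtspdf10.25.exe"}
# Signer substring -> product. Which vendors are approved is an assumed local policy:
# here ScreenConnect is approved for the help desk and LogMeIn is not in use.
RMM_PUBLISHERS = {"logmein": "LogMeIn Resolve", "connectwise": "ScreenConnect"}
APPROVED_RMM = {"connectwise"}
# Parents that legitimately launch csc.exe (assumed allowlist; tune per estate).
BENIGN_CSC_PARENTS = {"msbuild.exe", "devenv.exe", "powershell.exe", "w3wp.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

@dataclass
class ProcEvent:
    image: str      # full path of the new process
    parent: str     # full path of its parent
    publisher: str  # signer from the Authenticode certificate, "" if unsigned

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def assess(ev: ProcEvent) -> list[str]:
    """Return findings for one process-creation event (empty list = nothing noted)."""
    image, parent = ev.image.lower(), ev.parent.lower()
    name, parent_name, pub = _basename(image), _basename(parent), ev.publisher.lower()
    findings = []
    if name in LURE_NAMES:
        findings.append("known lure filename")
    for signer, product in RMM_PUBLISHERS.items():
        if signer in pub:
            if signer not in APPROVED_RMM:
                findings.append(f"unapproved RMM vendor: {product}")
            if any(d in image for d in USER_WRITABLE):
                findings.append(f"{product} running from user-writable path")
    # Heuristic for the csc.exe injection step: a build tool spawned by an unsigned-looking
    # parent living in a user-writable directory rather than by a known build host.
    if name == "csc.exe" and parent_name not in BENIGN_CSC_PARENTS \
            and any(d in parent for d in USER_WRITABLE):
        findings.append("csc.exe spawned by non-build parent in user-writable path")
    return findings

def hunt(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map image path -> findings for every event that produced at least one."""
    return {ev.image: f for ev in events if (f := assess(ev))}

# Constructed sample telemetry mirroring the chain described above (not real logs).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\alice\Downloads\Invitation.exe", r"C:\Windows\explorer.exe", "LogMeIn, Inc."),
    ProcEvent(r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
              r"C:\Windows\System32\services.exe", "Connectwise, LLC"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Users\alice\AppData\Local\Temp\87766713.exe", "Microsoft Corporation"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Program Files\dotnet\MSBuild.exe", "Microsoft Corporation"),
]

if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(findings))
```

Note that the approved ScreenConnect service produces no finding even though the report shows an existing ScreenConnect install being abused: allowlisting limits the attack surface but does not replace monitoring of approved tools.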