Ever wonder why your inbox’s innocent-looking event invite might be plotting to turn your laptop into a hacker’s playground?
This phishing campaign — sneaky, persistent, and dressed up as Punchbowl RSVPs or tender bids — tricks users into downloading what looks like harmless LogMeIn Resolve. But nope. It’s a trojan horse for unattended remote access, letting attackers puppet your machine from afar. Sophos MDR teams spotted it late last year, and their deep dive reveals over 80 US orgs hit, mostly October-November 2025, though roots trace to April.
How Does a Party Invite Become a Backdoor?
Picture this: an email from a trusted sender (or a compromised one, which spreads the pain downstream to everyone who trusts that mailbox) blasts ‘SPECIAL INVITATION’ in the subject. Click the link? Straight to attacker sites like mastorpasstop.top or evitesecured.top, serving up legit LogMeIn Resolve binaries, prepped to phone home to the bad guy’s account.
They switch themes too — Microsoft Teams one day, Norton the next — maybe tailoring to your browser or just lazy updates. Filenames scream legitimacy: Invitation.exe, SPCL_INVITE_RSVP_2025.exe, even ContractAgreementToSign.exe. Run it, and bam: a Windows service registers, config file drops with attacker relay details. Unseen, unattended access granted.
“Sophos’ Managed Detection and Response (MDR) teams reported on a phishing campaign late last year that attempted to trick users into installing LogMeIn Resolve (formerly GoToResolve), a remote monitoring and management (RMM) tool, to acquire remote unattended access.”
That’s Sophos nailing it — straight from their report. And here’s the kicker: most times, attackers stop there. They lurk. Test the door. Sell access as initial access brokers on dark web bazaars. Dormant, waiting for the perfect moment — or your detection slip-up.
But.
In two wild cases, they didn’t wait.
What Explosive Payloads Follow the Invite?
First incident: post-LogMeIn, they fire up ScreenConnect (pre-existing or fresh) to fetch an infostealer. Credentials, cookies, crypto wallets — poof, harvested. The second? Another legit RMM tool, chaining access deeper.
Sophos tags this STAC6405. It echoes Red Canary’s findings on similar ops: the sites check the visitor’s user agent, block anything that isn’t Windows or Android, and serve error pages on a mismatch. But Sophos grabbed payloads anyway. Campaign’s alive; some phishing links still hum as of now.
Think of it like the Wild West gold rush of the 1800s — back then, claim jumpers snuck in via fake deeds. Today, RMM tools are the new deeds. Legit software, abused ruthlessly in hybrid work’s trust vacuum. My bold call? This isn’t a blip. As AI agents demand smooth remote ops, RMM phishing explodes — unless we mandate session attestations, like WebAuthn on steroids. Sophos spins it as ‘interesting aspects,’ but c’mon, it’s a wake-up siren for IT admins asleep at the wheel.
And the distribution sites? .ru[.]com subdomains early, now evite nods everywhere. Effort in branding — Teams green, Norton shields — shows pros at work, not script kiddies.
Why Can’t We Just Block RMM Tools?
They’re everywhere. Legit IT helpdesks rely on LogMeIn, ScreenConnect — banning ‘em kills productivity. Attackers bank on that. Initial access? Gold. No ransomware blast, just quiet persistence. Over 80 orgs, multi-sector, US-heavy. Sectors? Who knows — Sophos mum, but imagine finance, healthcare endpoints now puppeted.
We saw invites morph: Punchbowl fakes, bid lures. Compromised third-parties amplify reach. Unknown senders too. It’s adaptive, low-noise — perfect for IABs hawking logins.
One para wonder: Victims linger undetected.
This mirrors the 2010s Remote Access Trojan (RAT) boom, but RMMs are stealthier — baked-in legitimacy dodges AV. Prediction: 2026 sees RMM supply-chain hits, poisoned updates. Defend now: email filters on .exe attachments, RMM allowlists with behavioral baselines. MDR like Sophos? Lifesaver — but pricey for SMBs.
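Added example, not code from Sophos’ report or from this post: a Python detection sketch that turns the “RMM allowlist” advice into something you can run over service-install records (the shape of a Windows System event 7045, “a service was installed”) and proxy log lines, using the lure file names and distribution domains named above. The record formats, hostnames, the allowlist entry ‘ScreenConnect Client (helpdesk-tenant)’, and the user-writable-path rule are assumptions constructed for the example.

```python
"""Added detection sketch (not Sophos code): score RMM service installs and
download URLs against an approved-tool allowlist and the lure indicators named
in the write-up. Every sample record below is constructed for the example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple
from urllib.parse import urlparse

# Hypothetical allowlist: exact service names the helpdesk has sanctioned.
APPROVED_RMM_SERVICES = {"ScreenConnect Client (helpdesk-tenant)"}

# Product markers from the campaign; a new service carrying one of these that is
# not on the allowlist deserves a ticket even if the binary is legitimate.
RMM_MARKERS = ("logmein", "goto", "resolve", "screenconnect")

# Distribution hosts named in the report, plus the early ".ru.com" subdomain style.
KNOWN_LURE_DOMAINS = {"mastorpasstop.top", "evitesecured.top"}
LURE_DOMAIN_RE = re.compile(r"\.ru\.com$", re.IGNORECASE)

# Lure file names seen in the campaign share invite/RSVP/contract wording.
LURE_NAME_RE = re.compile(r"(invit|rsvp|contract|agreement|tosign)[^\\/]*\.exe$", re.IGNORECASE)

# Assumed rule: a deployed RMM agent should never run from a user-writable folder.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\|\\Temp\\", re.IGNORECASE)

# Constructed service-install records: (host, service name, image path).
SERVICE_EVENTS: List[Tuple[str, str, str]] = [
    ("WS-042", "LogMeIn Resolve Unattended Host", r"C:\Users\alice\Downloads\SPCL_INVITE_RSVP_2025.exe"),
    ("WS-017", "ScreenConnect Client (helpdesk-tenant)", r"C:\Program Files (x86)\ScreenConnect\ScreenConnect.ClientService.exe"),
    ("WS-099", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

# Constructed proxy lines: "<timestamp> <host> <method> <url> <status>".
PROXY_LINES = [
    "2025-11-03T14:02:11Z WS-042 GET https://evitesecured.top/invite/Invitation.exe 200",
    "2025-11-03T14:10:45Z WS-017 GET https://www.example.com/index.html 200",
    "2025-11-04T09:31:02Z WS-055 GET https://login.some-tenant.ru.com/ContractAgreementToSign.exe 200",
]


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    reason: str


def is_lure_name(path: str) -> bool:
    """True when the file's base name matches the invite/contract lure pattern."""
    name = re.split(r"[\\/]", path)[-1]
    return bool(LURE_NAME_RE.search(name))


def classify_service(host: str, service_name: str, image_path: str) -> Optional[Finding]:
    """Flag a service install that is an unsanctioned RMM agent or a lure binary."""
    lowered = service_name.lower()
    looks_rmm = any(marker in lowered for marker in RMM_MARKERS)
    if looks_rmm and service_name in APPROVED_RMM_SERVICES:
        return None  # approved tool registered under its approved name
    reasons = []
    if looks_rmm:
        reasons.append(f"RMM service '{service_name}' not on allowlist")
    if is_lure_name(image_path):
        reasons.append(f"lure-style binary registered as a service: {image_path}")
    if reasons and USER_WRITABLE_RE.search(image_path):
        reasons.append("image path is user-writable, so this was not an admin deployment")
    return Finding(host, "high", "; ".join(reasons)) if reasons else None


def classify_url(line: str) -> Optional[Finding]:
    """Flag a proxy line fetching from a lure domain or pulling a lure-named .exe."""
    parts = line.split()
    if len(parts) < 5:
        return None
    host, url = parts[1], parts[3]
    parsed = urlparse(url)
    domain = (parsed.hostname or "").lower()
    reasons = []
    if domain in KNOWN_LURE_DOMAINS or LURE_DOMAIN_RE.search(domain):
        reasons.append(f"download from known lure domain {domain}")
    if is_lure_name(parsed.path):
        reasons.append(f"lure-named executable fetched: {parsed.path}")
    if not reasons:
        return None
    severity = "high" if domain in KNOWN_LURE_DOMAINS else "medium"
    return Finding(host, severity, "; ".join(reasons))


def run(service_events: Sequence[Tuple[str, str, str]], proxy_lines: Sequence[str]) -> List[Finding]:
    """Run both classifiers and return every finding, services first."""
    findings = [f for e in service_events if (f := classify_service(*e))]
    findings += [f for line in proxy_lines if (f := classify_url(line))]
    return findings


if __name__ == "__main__":
    for f in run(SERVICE_EVENTS, PROXY_LINES):
        print(f"[{f.severity}] {f.host}: {f.reason}")
```

The point of the allowlist check is that the binary itself is clean, so hash- or signature-based AV has nothing to say; what distinguishes the helpdesk’s agent from the attacker’s is the service name, the tenant it points at, and where on disk it was launched from. Feed it real 7045 records and proxy exports instead of the constructed lists, and tune the name regex to the lures you actually see.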
Sophos confirms others’ research, active links scream urgency. No nation-state flair, just profit-driven crews.
Here’s the messy truth — we’re in a platform shift where remote tools are the new USB sticks. Vulnerable. Exploitable. But with wonder: AI-driven anomaly detection could flip this, spotting ‘invite.exe’ sessions before they burrow.
Frequently Asked Questions
What is the LogMeIn Resolve phishing campaign?
It’s a phishing op using fake invites to drop RMM tools for remote access, tracked as STAC6405 by Sophos, hitting 80+ orgs.
How do attackers use RMM tools like ScreenConnect after initial access?
They chain to download infostealers or more RMMs, grabbing data or expanding footholds without immediate noise.
Is the fake invite malware campaign still active?
Yes — some phishing links remain live, per Sophos’ latest checks.