Full Report
Prolific threat actor delivering RMM packages using variety of lures, including seasonal party invites
Analysis Summary
# Threat Actor: Prolific RMM Distributor (Unnamed)
## Attribution & Identity
* The actor is described as a "Prolific threat actor" known for specializing in using Remote Management and Monitoring (RMM) software for initial access and post-compromise activity.
* No specific named group or nation-state attribution is provided in the article.
## Activity Summary
* The campaign has been active since at least April 2025.
* The actor consistently uses phishing emails with various lures to trick targets into downloading malicious executable or MSI installer files.
* **Recent Lures:** Holiday party invites ("Party Invitation," "December Holiday Party"), invoices, tax correspondence, payment overdue notices, Zoom meeting invites, and documents needing signatures.
* **Evolving Tactic:** Initially focused on distributing ScreenConnect, the actor has evolved to install multiple, often redundant, RMM tools over time on the same compromised machine (e.g., installing SimpleHelp in June, PDQ/Atera in August, and LogMeIn Resolve/Naverisk since October).
* **Observed Post-Compromise Pattern (Example):** Initial compromise with ScreenConnect → installation of a secondary toolset → later installation of other RMMs (LogMeIn Resolve, Naverisk), potentially weeks apart.
* **Motivation/Objective:** Primary motivation appears to be establishing persistent access and credential theft, with the ultimate goal possibly being selling access to other threat actors (e.g., for ransomware deployment). Increasing dwell time is also suspected.
## Tactics, Techniques & Procedures
* **Initial Access:** Spearphishing via emails utilizing deceptive lures (T1566.001 - Phishing: Spearphishing Attachment/Link).
* **Execution:** Delivery of malicious URLs linking to setup executables or signed MSI installers.
* **Persistence/Defense Evasion:** Installation of multiple, non-simultaneous RMM tools to maintain redundancy or circumvent detection/license expiry.
* **Discovery/Credential Access:** Deployment of tools like `WebBrowserPassView` (for password harvesting) and `Defender Control` (for disabling security).
* **Defense Evasion:** Use of `HideMouse.exe` to conceal remote mouse cursor movement, hiding evidence of their remote presence.
* **MITRE ATT&CK IDs (Implied/Explicit):**
  * Remote Management: Use of multiple legitimate RMM tools (ScreenConnect, LogMeIn Resolve, Naverisk, SimpleHelp, PDQ, Atera).
  * T1059 (Command and Scripting Interpreter) likely used during the RMM sessions.
## Targeting
* **Sectors:** Not explicitly specified, but the use of invoices/tax correspondence suggests a broad focus on organizations that handle finance/documentation.
* **Geography:** Not explicitly specified. The only geographic signal is that download URLs used Turkish (.tr) and Portuguese (.pt) domains/servers for hosting, which indicates where payloads were staged rather than who was targeted.
* **Victims:** No specific victim organizations were named, only descriptions of how compromises unfolded within certain organizations.
## Tools & Infrastructure
* **Malware Families (Primary Initial Vector):** ScreenConnect (ConnectWise)
* **Malware Families (Additional RMMs Deployed):** LogMeIn Resolve (formerly GoTo Resolve), Naverisk, SimpleHelp, PDQ, Atera.
* **Post-Exploitation Toolset:**
  * `HideMouse.exe` (Hides mouse cursor)
  * `WebBrowserPassView` (Credential harvesting)
  * `Defender Control` (Disables Windows Defender)
  * `Hidefromcontrolpanel`, `PhoneLinkLauncher`, `Windowspasskey` (Unanalyzed)
* **Infrastructure (Examples of Download Locations - Defanged):**
  * `file-eu-par-1[.]gofile[.]io`
  * `otoaydinlatma[.]com[.]tr`
  * `pcway[.]pt`
  * `pub-cf31a0787efb46aa9b06228ed4f30934[.]r2[.]dev`
  * `dropboxusercontent[.]com` (via Dropbox sharing links)
  * `transformedhost[.]com`
## Implications
This actor poses a significant risk due to its focus on establishing deep, redundant, and long-term persistence across victim environments using commercially available, legitimate RMM tools. This "living off the land" approach with RMMs complicates detection and remediation. The actor acts as a potential initial access broker, selling established footholds to higher-tier criminal groups.
## Mitigations
* **Monitor RMM Deployments:** Implement stringent change control and monitoring for the installation of new, unauthorized, or secondary/tertiary RMM solutions on endpoints, especially outside of standard IT change windows.
* **Audit Legitimate Tools:** Audit existing RMM installations (ScreenConnect, LogMeIn, etc.) for unauthorized configuration changes or unexpected software additions initiated by compromised sessions.
* **Inspect Attachments/Links:** Enhance email gateway scanning and user training specifically targeting file types like `.exe` and `.msi` delivered via seasonal/socially engineered lures (party invites, invoices).
* **Restrict Execution:** Implement application control policies to restrict the execution of utilities known for security disabling (`Defender Control`) or credential dumping (`WebBrowserPassView`).
* **Investigate Anomalous Process Chain:** Be vigilant for processes where a recognized installer (MSI) eventually leads to the execution of tools designed to hide activity (`HideMouse.exe`).
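The two detection opportunities above (several distinct RMM products appearing on one host over weeks, and an activity-hiding tool executing under an MSI installer or RMM agent) can be expressed as correlation logic over endpoint telemetry. The script below is an added example written for this summary, not code from the original report or from any vendor; the pipe-delimited log format, host names, PIDs and timestamps are constructed, and the `RMM_FAMILIES` name-matching table is an assumption about how installed products are labelled in an inventory feed. Map the field names to your EDR's schema before use.

```python
"""Correlate constructed endpoint telemetry for the redundant-RMM and
MSI -> hiding-tool patterns described in the report (added example)."""
from collections import defaultdict
from datetime import datetime

# Product-name fragments for the RMM tools named in the report (assumed naming).
RMM_FAMILIES = {
    "screenconnect": "ScreenConnect",
    "simplehelp": "SimpleHelp",
    "pdq": "PDQ",
    "atera": "Atera",
    "logmein resolve": "LogMeIn Resolve",
    "gotoresolve": "LogMeIn Resolve",
    "naverisk": "Naverisk",
}
# Post-exploitation tools listed in the report (image names are assumed).
SUSPICIOUS_TOOLS = {"hidemouse.exe", "webbrowserpassview.exe", "defendercontrol.exe"}
INSTALLER_IMAGES = {"msiexec.exe"}

# Constructed telemetry: all values below are made up for the example.
#   install record: ts|host|install|<product name>
#   process record: ts|host|proc|<pid>|<ppid>|<image>
SAMPLE_LOG = """
2025-04-14T09:12:00|WS-0417|install|ScreenConnect Client (a1b2c3)
2025-06-03T11:40:00|WS-0417|install|SimpleHelp Remote Access
2025-10-21T15:05:00|WS-0417|install|LogMeIn Resolve
2025-10-21T15:06:10|WS-0417|proc|4120|612|msiexec.exe
2025-10-21T15:06:12|WS-0417|proc|4188|4120|cmd.exe
2025-10-21T15:06:15|WS-0417|proc|4210|4188|HideMouse.exe
2025-07-02T08:00:00|WS-0902|install|Atera Agent
2025-07-02T08:05:00|WS-0902|proc|3001|700|explorer.exe
2025-07-02T08:06:00|WS-0902|proc|3050|3001|notepad.exe
"""


def classify_rmm(name):
    """Return the RMM family a product or image name belongs to, or None."""
    lowered = name.lower()
    for fragment, family in RMM_FAMILIES.items():
        if fragment in lowered:
            return family
    return None


def parse_events(lines):
    """Parse the constructed pipe-delimited records into dicts."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        base = {"ts": datetime.fromisoformat(fields[0]), "host": fields[1], "kind": fields[2]}
        if fields[2] == "install":
            base["product"] = fields[3]
        elif fields[2] == "proc":
            base.update(pid=int(fields[3]), ppid=int(fields[4]), image=fields[5].lower())
        events.append(base)
    return events


def find_redundant_rmm(events, min_families=2):
    """Flag hosts where at least min_families distinct RMM products were installed,
    reporting how many days separate the first and last family's arrival."""
    first_seen = defaultdict(dict)  # host -> family -> first install time
    for e in events:
        if e["kind"] != "install":
            continue
        family = classify_rmm(e["product"])
        if family and family not in first_seen[e["host"]]:
            first_seen[e["host"]][family] = e["ts"]
    findings = []
    for host, families in sorted(first_seen.items()):
        if len(families) >= min_families:
            times = sorted(families.values())
            findings.append({"host": host, "families": sorted(families),
                             "span_days": (times[-1] - times[0]).days})
    return findings


def find_hidden_activity_chain(events, max_depth=10):
    """Walk each suspicious tool's ancestry; flag it if an installer or RMM agent
    appears within max_depth parents. Assumes PIDs are not reused in the window."""
    procs = defaultdict(dict)  # host -> pid -> (image, ppid)
    for e in events:
        if e["kind"] == "proc":
            procs[e["host"]][e["pid"]] = (e["image"], e["ppid"])
    findings = []
    for host, table in sorted(procs.items()):
        for pid, (image, ppid) in table.items():
            if image not in SUSPICIOUS_TOOLS:
                continue
            chain, current = [image], ppid
            for _ in range(max_depth):
                if current not in table:
                    break
                anc_image, anc_ppid = table[current]
                chain.append(anc_image)
                if anc_image in INSTALLER_IMAGES or classify_rmm(anc_image):
                    findings.append({"host": host, "tool": image, "chain": " <- ".join(chain)})
                    break
                current = anc_ppid
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG.splitlines())
    for f in find_redundant_rmm(evts) + find_hidden_activity_chain(evts):
        print(f)
```

On the constructed data the first rule fires once, for the host that accumulated ScreenConnect, SimpleHelp and LogMeIn Resolve over 190 days, and the second rule reports `hidemouse.exe <- cmd.exe <- msiexec.exe`; the single-RMM host is left alone. In production the install feed would come from software inventory or installer event logs and the process table from EDR telemetry, and the ancestry walk should key on a unique process GUID rather than a raw PID.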