
Phishing-led RMM abuse campaign using fake PayPal alerts

Campaign
First reported
Last updated
Happening score: 38
1 unique source, 1 article

Summary


A phishing-led intrusion campaign is abusing legitimate RMM tools to move from personal accounts into corporate environments, creating stealthy remote access and persistence. The lure has shifted to fake PayPal warnings, replacing earlier seasonal or administrative messages with a higher-pressure financial theme. In one documented case, a user's personal PayPal account became the starting point for access that later expanded into a corporate foothold. The activity matters because the access can be hidden from EDR and potentially reused for broader compromise or resale.

Related Happenings

PayPal customer accounts hit by cyberattack

Incident
First: 20.02.2026 15:12 Last: 20.02.2026 15:12 Sources 1

About this happening: **PayPal** confirmed **unauthorized transactions** on the accounts of a **small number of customers**, adding direct financial harm to the broader breach. The company said it **is...

PayPal customers data exposed after PayPal breach

Data Leak
First: 20.02.2026 15:12 Last: 20.02.2026 15:12 Sources 1

About this happening: PayPal disclosed a **data leak** in its **PayPal Working Capital (PPWC) loan application** that exposed a **small number of customers' PII** for nearly **six months**. The exposed...

Greenvelope phishing-to-LogMeIn Resolve dual-vector campaign

Campaign
First: 23.01.2026 13:18 Last: 23.01.2026 13:18 Sources 1

About this happening: A **dual-vector phishing campaign** is using **fake Greenvelope invitations** and **stolen credentials** to establish **persistent remote access** on compromised hosts, turning le...

DeadLock ransomware uses Polygon smart contracts for proxy rotation

Malware Activity
First: 14.01.2026 16:20 Last: 14.01.2026 16:20 Sources 1

About this happening: **DeadLock ransomware** is now using **Polygon smart contracts** to rotate **proxy server addresses**, making its **C2** infrastructure harder to block. The activity has been seen...

Rising unjustified sensitive-data access by third-party web apps across leading websites

Target Trend
First: 14.01.2026 13:00 Last: 14.01.2026 13:00 Sources 1

About this happening: **Third-party applications** on **4,700 leading websites** are increasingly accessing sensitive data without a business need, raising web-exposure and over-permissioning risk acro...

Timeline

  1. 14.01.2026 18:00 1 article · 4mo ago

    MDR detects fake PayPal social engineering leading to RMM access

    Detection IoC Update

    On January 5, 2026, the affected organization's Managed Detection and Response team identified suspicious activity after a fraudulent PayPal email and phone-based social engineering led an employee to install legitimate remote access software. The intrusion began with LogMeIn Rescue and later pivoted to AnyDesk to maintain access, while no EDR alerts were triggered. Artifacts included multiple LogMeIn Rescue binaries, an active remote session, a scheduled task, and a startup shortcut disguised with a Gmail-style name.

  2. 14.01.2026 18:00 2 articles · 4mo ago

    CyberProof discloses a fake PayPal RMM intrusion wave

    Initial Disclosure

    CyberProof documented six phishing-led intrusions across customer environments, including one case where an employee’s personal PayPal account became the initial foothold before access expanded into the corporate environment. The advisory described a shift away from seasonal lures toward high-urgency financial themes and warned that attackers were abusing legitimate RMM tools such as LogMeIn Rescue and AnyDesk to evade detection and maintain persistence.

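The artifacts in the first timeline entry (a scheduled task, a startup shortcut with a Gmail-style name, and RMM binaries) are the kind of thing a hunt query can triage mechanically. The following is an added example, not code from the page or from CyberProof: a small Python triage routine that takes already-collected Windows persistence records and flags any that launch LogMeIn Rescue or AnyDesk, marking a finding as a masquerade when the artifact's display name does not match the tool it launches. The `Artifact` records, paths and file names below are constructed sample input, and the binary names are assumptions, not indicators from the advisory.

```python
"""Triage collected Windows artifacts for RMM-backed persistence (added example)."""
import re
from dataclasses import dataclass, field

# Tool name -> pattern matched against the launched target. Assumed binary
# naming; adjust to the inventory of RMM tools your environment actually uses.
RMM_PATTERNS = {
    "LogMeIn Rescue": re.compile(r"(lmi|logmein).*rescue", re.I),
    "AnyDesk": re.compile(r"anydesk", re.I),
}

@dataclass
class Artifact:
    kind: str    # "startup_shortcut", "scheduled_task" or "process"
    name: str    # display name: shortcut file name, task name or image name
    target: str  # command or executable path the artifact launches

def rmm_tool(text: str):
    """Return the RMM tool name referenced by text, or None."""
    for tool, pattern in RMM_PATTERNS.items():
        if pattern.search(text):
            return tool
    return None

def triage(artifacts):
    """Return findings for artifacts whose target is an RMM tool.

    Each finding carries flags: 'persistence' for autostart mechanisms and
    'masquerade' when the visible name hides which tool is launched (the
    Gmail-style startup shortcut pointing at AnyDesk is the canonical case).
    """
    findings = []
    for a in artifacts:
        tool = rmm_tool(a.target)
        if tool is None:
            continue
        flags = []
        if a.kind in ("startup_shortcut", "scheduled_task"):
            flags.append("persistence")
        if rmm_tool(a.name) != tool:
            flags.append("masquerade")
        findings.append({"kind": a.kind, "name": a.name, "tool": tool, "flags": flags})
    return findings

# Constructed sample records (not real artifacts from the case).
SAMPLE = [
    Artifact("startup_shortcut", "Gmail.lnk", r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe"),
    Artifact("scheduled_task", "AnyDesk Update", r"C:\ProgramData\AnyDesk\AnyDesk.exe --service"),
    Artifact("process", "Support-LogMeInRescue.exe", r"C:\Users\jdoe\Downloads\Support-LogMeInRescue.exe"),
    Artifact("startup_shortcut", "OneDrive.lnk", r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['kind']:17} {f['name']:28} -> {f['tool']:15} {', '.join(f['flags']) or '-'}")
```

Feed it the output of a startup-folder listing, `schtasks` export and process list collected by your EDR or MDR tooling; an artifact that is both `persistence` and `masquerade` is the highest-priority item to review.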