Phishing Campaign Deploys LogMeIn RMM for Persistent Access
Summary
A phishing campaign leverages stolen credentials to deploy LogMeIn RMM software for persistent remote access. The attack involves two phases: credential theft via fake Greenvelope invitations and subsequent RMM deployment using compromised accounts. The attackers use the legitimate RMM tool to maintain access, altering service settings and creating hidden scheduled tasks to ensure persistence.
Timeline
- 23.01.2026 13:18 · 1 article
Phishing Campaign Deploys LogMeIn RMM for Persistent Access
- Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access — thehackernews.com — 23.01.2026 13:18
Information Snippets
- Attackers use fake Greenvelope invitations to steal Microsoft Outlook, Yahoo!, and AOL credentials.
  First reported: 23.01.2026 13:18 · 1 source, 1 article
  - Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access — thehackernews.com — 23.01.2026 13:18
- Stolen credentials are used to register with LogMeIn and generate RMM access tokens.
  First reported: 23.01.2026 13:18 · 1 source, 1 article
  - Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access — thehackernews.com — 23.01.2026 13:18
- The RMM tool LogMeIn Resolve (formerly GoTo Resolve) is deployed via an executable named 'GreenVelopeCard.exe'.
  First reported: 23.01.2026 13:18 · 1 source, 1 article
  - Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access — thehackernews.com — 23.01.2026 13:18
- The executable contains a JSON configuration to silently install and connect to an attacker-controlled URL.
  First reported: 23.01.2026 13:18 · 1 source, 1 article
  - Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access — thehackernews.com — 23.01.2026 13:18
- Attackers modify service settings for unrestricted access and create hidden scheduled tasks for persistence.
  First reported: 23.01.2026 13:18 · 1 source, 1 article
  - Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access — thehackernews.com — 23.01.2026 13:18