Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access
A new phishing campaign leverages stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software, specifically LogMeIn Resolve, to maintain persistent unauthorized access on compromised systems. The attack begins with phishing emails impersonating legitimate invitations in order to steal Microsoft Outlook, Yahoo!, and AOL credentials. Using these credentials, attackers register with LogMeIn to generate RMM access tokens and silently install the RMM tool via a signed executable. The deployed RMM software is configured to run with unrestricted privileges and is made persistent through hidden scheduled tasks, giving attackers continuous remote control. The technique bypasses traditional defenses by weaponizing a trusted IT administration tool rather than deploying custom malware. European organizations face risks of data exfiltration, espionage, and operational disruption. Monitoring for unauthorized RMM installations and anomalous RMM usage is critical for defense. The threat is rated medium severity because it depends on prior credential theft, but its impact is high if the chain succeeds.
AI Analysis
Technical Summary
This threat involves a sophisticated dual-vector phishing campaign that exploits stolen user credentials to deploy legitimate Remote Monitoring and Management (RMM) software, LogMeIn Resolve (formerly GoTo Resolve), as a persistent backdoor on victim systems. The attack starts with phishing emails masquerading as invitations from Greenvelope, a legitimate online-invitation platform, designed to harvest login credentials for popular email services such as Microsoft Outlook, Yahoo!, and AOL. Once credentials are compromised, attackers use them to register with LogMeIn and generate RMM access tokens that enable remote management. The attackers then deliver a signed executable named "GreenVelopeCard.exe" that carries a JSON configuration to silently install the LogMeIn RMM client and enroll it with attacker-controlled infrastructure without the user's awareness. The RMM software is configured to run with unrestricted system privileges, allowing attackers to change system settings, and persistence is maintained through hidden scheduled tasks that relaunch the RMM client if it is terminated. Because the binary is the vendor's own validly signed software, signature checks and traditional antivirus or endpoint controls have nothing to object to; detection has to rest on the deployment context (who installed the agent, from where, and whether it came through the sanctioned channel) rather than on the file itself. The campaign illustrates a broader shift away from custom malware toward abuse of legitimate IT management tools for stealthy, persistent access. Beyond this campaign itself, no wider adoption of the technique has been reported, but it poses significant risk if it spreads.
Potential Impact
For European organizations, this threat poses substantial risks including unauthorized persistent remote access, data theft, espionage, and potential disruption of IT operations. The use of legitimate RMM software complicates detection and response, increasing the likelihood of prolonged undetected intrusions. Sensitive data confidentiality and system integrity are at risk, especially in sectors with high-value intellectual property or critical infrastructure. Attackers gaining persistent access can move laterally within networks, escalate privileges, and deploy additional payloads or ransomware. The operational availability of systems may be compromised if attackers manipulate or disable security controls. Given the reliance on stolen credentials, organizations with weak credential hygiene or insufficient multi-factor authentication (MFA) are particularly vulnerable. The campaign’s stealthy nature may delay incident response, increasing potential damage and regulatory exposure under GDPR and other European data protection laws. The threat also underscores the need for stringent controls around RMM tool deployment and monitoring, especially in managed service provider (MSP) environments common in Europe.
Mitigation Recommendations
European organizations should implement multi-layered defenses focused on credential protection and RMM monitoring. Enforce strong multi-factor authentication (MFA) on all email accounts and on the organization's own RMM platform accounts; note that this does not affect an attacker-registered LogMeIn account, so any RMM agent that did not arrive through the approved deployment channel must be treated as unsanctioned regardless of its valid signature. Conduct regular phishing awareness training that covers invitation-style lures of this kind. Apply strict access controls and least privilege to RMM usage, limiting installation and execution rights to authorized personnel. Continuously monitor network and endpoint telemetry for RMM installations that bypassed the sanctioned deployment path, unusual service configurations, and hidden scheduled tasks indicative of persistence. Employ application allowlisting, but allow the RMM vendor's signed binaries only from the sanctioned install location rather than relying on file names such as "GreenVelopeCard.exe": the installer is the vendor's validly signed software under an arbitrary name, so a rule keyed on the name alone is trivially evaded by renaming. Integrate threat intelligence feeds to detect phishing URLs and domains associated with this campaign. Regularly audit RMM configurations and access logs for unauthorized changes or connections to unknown endpoints. Establish incident response playbooks that specifically address abuse of legitimate IT tools. Finally, segment networks to contain lateral movement from compromised hosts.
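As an added illustration of the monitoring advice above (example code written for this page, not from The Hacker News article or the underlying report), the following Python flags the two halves of the pattern over constructed telemetry: an RMM installer launched from a mail client or browser out of a user-writable path, and a hidden scheduled task whose action relaunches the RMM client. The sample events, paths, task names, the signer string "LogMeIn, Inc.", the sanctioned-deployer process names and the vendor-name patterns are all assumptions for the example; tune them against the real binaries and deployment agents in your estate. The point the code makes is that the file name and signature are not the signal; the deployment context is.

```python
"""Detection logic for the RMM-abuse pattern described above.

Runs over constructed telemetry shaped like Sysmon process-creation events
and Windows Security 4698 (scheduled task created) events. Every record,
path, task name and signer string here is made up for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed substrings identifying the RMM vendor in image paths or signer names.
RMM_NAME_PATTERNS = ("logmein", "goto", "resolve")
# Parents that hand a phishing payload to the user; an RMM installer under these is suspect.
PHISH_DELIVERY_PARENTS = {"outlook.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Hypothetical names of the sanctioned deployment agents; installs they start are expected.
SANCTIONED_DEPLOYERS = {"ccmexec.exe", "intune-agent.exe"}
# Locations an end user (rather than IT) would launch an installer from.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _mentions_rmm(text: str) -> bool:
    low = text.lower()
    return any(p in low for p in RMM_NAME_PATTERNS)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list[Finding]:
    """Flag RMM binaries that arrive outside the sanctioned deployment channel.

    The file name is attacker-chosen, so a *valid* vendor signature is what
    identifies the tool; that same valid signature is why AV stays quiet.
    """
    image, parent = ev["Image"], _basename(ev["ParentImage"])
    validly_signed = ev.get("SignatureStatus") == "Valid"
    is_rmm = _mentions_rmm(image) or (validly_signed and _mentions_rmm(ev.get("Signature", "")))
    if not is_rmm or parent in SANCTIONED_DEPLOYERS:
        return []
    host, found = ev["Computer"], []
    if parent in PHISH_DELIVERY_PARENTS:
        found.append(Finding(host, "rmm_launched_from_mail_or_browser", f"{parent} -> {image}"))
    if any(d in image.lower() for d in USER_WRITABLE_DIRS):
        found.append(Finding(host, "rmm_run_from_user_writable_path", image))
    return found


def check_task(ev: dict) -> list[Finding]:
    """Flag scheduled tasks whose action relaunches the RMM client; note hidden/elevated traits."""
    xml = ev["TaskContent"]
    cmd = re.search(r"<Command>(.*?)</Command>", xml, re.S)
    if not cmd or not _mentions_rmm(cmd.group(1)):
        return []
    traits = []
    if re.search(r"<Hidden>\s*true\s*</Hidden>", xml, re.I):
        traits.append("hidden")
    if "<RunLevel>HighestAvailable</RunLevel>" in xml:
        traits.append("elevated")
    rule = "hidden_task_relaunches_rmm" if "hidden" in traits else "task_relaunches_rmm"
    detail = f"{ev['TaskName']} [{', '.join(traits) or 'plain'}] -> {cmd.group(1).strip()}"
    return [Finding(ev["Computer"], rule, detail)]


def analyse(events: list[dict]) -> dict[str, dict]:
    """Run both checks per host; unsanctioned RMM launch plus hidden relaunch task is the full pattern."""
    per_host: dict[str, list[Finding]] = defaultdict(list)
    for ev in events:
        check = check_task if ev.get("EventID") == 4698 else check_process
        for f in check(ev):
            per_host[f.host].append(f)
    report = {}
    for host, findings in per_host.items():
        rules = {f.rule for f in findings}
        install_seen = bool(rules & {"rmm_launched_from_mail_or_browser", "rmm_run_from_user_writable_path"})
        severity = "high" if install_seen and "hidden_task_relaunches_rmm" in rules else "medium"
        report[host] = {"severity": severity, "findings": findings}
    return report


SAMPLE_EVENTS = [  # constructed sample telemetry, not real indicators
    {"EventID": 1, "Computer": "WS-ALICE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Users\alice\Downloads\GreenVelopeCard.exe",
     "Signature": "LogMeIn, Inc.", "SignatureStatus": "Valid"},   # signer string assumed
    {"EventID": 4698, "Computer": "WS-ALICE",
     "TaskName": r"\Microsoft\Windows\Maintenance\ResolveUpdate",  # made-up task name
     "TaskContent": "<Task><Principals><Principal><RunLevel>HighestAvailable</RunLevel>"
                    "</Principal></Principals><Settings><Hidden>true</Hidden></Settings>"
                    r"<Actions><Exec><Command>C:\ProgramData\GoTo\Resolve\agent.exe</Command>"
                    "</Exec></Actions></Task>"},
    # Sanctioned rollout by the endpoint-management agent: must stay silent.
    {"EventID": 1, "Computer": "WS-BOB", "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "Image": r"C:\Windows\ccmcache\a1\ResolveInstaller.exe",
     "Signature": "LogMeIn, Inc.", "SignatureStatus": "Valid"},
    # Hidden but unrelated maintenance task: must stay silent.
    {"EventID": 4698, "Computer": "WS-BOB", "TaskName": r"\Microsoft\Windows\Defender\Scan",
     "TaskContent": "<Task><Settings><Hidden>true</Hidden></Settings><Actions><Exec>"
                    r"<Command>C:\Program Files\Windows Defender\MpCmdRun.exe</Command>"
                    "</Exec></Actions></Task>"},
]

if __name__ == "__main__":
    for host, entry in analyse(SAMPLE_EVENTS).items():
        print(host, entry["severity"], [f.rule for f in entry["findings"]])
```

Run stand-alone it reports only WS-ALICE at high severity with all three rules, while the IT-driven install and the unrelated hidden task on WS-BOB produce nothing; the allowlist of sanctioned deployer parents is what keeps a rule like this from paging on every legitimate RMM rollout.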
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Article source: https://thehackernews.com/2026/01/phishing-attack-uses-stolen-credentials.html (fetched 2026-01-23 20:40 UTC, 889 words)
Threat ID: 6973dcc84623b1157c62f84a
Added to database: 1/23/2026, 8:40:40 PM
Last enriched: 1/23/2026, 8:41:32 PM
Last updated: 1/24/2026, 7:58:54 AM