Hackers Utilizing Known Legitimate IT Tools for Remote Access Attacks

Hackers are distributing legitimate remote support tools as part of new attack campaigns, tricking victims into installing applications such as LogMeIn Resolve and PDQ Connect under the guise of common utilities or software updates.

Researchers at cybersecurity software and solutions provider Malwarebytes report a rise in cases where these tools are preconfigured to connect directly to an attacker-controlled environment, giving threat actors full remote access without deploying traditional malware.

They note an increase in detections labeled RiskWare.MisusedLegit.GoToResolve, indicating widespread attempts to disguise these remote-access tools as everyday downloads. The same installer has surfaced under multiple filenames, suggesting attackers are tailoring the lure to match the scenario or impersonated software.

One observed phishing email, sent to a target in Portugal, included a link that appeared to reference a document but actually directed the user to a file hosted on Dropbox. Using trusted services, such as Dropbox or legitimate RMM platforms, helps these campaigns bypass common filtering and makes the download appear authentic.

Other campaigns involve attackers creating fake download sites that mimic popular utilities such as Notepad++ and 7-Zip. Visitors who think they’re installing a common program instead receive an RMM installer already configured with the attacker’s unique CompanyId. This identifier automatically registers the victim device to the attacker’s management console, giving instant remote access without additional authentication or malware deployment.

Once installed, the tool blends into normal system activity:

  • RMM traffic often passes through firewalls without restriction
  • The software runs with administrative privileges
  • Remote activity appears similar to legitimate IT support
  • Attackers gain the ability to view the system, transfer files, and maintain persistence

This technique is effective because it relies entirely on trusted software. Instead of exploiting vulnerabilities, attackers depend on misleading filenames, impersonated websites, and deceptive messages to persuade the user to install the tool themselves.

As this method continues to grow in popularity, researchers emphasize the importance of verifying download sources and watching for unexpected remote-access tools appearing on a system, especially those that appear to be legitimate administrative utilities.
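The CompanyId-based auto-registration described above means the most useful telemetry is not "is an RMM agent present" but "is this agent one we license, enrolled in our tenant, and installed under its own name". The triage below is an added example, not Malwarebytes' or any vendor's code; the product display names, the allowlist, the tenant ids and the endpoint inventory records are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Remote-support products named in the report (display-name strings are assumptions).
RMM_PRODUCTS = {"goto resolve", "logmein resolve", "pdq connect"}

# Constructed allowlist: the RMM product this fictional org actually licenses.
APPROVED_RMM = {"pdq connect"}

# Lure names from the report: RMM installers passed off as common utilities or updates.
LURE_PATTERNS = re.compile(r"(notepad\+\+|npp|7-?zip|update|invoice|document)", re.I)


@dataclass
class Installer:
    host: str
    file_name: str     # name of the file the user executed
    product_name: str  # product name from the binary's version info
    company_id: str    # tenant / CompanyId the installer is preconfigured with


def review_installer(rec: Installer, approved_company_ids: set[str]) -> list[str]:
    """Return a list of findings for one executed installer (empty = nothing suspicious)."""
    findings = []
    product = rec.product_name.lower()
    if product not in RMM_PRODUCTS:
        return findings                      # not a remote-support tool; out of scope here
    if product not in APPROVED_RMM:
        findings.append("unapproved RMM product")
    elif rec.company_id not in approved_company_ids:
        findings.append("RMM tenant id not owned by this org")
    if LURE_PATTERNS.search(rec.file_name):
        findings.append("installer filename does not match product (lure)")
    return findings


def triage(records: list[Installer], approved_ids: set[str]) -> dict[str, list[str]]:
    """Map host -> findings for every record that raised at least one finding."""
    result = {}
    for rec in records:
        findings = review_installer(rec, approved_ids)
        if findings:
            result[rec.host] = findings
    return result


# Constructed inventory: one lure, one legitimate agent, one real 7-Zip, one rogue tenant.
SAMPLE = [
    Installer("ws-01", "npp.8.7.Installer.x64.exe", "GoTo Resolve", "C-ATTACKER-0001"),
    Installer("ws-02", "PDQConnectAgent.exe", "PDQ Connect", "C-ORG-0001"),
    Installer("ws-03", "7z2409-x64.exe", "7-Zip", ""),
    Installer("ws-04", "PDQConnectAgent.exe", "PDQ Connect", "C-UNKNOWN-0009"),
]
APPROVED_COMPANY_IDS = {"C-ORG-0001"}  # constructed: tenant ids this org owns
```

The third branch matters most: an agent that is the right product but enrolled in a tenant the organisation does not own is exactly what a preconfigured installer produces, and it is invisible to a check that only looks at product names.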

Visit Malwarebytes' official blog for the full technical analysis of this research.
