Listen to this Post

Introduction:
In a striking example of cybercriminal ingenuity, attackers are now abusing trusted IT management tools to gain stealthy remote access to systems. Rather than relying on traditional malware, these threat actors are disguising themselves within legitimate software, making detection and defense far more challenging. Recent findings by AhnLab Security Intelligence Center (ASEC) reveal how utilities like LogMeIn Resolve (GoTo Resolve) and PDQ Connect are being manipulated to create powerful backdoors, putting both individual users and organizations at risk.
Attackers Masquerade as Trusted Software Providers
Cybersecurity researchers have uncovered a sophisticated campaign that exploits Remote Monitoring and Management (RMM) tools. Threat actors craft deceptive websites mimicking download pages for popular utilities such as Notepad++, 7-Zip, and WinRAR, enticing unsuspecting users to install what appears to be authentic software. Filenames like “notepad++.exe,” “winrar.exe,” “chatgpt.exe,” and “windows12_installer.exe” are used to make malicious downloads look legitimate.
Once installed, the software deploys an RMM client preconfigured to grant attackers remote control. This is not a simple malware drop; the LogMeIn Resolve client, a legitimate IT management solution, is modified so the “CompanyId” field links directly to the attackers’ infrastructure. Analysts have identified three distinct CompanyId values, revealing how threat actors organize and maintain their footholds.
From Legitimate Support Tools to Hidden Backdoors
LogMeIn Resolve and PDQ Connect provide essential remote administration functions—remote control, patch management, and monitoring—but attackers exploit these features to bypass antivirus and firewall protections. After installation, the attackers can execute PowerShell commands to deliver their primary payload: PatoRAT, a Delphi-based backdoor with advanced surveillance and control capabilities.
PatoRAT’s configuration is XOR-encrypted, storing client tags, mutex names, and lists of command-and-control (C&C) servers. Portions of its code and debug strings are written in Portuguese, indicating potential regional origins or operational ties. Once active, PatoRAT exfiltrates sensitive system information, including CPU and OS data, credentials, location, and live memory statistics. Its functionalities extend to keylogging, screen capture, browser credential theft, remote desktop access, clipboard and mouse control, plugin delivery, QR code scanning, and even port forwarding.
Defensive Measures Organizations Must Consider
This campaign highlights a disturbing trend: attackers abusing legitimate IT tools to circumvent traditional malware detection. ASEC recommends that users and organizations only download software from verified vendor sites and confirm digital signatures. Monitoring for suspicious RMM installations, applying regular OS and security updates, and maintaining multi-layered threat detection strategies are critical for protection.
The technical sophistication behind these attacks—using trusted IT software as both delivery vector and remote backdoor—underscores the urgent need for careful software sourcing and constant vigilance in cybersecurity operations.
What Undercode Say:
This campaign demonstrates a paradigm shift in how attackers operate, leveraging legitimate IT infrastructure for malicious purposes. Unlike conventional malware, these attacks are harder to detect because they appear as genuine administrative tools. Organizations relying on RMM tools must recognize the inherent risk: any remote access software can be weaponized if its installation and configuration are hijacked.
The use of multiple “CompanyId” values suggests that attackers are building modular, scalable operations, enabling them to control and monitor compromised systems efficiently. Furthermore, the XOR-encrypted configuration of PatoRAT indicates that even sophisticated security software might struggle to detect and decode payloads in real-time, emphasizing the need for behavioral monitoring over signature-based detection.
The inclusion of Portuguese code elements hints at possible regional targeting or development hubs, showing the increasingly globalized nature of cybercrime. Analysts and security teams should consider both the technical and geopolitical dimensions of such campaigns.
Moreover, the attackers’ ability to execute complex actions—including keylogging, clipboard manipulation, remote desktop access, and plugin delivery—illustrates the broad spectrum of potential damage. They can extract credentials, harvest sensitive business data, and manipulate system operations without immediate detection. The threat landscape is evolving toward stealth and sophistication rather than overt disruption.
For IT departments, the challenge is twofold: securing endpoints and monitoring administrative tools continuously. Automated alerts for anomalous RMM client activity, regular audits of installed software, and user education on verifying download sources become essential. Threat actors now target human trust as much as technical vulnerabilities, meaning that cybersecurity strategy must include social engineering countermeasures alongside technical defenses.
Additionally, enterprises must adopt a zero-trust mindset for remote management tools. Every RMM installation should be treated as potentially untrusted until verified, and access permissions should be tightly controlled. Incident response protocols must be updated to account for the possibility that legitimate-looking software could act as a backdoor.
This case also signals an urgent need for threat intelligence sharing. By mapping known “CompanyId” values and sharing insights across organizations, security teams can detect campaigns early and preempt lateral movement. The integration of threat intelligence into endpoint detection and response (EDR) systems can help organizations identify malicious RMM configurations before attackers gain full control.
Finally, the campaign reflects broader industry trends: attackers are increasingly investing in stealth, persistence, and modularity rather than speed or visibility. This requires a shift in cybersecurity mindset from reactive defenses to proactive threat hunting, emphasizing behavior analysis, anomaly detection, and continuous monitoring of IT management tools.
🔍 Fact Checker Results
✅ Attackers are using fake software downloads to distribute RMM tools.
✅ PatoRAT is a Delphi-based backdoor with extensive remote capabilities.
❌ This campaign does not rely on traditional malware signatures alone; standard antivirus may fail to detect it.
📊 Prediction
Given the technical sophistication and stealth of these campaigns, similar attacks are likely to increase across enterprise environments. Organizations using remote management tools will become prime targets, forcing IT teams to implement more rigorous verification processes and behavioral monitoring. As attackers continue to exploit trusted software, the future of endpoint security will depend on proactive threat hunting, real-time anomaly detection, and collaborative intelligence sharing. Expect growth in RMM-targeted attacks over the next 12–18 months.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




