Security researchers have identified a two-stage attack that uses phished login credentials to install a legitimate remote management tool for long-term system access. By masquerading as a digital invitation service, the attackers trick users into handing over account credentials, which are then used to deploy legitimate software as a persistent, hidden backdoor.
The campaign moves away from traditional malware in favor of abusing trusted administrative tools. With a user's login credentials in hand, the attackers can bypass perimeter defenses and repurpose Remote Monitoring and Management (RMM) software. This turns legitimate IT utilities into persistent entry points, using the organization's own tooling against it to maintain a foothold on compromised hosts.
The operation begins with a phishing wave designed to harvest credentials. Using deceptive emails that mimic invitations from the Greenvelope platform, the threat actors lure recipients into clicking malicious links. The fake portals behind those links are built to steal login data for major email providers, including Microsoft Outlook, Yahoo, and AOL. Once the attackers hold these credentials, they have what they need for the second, more invasive phase of the attack.
In that stage, the attackers use the stolen email accounts to register for LogMeIn services, which lets them generate genuine access tokens for the remote management software. They then deliver an executable, often named GreenVelopeCard.exe, that appears to be a harmless invitation file but is actually the delivery mechanism for the RMM tool. Because the file is signed with a valid certificate, it often evades basic security checks while it prepares the system for remote takeover.
Once the binary is executed, it silently installs the remote access software and connects the victim's computer to a server controlled by the attacker. Setup happens entirely in the background with no notification to the user. After the software is active, the threat actors modify the service's settings within Windows so that it runs with unrestricted permissions. This level of access lets them control the machine as if they were a local administrator.
To make their access permanent, the attackers create hidden scheduled tasks that automatically relaunch the RMM program if it is closed or manually terminated, producing a resilient backdoor that survives reboots and user intervention. Because the tools involved are legitimate software commonly found in corporate environments, they frequently go unnoticed. Security professionals recommend that organizations actively monitor for unauthorized installations of management tools: an RMM binary, service or scheduled task appearing on a host where no such tool has been approved is the signal to alert on.
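The detection the article recommends can be expressed as a small correlation rule over host telemetry. The script below is an added example written for this page, not code from the article or from the researchers it summarizes. It runs over constructed sample events whose field names loosely follow Sysmon Event 1 (process creation), Security 7045 (service installed) and 4698 (scheduled task created); the LogMeIn install path, service name, task name, host names and the approved-host allowlist are all assumptions chosen for illustration, while GreenVelopeCard.exe is the lure filename reported in the article.

```python
"""Flag unauthorized RMM installs and their persistence from Windows event records."""
import re
from collections import defaultdict

# Strings that identify the RMM tooling this campaign abuses. The LogMeIn name/path
# matches are assumptions (adjust to the real install locations in your environment);
# GreenVelopeCard.exe is the lure filename reported for the campaign.
RMM_PATTERNS = re.compile(r"logmein|lmi[a-z]*\.exe|greenvelopecard\.exe", re.IGNORECASE)

# Hosts where IT has sanctioned an RMM agent (assumption for the example).
APPROVED_RMM_HOSTS = {"IT-ADMIN-01"}

# Constructed sample telemetry, not real logs. Field names are simplified versions of
# Sysmon Event 1, Security 7045 and Security 4698 (the real 4698 carries task XML).
SAMPLE_EVENTS = [
    {"host": "WS-0142", "event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\GreenVelopeCard.exe"},
    {"host": "WS-0142", "event_id": 7045, "service_name": "LogMeIn", "account": "LocalSystem",
     "image_path": r"C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe"},
    {"host": "WS-0142", "event_id": 4698,
     "task_name": r"\Microsoft\Windows\Maintenance\LMIRestart",
     "command": r"C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe"},
    {"host": "WS-0142", "event_id": 1, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe"},
    # Same service on an approved admin workstation: expected, not an alert.
    {"host": "IT-ADMIN-01", "event_id": 7045, "service_name": "LogMeIn", "account": "LocalSystem",
     "image_path": r"C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe"},
]


def classify(event):
    """Map one event to a detection rule name, or None if it is not RMM-related."""
    eid = event["event_id"]
    if eid == 1 and RMM_PATTERNS.search(event.get("image", "")):
        return "rmm_binary_executed"
    if eid == 7045 and (RMM_PATTERNS.search(event.get("service_name", ""))
                        or RMM_PATTERNS.search(event.get("image_path", ""))):
        return "rmm_service_installed"
    if eid == 4698 and (RMM_PATTERNS.search(event.get("task_name", ""))
                        or RMM_PATTERNS.search(event.get("command", ""))):
        return "rmm_persistence_task"
    return None


def detect(events, approved_hosts=APPROVED_RMM_HOSTS):
    """Return findings for RMM activity on hosts that are not on the allowlist."""
    findings = []
    for ev in events:
        rule = classify(ev)
        if rule is None or ev["host"] in approved_hosts:
            continue
        findings.append({"host": ev["host"], "rule": rule, "event": ev})
    return findings


def triage(findings):
    """Correlate per host: an unauthorized service plus a relaunch task is the backdoor pattern."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    verdicts = {}
    for host, rules in rules_by_host.items():
        if {"rmm_service_installed", "rmm_persistence_task"} <= rules:
            verdicts[host] = "critical: unauthorized RMM with persistence"
        elif "rmm_service_installed" in rules:
            verdicts[host] = "high: unauthorized RMM service"
        else:
            verdicts[host] = "medium: RMM-related activity"
    return verdicts


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']}: {f['rule']} <- event {f['event']['event_id']}")
    for host, verdict in triage(found).items():
        print(f"{host}: {verdict}")
```

The allowlist is deliberately coarse: it suppresses every RMM signal on an approved host, so a hidden relaunch task appearing on a sanctioned admin workstation would still deserve a separate, lower-priority review rule. In production the three event sources map onto Sysmon process-creation logs, System-log service installs and Security-log task creation respectively, and the patterns should be extended to whichever RMM products your organization does and does not license.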
Source: Phishing Attack Uses Stolen Credentials To Deploy LogMeIn RMM For Persistence


