26 January 2026
The attack operates in two phases. First, attackers send convincing emails that mimic routine workplace communications, such as invitations or notifications. These direct recipients to spoofed sign-in pages that resemble legitimate services, where victims enter their real credentials. The attackers then use these credentials to log into systems through standard channels, reducing the chances of detection.
In the second phase, they deploy RMM tools, specifically GoTo Resolve and LogMeIn, to establish ongoing remote access. These tools are configured for unattended operation, allowing them to run quietly in the background. The attackers use signed software, such as "GreenVelopeCard.exe," which is legitimately signed by GoTo Technologies USA, LLC, helping bypass reputation-based security checks. They seek elevated permissions through modifications to Windows services and hidden scheduled tasks, designed to evade detection.
The campaign leverages official infrastructure associated with the RMM products, including domains like "dumpster.console.gotoresolve.com" and "dumpster.dev01-console.gotoresolve.com," along with fallback domains such as "settings.cc." The use of legitimate, encrypted HTTPS traffic and expected domain names makes malicious activity difficult to distinguish from normal operations.
KnowBe4 recommends organizations monitor for unauthorized installation or use of trusted RMM tools, abnormal remote access activity, unexpected changes in Windows service configurations, and other indicators of compromise. The company emphasizes that attackers increasingly rely on legitimate services, making user behavior and anomaly detection vital. As techniques evolve, defenders should expect continued use of RMM tools in attack chains and update their detection strategies accordingly.
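To make the recommended monitoring concrete, here is a small added example (not KnowBe4's code or tooling) that scans constructed Windows telemetry for the three signals the report names: an RMM service installed outside the hosts where it is expected, DNS lookups for the RMM console and fallback domains, and a hidden scheduled task that launches an RMM binary. The event IDs used are standard Windows/Sysmon ones (7045 new service, Sysmon 22 DNS query, 4698 task created); the host allowlist, the field names, the sample records and the ProgramData path are assumptions made for the example.

```python
"""Toy detector for the RMM-abuse pattern described above.

Flags three signals on hosts NOT authorized to run RMM tools:
  * a new service (System log Event ID 7045) whose binary is signed by the
    RMM vendor or whose name/path matches an RMM product,
  * a DNS query (Sysmon Event ID 22) for the vendor console domains or the
    fallback domain named in the report,
  * a scheduled task creation (Security Event ID 4698) whose task XML marks
    the task hidden and runs an RMM-related binary.
All records below are constructed for illustration, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Hosts where the helpdesk legitimately runs GoTo Resolve / LogMeIn (assumed).
AUTHORIZED_RMM_HOSTS = {"HELPDESK-01"}

# Indicators from the report plus product-name patterns (assumption: the
# vendor's binaries carry the product name in their path or signer).
RMM_SIGNERS = {"GoTo Technologies USA, LLC"}
RMM_NAME_RE = re.compile(r"gotoresolve|logmein|greenvelopecard", re.I)
RMM_DOMAIN_RE = re.compile(r"(^|\.)(gotoresolve\.com|logmein\.com|settings\.cc)$", re.I)


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def check_event(ev: dict) -> Optional[Alert]:
    """Return an Alert for one event dict, or None if it looks benign."""
    host = ev.get("host", "")
    if host in AUTHORIZED_RMM_HOSTS:
        return None  # expected RMM activity on this host; suppress
    eid = ev.get("event_id")

    if eid == 7045:  # new service installed
        path = ev.get("image_path", "")
        name = ev.get("service_name", "")
        if ev.get("signer") in RMM_SIGNERS or RMM_NAME_RE.search(path + name):
            return Alert(host, "rmm_service_install", f"{name} -> {path}")

    elif eid == 22:  # Sysmon DNS query
        qname = ev.get("query", "")
        if RMM_DOMAIN_RE.search(qname):
            return Alert(host, "rmm_dns_query", qname)

    elif eid == 4698:  # scheduled task created; TaskContent carries the task XML
        xml = ev.get("task_content", "")
        hidden = re.search(r"<Hidden>\s*true\s*</Hidden>", xml, re.I) is not None
        if hidden and RMM_NAME_RE.search(xml):
            return Alert(host, "hidden_rmm_task", ev.get("task_name", ""))
    return None


def scan(events):
    """Run every event through check_event and keep the alerts, in order."""
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "event_id": 7045, "service_name": "GoToResolve",
     "image_path": r"C:\Users\jdoe\AppData\Local\Temp\GreenVelopeCard.exe",
     "signer": "GoTo Technologies USA, LLC"},
    {"host": "WS-FIN-07", "event_id": 22, "query": "dumpster.console.gotoresolve.com"},
    {"host": "WS-FIN-07", "event_id": 22, "query": "settings.cc"},
    {"host": "WS-FIN-07", "event_id": 4698, "task_name": r"\Microsoft\Windows\Update\Sync",
     "task_content": "<Task><Settings><Hidden>true</Hidden></Settings>"
                     r"<Actions><Exec><Command>C:\ProgramData\GoToResolve\agent.exe</Command>"
                     "</Exec></Actions></Task>"},
    {"host": "HELPDESK-01", "event_id": 22, "query": "console.gotoresolve.com"},  # authorized
    {"host": "WS-FIN-07", "event_id": 7045, "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe", "signer": "Microsoft Windows"},
    {"host": "WS-FIN-07", "event_id": 22, "query": "www.example.com"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The allowlist is what keeps this usable: because the traffic and binaries are legitimate, the only reliable distinguishing feature is whether this host and this user were ever supposed to run an RMM agent, so the rule suppresses known helpdesk hosts and alerts on everyone else.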
This campaign highlights the importance of enhanced monitoring, user awareness, and incident response to combat sophisticated, stealthy cyber threats.