Thursday November 27, 2025

Advisory ID: NCC-CSIRT-2025-025

Summary: 

Cybercriminals are abusing trusted Remote Monitoring & Management (RMM) tools, notably LogMeIn/GoTo Resolve and PDQ Connect, to disguise malware as legitimate software. Attackers distribute seemingly normal installers, hosted on convincing lookalike websites or delivered via phishing, that install RMM agents (or reuse the vendors' own installers) and then deploy secondary malicious payloads, giving the attacker remote control and persistence while blending in with legitimate administrative software.

Damage/Probability: High/High

Indicators of Compromise (IOCs): 

  • Fake download URLs/domains posing as legitimate vendor pages.
  • MSI files mimicking PDQ Connect/LogMeIn installers that trigger unusual outbound activity.
  • Unauthorized RMM agents installed on endpoints.
  • Outbound C2 or remote-access connections appearing soon after an RMM agent is installed.

Product(s): 

  • LogMeIn/GoTo Resolve – remote access and support tool.
  • PDQ Connect – remote software deployment and management tool.
  • Other RMM tools (e.g., ConnectWise ScreenConnect, SimpleHelp) have been used in similar attacks.

Version(s): 

Not version-specific; the technique affects any environment where RMM agents can be installed, or coerced into running, with administrative privileges. Confirm vendor-specific advisories for the exact affected builds.

Platform(s): 

  • Windows Endpoints
  • Servers
  • Corporate Workstations
  • Unmanaged systems where users can install RMM agents outside normal deployment channels.

Description: 

Recent incidents show attackers hosting convincing software-download pages or sending phishing lures that lead victims to download and run installers which either (a) install legitimate RMM agents (a PDQ Connect MSI or a LogMeIn/GoTo Resolve installer) that report to an account the attacker controls, or (b) bundle an RMM installer with a secondary malicious payload. Once the agent is running with elevated privileges, the attacker uses the tool's remote-access and management features to move laterally, execute arbitrary commands, and persist. In several reported cases the final payloads included information-stealers and remote access frameworks. Security vendors, including AhnLab and IBM X-Force, have published analyses describing the distribution patterns and attack chains.

Notable operational details observed across reports: vendors’ legitimate agents (or their installers) are often used to lower suspicion; MSI installers are a recurring delivery artefact; attackers may combine social engineering (fake update/meeting invites) with poisoned landing pages; and sectors affected include logistics, transportation, and enterprise services.

Threat Types: 

  • Use of legitimate RMM tools for initial access and persistence.
  • Delivery of malware through fake vendor sites or compromised installers.
  • Full remote control or code execution once the RMM agent runs with admin privileges.
  • Data theft, lateral movement, and deployment of additional tools (e.g., Cobalt Strike).

Impacts: 

  • Attackers gain remote admin control, allowing full system access, credential theft, and further malware deployment.
  • Compromise of operational environments where RMM is common, enabling fraud, manipulation, or service disruption.
  • Malicious actions blend with legitimate RMM activity, evading detection and bypassing simple allow-lists.

Solutions:  

NCC-CSIRT recommend the following mitigation steps:

  • Track all RMM installations and alert on any unauthorized agents.
  • Alert when an installer creates a new service, scheduled task, or other persistence mechanism.
  • Monitor for abnormal remote-management activity or connections.
  • Use EDR to flag suspicious installer-to-agent process chains (for example, a browser or mail client launching msiexec.exe, which then starts an RMM agent).
  • Block malicious installers and sandbox MSI files before approval.
  • Treat any unexpected RMM installation as a high-priority incident.
  • Enforce strict change-control and approvals for RMM tools.
  • Include RMM-abuse scenarios in tabletop and IR playbooks.
  • Work with vendors to verify installer integrity and monitor distribution channels.
  • Use application allow-listing and require admin approval for new RMM tools.
  • Keep an approved RMM vendor list and continuously monitor remote-access channels.
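
As an added example, not code from NCC-CSIRT or from any RMM vendor, the Python sketch below implements three of the checks above (tracking agents against an approved list, flagging installer-to-agent process chains, and correlating outbound connections with a fresh agent install, which also covers the indicators in the IOC section) over constructed Sysmon-style events. The approved list, the agent signature strings, the image paths, the event field names and the ten-minute window are all assumptions made for the illustration.

```python
"""Correlate endpoint telemetry for signs of RMM-agent abuse: an RMM service from an
unsanctioned family, an installer-to-agent process chain that starts in a browser or
mail client, and outbound traffic from an agent shortly after it was installed.
Added illustration, not NCC-CSIRT or vendor code; events, paths, signature strings
and the approved list are constructed for the example."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: only PDQ Connect is sanctioned in this environment.
APPROVED_RMM = {"pdq connect"}

# Lower-case substrings assumed to identify an RMM family in a service or image name.
RMM_SIGNATURES = {
    "pdq connect": ("pdq connect", "pdq-connect", "pdqconnect"),
    "goto resolve": ("gotoresolve", "goto resolve", "logmein"),
    "screenconnect": ("screenconnect",),
    "simplehelp": ("simplehelp",),
}
INSTALLERS = {"msiexec.exe"}
# Processes a phishing lure or lookalike download page would launch an installer from.
USER_APPS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


def identify_rmm(name):
    """Return the RMM family whose signature appears in *name*, or None."""
    low = name.lower()
    for family, sigs in RMM_SIGNATURES.items():
        if any(s in low for s in sigs):
            return family
    return None


def basename(path):
    return PureWindowsPath(path).name.lower()


def detect(events, approved=APPROVED_RMM, window=timedelta(minutes=10)):
    """Run the three rules over events of kind service / process / network."""
    findings = []
    # Process-creation events by (host, pid), so an agent can be walked back to its grandparent.
    by_pid = {(e["host"], e["pid"]): e for e in events if e["kind"] == "process"}
    installs = {}  # host -> (family, time) of the most recent RMM service installation
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["kind"] == "service":  # new service installed (Security event 7045)
            fam = identify_rmm(e["service"] + " " + e["image"])
            if fam:
                installs[e["host"]] = (fam, ts)
                if fam not in approved:
                    findings.append({"rule": "unauthorized_rmm_service", "host": e["host"],
                                     "family": fam, "severity": "high"})
        elif e["kind"] == "process":  # process creation (Sysmon event 1)
            fam = identify_rmm(e["image"])
            if fam and basename(e["parent"]) in INSTALLERS:
                root = by_pid.get((e["host"], e["ppid"]))  # the installer's own creation event
                origin = basename(root["parent"]) if root else "unknown"
                if origin in USER_APPS or fam not in approved:
                    findings.append({"rule": "installer_to_agent_chain", "host": e["host"],
                                     "family": fam, "severity": "high",
                                     "chain": f"{origin} -> {basename(e['parent'])} -> {basename(e['image'])}"})
        elif e["kind"] == "network":  # outbound connection (Sysmon event 3)
            fam = identify_rmm(e["image"])
            inst = installs.get(e["host"])
            if fam and inst and inst[0] == fam and timedelta(0) <= ts - inst[1] <= window:
                findings.append({"rule": "outbound_after_install", "host": e["host"], "family": fam,
                                 "dest": f"{e['dest']}:{e['dport']}",
                                 "seconds_after_install": int((ts - inst[1]).total_seconds()),
                                 "severity": "high" if fam not in approved else "low"})
    return findings


# Constructed sample telemetry: a lookalike GoTo Resolve install on WS01 launched from a
# browser, and a sanctioned PDQ Connect push on WS02 launched by the service control manager.
SAMPLE_EVENTS = [
    {"kind": "process", "ts": "2025-11-27T09:00:01", "host": "WS01", "pid": 4120, "ppid": 2200,
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"kind": "service", "ts": "2025-11-27T09:00:04", "host": "WS01", "service": "GoToResolve Agent",
     "image": r"C:\Program Files\GoTo\Resolve\GoToResolveAgent.exe"},
    {"kind": "process", "ts": "2025-11-27T09:00:05", "host": "WS01", "pid": 4388, "ppid": 4120,
     "image": r"C:\Program Files\GoTo\Resolve\GoToResolveAgent.exe",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"kind": "network", "ts": "2025-11-27T09:00:09", "host": "WS01", "pid": 4388,
     "image": r"C:\Program Files\GoTo\Resolve\GoToResolveAgent.exe", "dest": "203.0.113.45", "dport": 443},
    {"kind": "process", "ts": "2025-11-27T10:00:00", "host": "WS02", "pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"kind": "service", "ts": "2025-11-27T10:00:02", "host": "WS02", "service": "PDQ Connect Agent",
     "image": r"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe"},
    {"kind": "process", "ts": "2025-11-27T10:00:03", "host": "WS02", "pid": 610, "ppid": 500,
     "image": r"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe",
     "parent": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Two caveats for anyone turning this into a production rule. First, an approved list keyed on product name is only a coarse filter: a lookalike installer can drop the genuine, signed vendor agent enrolled in an account the attacker controls, so the check that actually establishes authorization is the agent's organisation or enrolment identifier matched against the change-control record, alongside the installer's signature. Second, a legitimate agent beacons to its vendor immediately after installation, so the post-install connection rule is a correlation rather than a verdict on its own; it only becomes high severity when the family is unsanctioned or the destination is not the vendor's infrastructure.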

References: