GoTo Technologies USA and LLC: GoTo Resolve Tool’s Background Activities Compared to Ransomware Tactics

New PUA Exploits Legitimate IT Tool to Enable Silent Cyberattacks

Researchers from Point Wild’s Lat61 Threat Intelligence Team have uncovered a Potentially Unwanted Application (PUA) tracked as HEURRemoteAdmin.GoToResolve.gen that covertly transforms a trusted IT support tool into a backdoor for cyber intrusions.

The software, part of GoTo Resolve (formerly LogMeIn), installs silently in the background, embedding itself in C:\Program Files (x86)\GoTo Resolve Unattended without user notification. While GoTo Resolve is a legitimate remote administration tool, its installer contains a hidden file (32000~) that enables persistent, undetected operation, creating an unmonitored attack surface for threat actors.

Of particular concern is the software’s use of Windows’ Restart Manager (RstrtMgr.dll), a component historically exploited by ransomware groups like Conti and Cactus, as well as the BiBi wiper, to disable security processes. By loading this library, the PUA could terminate antivirus or other protective services, leaving systems vulnerable to follow-on attacks.

Despite bearing a valid digital signature from GoTo Technologies USA, LLC, the tool’s misuse potential remains high. Researchers warn that even signed applications can be weaponized, emphasizing the need for strict oversight of remote administration tools.

Point Wild’s CTO, Dr. Zulfikar Ramzan, highlights this as part of a broader trend: "the exploitation of legitimate remote administration tools by threat actors," noting its ability to pre-position systems for destructive attacks while evading detection. Organizations are advised to verify and remove unauthorized instances of the software.
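As an added example that is not from the article, Rankiteo or GoTo, the following PowerShell script is a defender-side inventory check for the recommendation above: it tests for the install directory and hidden file named on the page, verifies the Authenticode signature of any binaries found there, and lists processes running from that directory that have RstrtMgr.dll loaded. The path and file name come from the page; the script's structure, variable names and output fields are assumptions.

```powershell
# Added example (not code from the page, the article or GoTo).
# Install path and hidden file name are as reported on the page; the rest is assumed.
$installPath  = 'C:\Program Files (x86)\GoTo Resolve Unattended'
$hiddenMarker = Join-Path $installPath '32000~'

$report = [ordered]@{
    InstallPresent        = Test-Path -LiteralPath $installPath
    HiddenFilePresent     = Test-Path -LiteralPath $hiddenMarker
    Binaries              = @()
    ProcessesWithRstrtMgr = @()
}

if ($report.InstallPresent) {
    # -Force includes hidden files; the page says the installer drops a hidden file.
    Get-ChildItem -LiteralPath $installPath -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            # A valid signature from the vendor is expected; a missing or invalid one is a stronger finding.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $report.Binaries += [pscustomobject]@{
                Path   = $_.FullName
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# Processes started from the install directory that have the Restart Manager library loaded.
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        if ($proc.Path -and $proc.Path.StartsWith($installPath, [System.StringComparison]::OrdinalIgnoreCase)) {
            $hasRstrt = $proc.Modules | Where-Object { $_.ModuleName -ieq 'RstrtMgr.dll' }
            if ($hasRstrt) {
                $report.ProcessesWithRstrtMgr += "$($proc.ProcessName) (PID $($proc.Id))"
            }
        }
    } catch {
        # Module enumeration fails for protected or higher-integrity processes; skip them.
    }
}

[pscustomobject]$report
```

Run it from an elevated PowerShell session so that module lists of service processes can be read. RstrtMgr.dll is a standard Windows component that installers and updaters load legitimately, so a process having it loaded is a triage signal to be read together with the install-path and signature results, not proof of misuse on its own. The script only reports; deciding whether an instance is authorized and removing it is left to the administrator.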

Source: https://hackread.com/goto-resolve-activities-ransomware-tactics/

GoTo cybersecurity rating report: https://www.rankiteo.com/company/goto

{
  "id": "GOT1769611354",
  "linkid": "goto",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Organizations with unauthorized GoTo Resolve installations",
      "industry": "IT/Remote Administration",
      "name": "GoTo Technologies USA, LLC (via GoTo Resolve)",
      "type": "Software vendor"
    }
  ],
  "attack_vector": "Legitimate IT support tool (GoTo Resolve) with hidden backdoor functionality",
  "description": "Researchers from Point Wild’s Lat61 Threat Intelligence Team have uncovered a Potentially Unwanted Application (PUA) tracked as HEURRemoteAdmin.GoToResolve.gen that covertly transforms a trusted IT support tool into a backdoor for cyber intrusions. The software, part of GoTo Resolve (formerly LogMeIn), installs silently in the background, embedding itself in C:\\Program Files (x86)\\GoTo Resolve Unattended\\ without user notification. While GoTo Resolve is a legitimate remote administration tool, its installer contains a hidden file (32000~) that enables persistent, undetected operation, creating an unmonitored attack surface for threat actors. The software’s use of Windows’ Restart Manager (RstrtMgr.dll) could disable security processes, leaving systems vulnerable to follow-on attacks. Despite bearing a valid digital signature from GoTo Technologies USA, LLC, the tool’s misuse potential remains high.",
  "impact": {
    "operational_impact": "Potential termination of antivirus or protective services",
    "systems_affected": "Systems with unauthorized GoTo Resolve installations"
  },
  "initial_access_broker": {
    "backdoors_established": "Persistent, undetected operation via GoTo Resolve Unattended",
    "entry_point": "Hidden file (32000~) in GoTo Resolve installer"
  },
  "lessons_learned": "Legitimate remote administration tools can be weaponized by threat actors, emphasizing the need for strict oversight and verification of such tools.",
  "motivation": "Pre-positioning systems for destructive attacks, evading detection",
  "post_incident_analysis": {
    "corrective_actions": "Strict oversight and removal of unauthorized remote administration tools",
    "root_causes": "Exploitation of legitimate IT tools with hidden backdoor functionality, misuse of Windows’ Restart Manager (RstrtMgr.dll)"
  },
  "recommendations": "Organizations are advised to verify and remove unauthorized instances of GoTo Resolve or similar remote administration tools.",
  "references": [
    { "source": "Point Wild’s Lat61 Threat Intelligence Team" }
  ],
  "response": {
    "containment_measures": "Verify and remove unauthorized instances of the software"
  },
  "title": "New PUA Exploits Legitimate IT Tool to Enable Silent Cyberattacks",
  "type": "Potentially Unwanted Application (PUA)",
  "vulnerability_exploited": "Windows’ Restart Manager (RstrtMgr.dll) exploitation for disabling security processes"
}