LogMeIn, PayPal, CyberProof and AnyDesk: Hackers Use Fake PayPal Notices to Steal Credentials, Deploy RMMs

New Phishing Campaign Exploits Fake PayPal Alerts to Hijack RMM Tools

A recent surge in phishing attacks is leveraging fake PayPal alerts to compromise both personal and corporate systems through legitimate remote monitoring and management (RMM) tools. CyberProof’s advisory, published on Tuesday, details a shift from seasonal lures such as holiday invites or tax notices to high-urgency financial scams designed to prompt immediate action.

Researchers analyzed six incidents across customer environments, including one case where an employee’s personal PayPal account became the initial entry point. On January 5, 2026, CyberProof’s Managed Detection and Response (MDR) team detected suspicious activity that later escalated into corporate access. The attack began with a fraudulent PayPal email, followed by phone-based social engineering. Posing as support staff, the attacker convinced the victim to install LogMeIn Rescue, then switched to AnyDesk to maintain persistence, all without triggering endpoint detection and response (EDR) alerts.

The attackers used one RMM tool to install another, a technique also observed in recent Broadcom research. This redundancy may help evade detection and lets the attackers make use of trial licenses before they expire. Artifacts recovered from the attacks included multiple LogMeIn Rescue binaries and evidence of active remote sessions. Persistence was achieved through a scheduled task and a disguised startup shortcut, both mimicking legitimate system activity.
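The two behaviours described above (one RMM tool launching a second one, and persistence via a scheduled task or a startup-folder shortcut that points at an RMM binary) are straightforward to hunt for in a process-creation and persistence feed. The following Python is an added example written for this page, not code from CyberProof, Broadcom or the RMM vendors; the event records are constructed to loosely resemble an EDR/Sysmon export, the `RMM_INDICATORS` substrings are assumptions rather than a vetted indicator list, and resolving a `.lnk` shortcut to its target is assumed to have been done upstream.

```python
"""Flag RMM-installs-RMM chains and RMM persistence in a constructed event feed.

Event records are constructed for this example; field names mimic a generic
EDR/Sysmon process-creation export and are not any vendor's schema.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed indicator substrings for the two tools named in the advisory.
# Real deployments should replace these with hashes/signer checks.
RMM_INDICATORS = {
    "logmein_rescue": ("logmeinrescue", "lmirescue", "lmi_rescue"),
    "anydesk": ("anydesk",),
}

# Per-user and all-users Startup folders share this suffix on Windows.
STARTUP_DIR_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def rmm_family(path: str | None) -> str | None:
    """Return the RMM family an image path or command line matches, if any."""
    if not path:
        return None
    lowered = path.lower()
    for family, needles in RMM_INDICATORS.items():
        if any(needle in lowered for needle in needles):
            return family
    return None


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def detect(events: list[dict]) -> list[Finding]:
    """Apply the three detections to a list of event dicts, in feed order."""
    findings: list[Finding] = []
    for ev in events:
        host = ev.get("host", "?")
        kind = ev.get("kind")
        if kind == "process_create":
            child = rmm_family(ev.get("image"))
            parent = rmm_family(ev.get("parent_image"))
            # Rule 1: an RMM tool spawning a *different* RMM tool. A tool
            # re-launching its own binary (same family) is normal and skipped.
            if child and parent and child != parent:
                findings.append(Finding("rmm_installs_rmm", host,
                                        f"{parent} -> {child}: {ev.get('image')}"))
        elif kind == "scheduled_task_create":
            # Rule 2: scheduled task whose action runs an RMM binary, whatever
            # the task is named (the advisory notes names mimic system activity).
            family = rmm_family(ev.get("action"))
            if family:
                findings.append(Finding("rmm_scheduled_task", host,
                                        f"{ev.get('task_name')} -> {family}"))
        elif kind == "startup_shortcut":
            # Rule 3: .lnk dropped in a Startup folder whose resolved target is
            # an RMM binary; the shortcut's display name is irrelevant.
            path = (ev.get("path") or "").lower()
            family = rmm_family(ev.get("target"))
            if family and path.endswith(".lnk") and STARTUP_DIR_MARKER in path:
                findings.append(Finding("rmm_startup_shortcut", host,
                                        f"{ev.get('path')} -> {family}"))
    return findings


# Constructed sample feed: one host showing the full chain, one benign host.
SAMPLE_EVENTS = [
    {"kind": "process_create", "host": "WS-01",
     "image": r"C:\Users\u\Downloads\Support-LogMeInRescue.exe",
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"kind": "process_create", "host": "WS-01",
     "image": r"C:\Users\u\AppData\Local\Temp\AnyDesk.exe",
     "parent_image": r"C:\Users\u\Downloads\Support-LogMeInRescue.exe"},
    {"kind": "scheduled_task_create", "host": "WS-01",
     "task_name": r"\Microsoft\Windows\WindowsUpdateCheck",
     "action": r"C:\Users\u\AppData\Roaming\AnyDesk\AnyDesk.exe --service"},
    {"kind": "startup_shortcut", "host": "WS-01",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive Sync.lnk",
     "target": r"C:\Users\u\AppData\Roaming\AnyDesk\AnyDesk.exe"},
    {"kind": "process_create", "host": "WS-02",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.host}: {finding.detail}")
```

Run as-is, the script reports three findings for `WS-01` (the LogMeIn-to-AnyDesk chain, the scheduled task, and the disguised startup shortcut) and nothing for `WS-02`. The first event, a browser launching LogMeIn Rescue, is deliberately not flagged on its own: a single RMM install may be sanctioned, and the signal the advisory points to is the second tool and the persistence that follows it.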

While the immediate goal appears financial, CyberProof warned that such access could be sold to advanced persistent threat (APT) groups, leading to full corporate compromise or ransomware deployment. The firm highlighted the risks of RMM tool abuse and the need for stronger phishing controls, restricted network access to common RMM ports, and the avoidance of exposed remote services like RDP.

Source: https://www.infosecurity-magazine.com/news/hackers-fake-paypal-notices-deploy/

LogMeIn TPRM report: https://www.rankiteo.com/company/gotoassistbylogmein

PayPal TPRM report: https://www.rankiteo.com/company/paypal

CyberProof TPRM report: https://www.rankiteo.com/company/cyberproof-inc.

AnyDesk TPRM report: https://www.rankiteo.com/company/anydesk-software-gmbh

{
"id": "gotpaycybany1768408080",
"linkid": "gotoassistbylogmein, paypal, cyberproof-inc., anydesk-software-gmbh",
"type": "Vulnerability",
"date": "1/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
}
{'affected_entities': [{'type': 'Corporate and Personal Accounts'}],
 'attack_vector': 'Phishing Email, Phone-Based Social Engineering, Legitimate '
                  'RMM Tools (LogMeIn Rescue, AnyDesk)',
 'data_breach': {'personally_identifiable_information': 'Potential (if '
                                                        'personal accounts '
                                                        'were compromised)'},
 'date_detected': '2026-01-05',
 'date_publicly_disclosed': '2026-01-07',
 'description': 'A new wave of phishing-led intrusions abusing legitimate '
                'remote monitoring and management (RMM) tools has been '
                'documented, with attackers using fake PayPal alerts to gain '
                'both personal and corporate access. The activity marks a '
                'shift toward high-urgency financial themes, exploiting '
                'trusted remote access software to evade detection.',
 'impact': {'identity_theft_risk': 'High (if personal accounts were '
                                   'compromised)',
            'operational_impact': 'Potential full corporate compromise, '
                                  'Unauthorized remote access',
            'payment_information_risk': 'High (due to PayPal-themed phishing)',
            'systems_affected': 'Corporate and personal devices with RMM tools '
                                'installed'},
 'initial_access_broker': {'backdoors_established': 'LogMeIn Rescue, AnyDesk, '
                                                    'Scheduled task, Startup '
                                                    'shortcut',
                           'data_sold_on_dark_web': 'Potential (access may be '
                                                    'sold to APT actors)',
                           'entry_point': 'Personal PayPal account via '
                                          'phishing email and social '
                                          'engineering',
                           'high_value_targets': 'Corporate access via '
                                                 'personal account compromise'},
 'investigation_status': 'Ongoing (as of advisory publication)',
 'lessons_learned': 'Legitimate RMM tools can be weaponized to evade '
                    'detection. Attackers may use multiple RMM tools to reduce '
                    'detection likelihood. Persistence mechanisms (e.g., '
                    'scheduled tasks, startup shortcuts) can blend into '
                    'regular system activity. Phishing controls and user '
                    'training are critical in mitigating such threats.',
 'motivation': 'Financial gain, Potential sale of access to APT actors for '
               'ransomware deployment',
 'post_incident_analysis': {'corrective_actions': ['Enhanced phishing controls',
                                                   'Restricted RMM tool access',
                                                   'Improved EDR monitoring',
                                                   'User training on social '
                                                   'engineering'],
                            'root_causes': ['Lack of phishing controls',
                                            'Unrestricted RMM tool usage',
                                            'Insufficient EDR monitoring',
                                            'Social engineering '
                                            'susceptibility']},
 'recommendations': ['Tighten phishing controls',
                     'Restrict network access to common RMM ports',
                     'Avoid exposing remote services like RDP',
                     'Maintain offline backups',
                     'Assess risks of third-party RMM tools',
                     'Keep security software up to date',
                     'Reinforce user training as part of a zero-trust security '
                     'model'],
 'references': [{'date_accessed': '2026-01-07',
                 'source': 'Cyberproof Advisory'},
                {'source': 'Broadcom Research on RMM Tool Abuse'},
                {'source': 'Remote Control Cybercrime: An RMM Protection Guide '
                           'for MSPs'}],
 'response': {'enhanced_monitoring': 'Reinforced user training, Zero-trust '
                                     'security model',
              'incident_response_plan_activated': 'Managed Detection and '
                                                  'Response (MDR) team '
                                                  'identified suspicious '
                                                  'activity',
              'recovery_measures': 'Offline backups, Assessment of third-party '
                                   'RMM tool risks, Updated security software',
              'remediation_measures': 'Tightening phishing controls, '
                                      'Restricting network access to common '
                                      'RMM ports, Avoiding exposure of remote '
                                      'services like RDP'},
 'title': 'Phishing-Led Intrusions Abusing Legitimate RMM Tools via Fake '
          'PayPal Alerts',
 'type': 'Phishing, Social Engineering, RMM Abuse',
 'vulnerability_exploited': 'Lack of phishing controls, Unrestricted RMM tool '
                            'usage, Insufficient EDR monitoring'}