Greenvelope and LogMeIn: Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access


Cyberattackers Exploit Stolen Credentials and Legitimate RMM Tools for Persistent Access

Cybersecurity researchers at KnowBe4 Threat Labs have uncovered a sophisticated dual-phase campaign in which threat actors abuse stolen credentials to deploy trusted Remote Monitoring and Management (RMM) software, turning it into a persistent backdoor for unauthorized access.

The attack begins with phishing emails disguised as invitations from Greenvelope, a legitimate digital invitation platform. The messages carry links to credential-harvesting pages for Microsoft Outlook, Yahoo!, and AOL accounts. With a victim's credentials in hand, the attackers move to the second phase: they register with LogMeIn using the compromised email address, which yields RMM access tokens for an account tied to the victim's own mailbox rather than to an obviously attacker-controlled address.

The threat actors then deploy a signed executable, GreenVelopeCard.exe, which silently installs LogMeIn Resolve (formerly GoTo Resolve) and connects it to an attacker-controlled server. The installer modifies the agent's service settings to grant unrestricted access to the Windows host and creates hidden scheduled tasks so that the RMM agent is relaunched even if it is manually terminated.

Because the agent is a signed, legitimate IT tool, it does not trip signature-based defenses and its traffic looks like routine remote support, which makes detection harder. Organizations are advised to keep an inventory of approved RMM products, alert on any RMM installation, service, or scheduled task that is not on it, and watch for unusual usage patterns such as remote sessions from accounts or at times that do not match normal support activity.
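Monitoring for unauthorized RMM installs in practice needs an allowlist of sanctioned products and a detector over the Windows events an install produces. The block below is an added example, not code from KnowBe4, Rankiteo, or LogMeIn: the sample events, the allowlist, and the product-name indicator substrings are constructed assumptions, and the service and task names in the sample events are placeholders rather than the real agent's names. It also covers the persistence step described above: a hidden scheduled task that relaunches the agent is flagged even when the product itself is approved.

```python
"""Hunt for unauthorized RMM activity in Windows event data.

Added example; this is not KnowBe4's, Rankiteo's, or LogMeIn's code.
The events below are constructed for illustration and mirror the fields
of three Windows events that an RMM install produces: 4688 (process
creation), 7045 (service installed) and 4698 (scheduled task created).
The RMM indicator table is an assumption (product-name substrings), not a
vendor-published IOC list; the service and task names in the sample
events are placeholders, not the real agent's names.
"""
import re
from dataclasses import dataclass

# Assumption: product-name substrings that show up in image paths, service
# names and task XML when these products are installed. Case-insensitive.
RMM_INDICATORS = {
    "LogMeIn Resolve / GoTo Resolve": ("logmein", "goto resolve", "gotoresolve"),
    "ConnectWise ScreenConnect": ("screenconnect",),
    "TeamViewer": ("teamviewer",),
    "AnyDesk": ("anydesk",),
    "Splashtop": ("splashtop",),
    "Atera": ("atera",),
}

# Task Scheduler XML marks a task hidden from the UI with <Hidden>true</Hidden>.
HIDDEN_TASK = re.compile(r"<Hidden>\s*true\s*</Hidden>", re.IGNORECASE)

# The organisation's sanctioned RMM products (constructed allowlist).
APPROVED_RMM = {"ConnectWise ScreenConnect", "TeamViewer"}

# Constructed sample events. WS-042 shows the pattern described in the
# article: a signed dropper run from the user's Downloads folder, followed
# by a LogMeIn Resolve service and a hidden scheduled task that relaunches it.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "WS-017",
     "service_name": "ScreenConnect Client (a1b2c3)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"},
    {"event_id": 4688, "host": "WS-042",
     "new_process_name": r"C:\Users\jdoe\Downloads\GreenVelopeCard.exe",
     "command_line": r"C:\Users\jdoe\Downloads\GreenVelopeCard.exe"},
    {"event_id": 7045, "host": "WS-042",
     "service_name": "LogMeIn Resolve Agent",                       # placeholder name
     "image_path": r"C:\ProgramData\LogMeIn Resolve\agent.exe"},   # placeholder path
    {"event_id": 4698, "host": "WS-042",
     "task_name": r"\Microsoft\Windows\Maintenance\AgentKeepAlive",  # placeholder name
     "task_content": ("<Task><Settings><Hidden>true</Hidden></Settings>"
                      "<Actions><Exec><Command>C:\\ProgramData\\LogMeIn Resolve\\agent.exe"
                      "</Command></Exec></Actions></Task>")},
    {"event_id": 4688, "host": "WS-003",
     "new_process_name": r"C:\Users\helpdesk\Downloads\TeamViewerQS.exe",
     "command_line": r"C:\Users\helpdesk\Downloads\TeamViewerQS.exe"},
]


@dataclass
class Finding:
    host: str
    event_id: int
    product: str
    reason: str
    evidence: str


def rmm_product(text):
    """Return the RMM product named in text, or None."""
    lowered = text.lower()
    for product, needles in RMM_INDICATORS.items():
        if any(n in lowered for n in needles):
            return product
    return None


def searchable_text(event):
    """Concatenate the fields of each event type that can name a binary."""
    fields = {
        4688: ("new_process_name", "command_line"),
        7045: ("service_name", "image_path"),
        4698: ("task_name", "task_content"),
    }.get(event["event_id"], ())
    return " ".join(event.get(f, "") for f in fields)


def detect_unauthorized_rmm(events, approved=APPROVED_RMM):
    """Flag RMM services, processes and tasks not on the allowlist, plus
    hidden scheduled tasks that relaunch even an approved RMM agent."""
    reasons = {
        4688: "unapproved RMM process started",
        7045: "unapproved RMM service installed",
        4698: "unapproved RMM scheduled task created",
    }
    findings = []
    for ev in events:
        text = searchable_text(ev)
        product = rmm_product(text)
        if product is None:
            continue  # the dropper itself carries no RMM name, so it is not matched here
        hidden = ev["event_id"] == 4698 and bool(HIDDEN_TASK.search(ev.get("task_content", "")))
        if product in approved:
            if hidden:  # persistence trick, even for a sanctioned product
                findings.append(Finding(ev["host"], 4698, product,
                                        "approved RMM relaunched by hidden scheduled task",
                                        ev.get("task_name", "")))
            continue
        reason = reasons[ev["event_id"]] + (" (hidden task)" if hidden else "")
        findings.append(Finding(ev["host"], ev["event_id"], product, reason, text[:160]))
    return findings


if __name__ == "__main__":
    for f in detect_unauthorized_rmm(SAMPLE_EVENTS):
        print(f"{f.host} event {f.event_id}: {f.reason} [{f.product}] {f.evidence}")
```

Run stand-alone, the block reports two findings for WS-042: the LogMeIn Resolve service and the hidden task that relaunches it. The dropper GreenVelopeCard.exe carries no RMM product name, so a hunt keyed only on product names does not see it; pairing this detector with an alert on new services or tasks created shortly after an executable runs from a user profile directory closes that gap.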

Source: https://thehackernews.com/2026/01/phishing-attack-uses-stolen-credentials.html

Greenvelope TPRM report: https://www.rankiteo.com/company/greenvelope-llc

LogMeIn TPRM report: https://www.rankiteo.com/company/logmein

{
  "id": "grelog1769181925",
  "linkid": "greenvelope-llc, logmein",
  "type": "Cyber Attack",
  "date": "1/2026",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}

{
  "affected_entities": [
    {"type": "Organizations using Microsoft Outlook, Yahoo!, or AOL accounts"}
  ],
  "attack_vector": "Phishing emails, Malicious links, Stolen credentials",
  "data_breach": {
    "personally_identifiable_information": "Email account credentials",
    "sensitivity_of_data": "High (email account credentials)",
    "type_of_data_compromised": "Login credentials"
  },
  "description": "Cybersecurity researchers at KnowBe4 Threat Labs have uncovered a sophisticated dual-phase campaign in which threat actors abuse stolen credentials to deploy trusted Remote Monitoring and Management (RMM) software, turning it into a persistent backdoor for unauthorized access. The attack begins with phishing emails disguised as invitations from Greenvelope, a legitimate digital invitation platform. These fraudulent messages contain malicious links that harvest login credentials for Microsoft Outlook, Yahoo!, and AOL accounts. Once obtained, the attackers move to the second phase: registering with LogMeIn using the compromised email to generate RMM access tokens. The threat actors then deploy a signed executable, GreenVelopeCard.exe, which silently installs LogMeIn Resolve (formerly GoTo Resolve) and connects to an attacker-controlled server. The malware modifies service settings to grant unrestricted Windows access and creates hidden scheduled tasks, ensuring the RMM tool relaunches even if manually terminated. By weaponizing legitimate IT tools, the attackers bypass traditional security defenses, making detection more challenging.",
  "impact": {
    "data_compromised": "Login credentials for Microsoft Outlook, Yahoo!, and AOL accounts",
    "identity_theft_risk": "High",
    "operational_impact": "Unauthorized persistent access, potential data exfiltration",
    "systems_affected": "Windows systems with LogMeIn Resolve installed"
  },
  "initial_access_broker": {
    "backdoors_established": "LogMeIn Resolve (RMM tool) as a persistent backdoor",
    "entry_point": "Phishing emails disguised as Greenvelope invitations"
  },
  "lessons_learned": "Organizations should monitor for unauthorized RMM installations and unusual usage patterns to mitigate such threats.",
  "post_incident_analysis": {
    "corrective_actions": "Monitor for unauthorized RMM installations and unusual usage patterns",
    "root_causes": "Stolen credentials, abuse of legitimate RMM tools"
  },
  "recommendations": "Monitor for unauthorized RMM installations and unusual usage patterns.",
  "references": [
    {"source": "KnowBe4 Threat Labs"}
  ],
  "response": {
    "enhanced_monitoring": "Monitor for unauthorized RMM installations and unusual usage patterns",
    "third_party_assistance": "KnowBe4 Threat Labs"
  },
  "title": "Cyberattackers Exploit Stolen Credentials and Legitimate RMM Tools for Persistent Access",
  "type": "Phishing, Credential Theft, RMM Abuse"
}