A highly active cybercriminal group has shifted tactics in a long-running campaign that abuses remote monitoring and management (RMM) software to infiltrate corporate environments. According to a new report from The Threat Hunter Team at Broadcom, the actor is now deploying multiple RMM tools across compromised networks—often weeks apart—to extend persistence and prepare systems for potential resale or deeper compromise.
The ongoing campaign, active since at least April 2025, demonstrates the threat actor’s increasing sophistication and determination to maintain long-term access inside victim organizations.
The attacks continue to begin with phishing emails containing malicious URLs leading to setup executables or MSI installers. The lure themes vary widely, and investigators observed the group “masquerading as holiday party invites, such as ‘Party Invitation’ or ‘December Holiday Party’.” Other phishing emails impersonated invoices, tax notices, overdue payment reminders, Zoom meeting reminders, and signature requests.
Once a victim clicks the link, the downloaded installer—sometimes digitally signed—loads the RMM payload that enables remote access.
Historically, the group relied almost exclusively on ScreenConnect to establish footholds. But recent activity reveals a major shift. As the report explains:
“A highly active threat actor … is now infecting its victims with multiple RMM tools, including LogMeIn Resolve and Naverisk.”
Since mid-2025, the actor has expanded its arsenal to include:
- ScreenConnect (ConnectWise)
- LogMeIn Resolve (GoTo Resolve)
- Naverisk
- SimpleHelp
- PDQ
- Atera
These tools are not always deployed at once. Instead, “one is used to install another and often a period of time can elapse between installations.”
This staggered deployment strategy enables the attackers to:
- establish persistence
- evade detection
- re-enter systems if one RMM tool is removed
- maintain multiple channels of remote access
Alongside the RMM packages, the attackers deploy a supporting toolkit designed to expand their access and weaken defenses. Broadcom’s report details several tools frequently observed:
- HideMouse.exe – hides the mouse cursor to disguise remote activity
- WebBrowserPassView – extracts credentials stored by web browsers
- Defender Control – disables Microsoft Defender
- Additional files such as Hidefromcontrolpanel, PhoneLinkLauncher, and Windowspasskey
The report notes that “the nature of the toolset suggested the attackers wanted to cover their tracks, disable security and harvest credentials for further exploitation.”
Examples from victim organizations show how the actor sequences RMM deployments over time:
- In one case, ScreenConnect was installed in August, followed by a second ScreenConnect instance in September, then LogMeIn Resolve the next day—each delivered through disguised installers such as document.clientsetup.msi and adobereaderdc.clientsetup.msi.
- In another intrusion, LogMeIn Resolve (Oct 31) was used to install ScreenConnect, which then deployed HideMouse and WebBrowserPassView. Several days later, Naverisk was also installed.
These multi-stage breaches illustrate the attacker’s evolving playbook: build foothold → deploy secondary RMMs → exfiltrate credentials → maintain long-term, redundant access.
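As an added illustration, not code from the Broadcom report, the detection logic below correlates per-host installer and process events to flag the staged pattern described above: more than one RMM product on a host (possibly weeks apart), the same product installed twice, ScreenConnect installers under decoy names like document.clientsetup.msi, and the supporting toolkit (HideMouse, WebBrowserPassView, Defender Control). The file-name patterns, host names and sample events are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Product -> installer/image name pattern. Assumed mapping, not from the report,
# except that the report shows ScreenConnect delivered as *.clientsetup.msi decoys.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"screenconnect|\.clientsetup\.msi$", re.I),
    "LogMeIn Resolve": re.compile(r"logmein|gotoresolve", re.I),
    "Naverisk": re.compile(r"naverisk", re.I),
}
SUPPORT_TOOLS = re.compile(r"hidemouse|webbrowserpassview|defender.?control", re.I)

# Constructed sample events, "<ISO timestamp> <host> <installer or image name>".
SAMPLE_EVENTS = [
    "2025-08-12T09:14:00 WS-17 document.clientsetup.msi",
    "2025-09-03T14:02:00 WS-17 adobereaderdc.clientsetup.msi",
    "2025-09-04T08:30:00 WS-17 LogMeInResolve.exe",
    "2025-10-31T11:05:00 WS-22 GoToResolve-setup.msi",
    "2025-10-31T11:20:00 WS-22 ScreenConnect.ClientSetup.msi",
    "2025-10-31T11:25:00 WS-22 HideMouse.exe",
    "2025-10-31T11:26:00 WS-22 WebBrowserPassView.exe",
    "2025-11-04T16:40:00 WS-22 Naverisk_Agent.msi",
    "2025-11-10T10:00:00 WS-40 ScreenConnect.ClientSetup.msi",  # lone sanctioned install
]

def classify(name):
    # Return the RMM product a file name points to, or None for non-RMM binaries.
    return next((p for p, pat in RMM_PATTERNS.items() if pat.search(name)), None)

def find_staged_rmm(lines):
    # Return {host: [findings]} for hosts that show the staged multi-RMM pattern.
    per_host = defaultdict(list)
    for line in lines:
        ts, host, name = line.split(maxsplit=2)
        per_host[host].append((datetime.fromisoformat(ts), name))
    report = {}
    for host, events in per_host.items():
        events.sort()  # chronological, so the first/last RMM event bound the span
        rmm = [(t, classify(n), n) for t, n in events if classify(n)]
        products = sorted({p for _, p, _ in rmm})
        findings = []
        if len(products) >= 2:  # several RMM products on one host, possibly weeks apart
            span = (rmm[-1][0] - rmm[0][0]).days
            findings.append(f"{len(products)} RMM products over {span} day(s): {products}")
        if len(rmm) > len(products):
            findings.append("same RMM product installed more than once")
        if decoys := [n for _, p, n in rmm if p == "ScreenConnect" and "screenconnect" not in n.lower()]:
            findings.append(f"ScreenConnect installer under a decoy name: {decoys}")
        if support := [n for _, n in events if SUPPORT_TOOLS.search(n)]:
            findings.append(f"evasion/credential tooling: {support}")
        if findings:
            report[host] = findings
    return report
```

Running `find_staged_rmm(SAMPLE_EVENTS)` flags WS-17 and WS-22 and stays silent on the single sanctioned install on WS-40; in production the event source would be MSI installer logs or process-creation telemetry rather than the constructed list.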
The report warns:
“Given that the attackers are prioritizing persistent access and credential theft, the most likely explanation is that they are selling access to victims to other threat actors for further compromise, such as ransomware deployment.”
This aligns with the growing ecosystem of initial access brokers (IABs) who provide footholds inside corporate networks to ransomware gangs and other cybercriminals.