Download page of a disguised utility | Image: ASEC
Researchers from the AhnLab Security Intelligence Center (ASEC) have uncovered a new malware campaign exploiting Remote Monitoring and Management (RMM) tools — namely LogMeIn Resolve (GoTo Resolve) and PDQ Connect — to install a Delphi-based backdoor known as PatoRAT.
According to AhnLab, the attacks disguise malware as legitimate software downloads, tricking users into installing remote management tools preconfigured to connect to attacker-controlled infrastructure.
Once installed, these tools give the operator a remote console on the victim host, which the attackers use to run PowerShell commands and deploy the PatoRAT backdoor, leaving the machine under their full control.
ASEC’s investigation revealed that the malicious LogMeIn installers were distributed under fake filenames mimicking popular utilities, including notepad++.exe, 7-zip.exe, winrar.exe, Microsoft.exe, and even chatgpt.exe.
“The user seems to have accessed the website through an unknown path and installed LogMeIn Resolve from the following download page,” the report explained. “These websites disguise themselves as the download page of free utilities such as Notepad++ and 7-Zip, but actually download the threat actor’s LogMeIn Resolve.”
LogMeIn Resolve and PDQ Connect are legitimate enterprise tools widely used for remote system administration and patch management. Because they are signed by their vendors and routinely allowlisted in corporate environments, their agents and outbound traffic are unlikely to be blocked by firewalls or flagged by antivirus; the only thing the attacker changes is the configuration that decides which console the agent reports to.
ASEC notes that the threat actors embedded their own account identifier, the CompanyId, in the LogMeIn Resolve installation packages, so that an agent installed by a victim enrolls with the attacker's console rather than with a legitimate administrator's.
“For LogMeIn Resolve, the internal configuration file contains the information of the administrator or threat actor,” the report said. “In the attack campaigns identified in Korea, three different ‘CompanyId’ values were used.”
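Hunting for this pattern comes down to three checks on any RMM binary seen on an endpoint: does its file name mimic a free utility, does its embedded CompanyId belong to the organisation, and did it arrive through a user download rather than a deployment share. The following is an added example, not ASEC's code or a vendor tool; the record format, the signer strings used to recognise the two products, and the CompanyId values are assumptions, and it expects the CompanyId to have been extracted from the installer's configuration already by whatever tooling you use.

```python
"""Triage of RMM installers along the lines ASEC describes: a LogMeIn Resolve
or PDQ Connect binary renamed to look like a free utility, or one whose embedded
CompanyId belongs to nobody in the organisation. Added example, not ASEC's code;
the record format and signer strings are assumptions."""

from dataclasses import dataclass, field
from typing import List, Optional

# Lookalike file names named in the ASEC report (compared case-insensitively).
LOOKALIKE_NAMES = {"notepad++.exe", "7-zip.exe", "winrar.exe", "microsoft.exe", "chatgpt.exe"}

# Assumed substrings of the Authenticode signer name for each product. Verify the
# real subject names in your own telemetry before relying on these.
RMM_SIGNER_HINTS = {
    "LogMeIn Resolve": ("goto", "logmein"),
    "PDQ Connect": ("pdq",),
}

@dataclass
class InstallerRecord:
    path: str
    signer: str                       # signer name, e.g. from Get-AuthenticodeSignature or your EDR
    company_id: Optional[str] = None  # CompanyId already extracted from the embedded config, if any

@dataclass
class Finding:
    path: str
    product: str
    reasons: List[str] = field(default_factory=list)

def identify_rmm(signer: str) -> Optional[str]:
    """Map a signer string to one of the two RMM products, or None."""
    s = signer.lower()
    for product, hints in RMM_SIGNER_HINTS.items():
        if any(h in s for h in hints):
            return product
    return None

def triage(records: List[InstallerRecord], allowed_company_ids: set) -> List[Finding]:
    """Return one Finding per RMM binary that trips at least one heuristic."""
    findings = []
    for rec in records:
        product = identify_rmm(rec.signer)
        if product is None:
            continue  # not an RMM binary; out of scope for this rule
        norm = rec.path.replace("\\", "/").lower()
        name = norm.rsplit("/", 1)[-1]
        reasons = []
        if name in LOOKALIKE_NAMES:
            reasons.append(f"{product} binary named like a free utility: {name}")
        if rec.company_id is not None and rec.company_id not in allowed_company_ids:
            reasons.append(f"CompanyId {rec.company_id} is not one the organisation owns")
        if "/downloads/" in norm:
            reasons.append("RMM binary in a user download folder rather than a deployment share")
        if reasons:
            findings.append(Finding(rec.path, product, reasons))
    return findings

# Constructed sample telemetry (not from the report); signer strings and CompanyIds are invented.
ALLOWED_COMPANY_IDS = {"ORG-0001"}
SAMPLE_RECORDS = [
    InstallerRecord(r"C:\Users\alice\Downloads\notepad++.exe", "GoTo Technologies USA, Inc.", "ATT-7731"),
    InstallerRecord(r"C:\Users\alice\Downloads\notepad++.exe", "Notepad++", None),  # the real editor
    InstallerRecord(r"C:\Deploy\GoToResolve.exe", "GoTo Technologies USA, Inc.", "ORG-0001"),
    InstallerRecord(r"C:\Deploy\pdq-connect-agent.exe", "PDQ.com Corporation", None),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, ALLOWED_COMPANY_IDS):
        print(f.path, f.product, f.reasons, sep=" | ")
```

Only the first sample record is flagged, on all three counts; the genuine Notepad++ installer with the same file name is ignored because it is not signed by an RMM vendor, and the two binaries under C:\Deploy pass because their CompanyId is allowlisted or absent. Keeping the decision on signer plus name, rather than name alone, is what avoids alerting on every real Notepad++ download.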
Once deployed, the attackers used these RMM tools to execute PowerShell commands that installed PatoRAT, the final-stage malware payload.
The PatoRAT malware — named after its internal identifier strings such as “patolino” — is a Delphi-compiled remote access Trojan (RAT) with wide-ranging espionage and control capabilities.
“The ultimate malware installed by the threat actor using LogMeIn Resolve and PDQ Connect is PatoRAT,” ASEC explained. “Developed in Delphi, PatoRAT is a backdoor that supports features such as remote control and information theft. Internal strings such as debug logs are written in Portuguese.”
The malware’s configuration is XOR-encrypted and contains key operational data, including its clientTag, mutex name, and a list of command-and-control (C&C) servers.
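A field name that is known to be present in the plaintext, such as clientTag, is enough to recover a short repeating XOR key from an encrypted config blob without having the key. The block below is an added example, not ASEC's tooling or PatoRAT's actual format: the report gives neither the key, its length, nor the layout of the config, so the sample blob is a constructed JSON object holding the three fields named above, XORed with an invented 7-byte key. The recovery is generic and works for any repeating key no longer than the crib.

```python
"""Known-plaintext recovery of a repeating-key XOR configuration.

Added example; PatoRAT's real key, key length and config layout are not
given in the report. The sample blob below is constructed: a JSON object
with the three fields ASEC names (clientTag, mutex, C&C list), XORed with
a made-up 7-byte key."""

import json
from itertools import cycle
from typing import Optional, Tuple

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; self-inverse, so it both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def _printable(b: bytes) -> bool:
    return all(0x20 <= c < 0x7F for c in b)

def recover_key(blob: bytes, crib: bytes, max_keylen: int = 16) -> Optional[Tuple[bytes, int]]:
    """Slide the crib across the blob. At each offset, blob ^ crib yields the
    key stream under the crib; for every key length the crib can cover, check
    that the stream is periodic with that length, rebuild the aligned key and
    accept it if the whole blob decrypts to printable text containing the crib.
    Returns (key, offset_of_crib) or None."""
    n = len(crib)
    for off in range(len(blob) - n + 1):
        stream = xor_bytes(blob[off:off + n], crib)
        for klen in range(1, min(max_keylen, n) + 1):
            if any(stream[i] != stream[i + klen] for i in range(n - klen)):
                continue
            # stream[i] is key[(off + i) % klen]; invert that mapping.
            key = bytes(stream[(j - off) % klen] for j in range(klen))
            plain = xor_bytes(blob, key)
            if _printable(plain) and crib in plain:
                return key, off
    return None

def extract_config(blob: bytes, crib: bytes = b"clientTag") -> Optional[dict]:
    """Decrypt and parse the config, returning the fields an analyst wants
    (tag, mutex, C&C list) or None if no key fits."""
    hit = recover_key(blob, crib)
    if hit is None:
        return None
    key, _ = hit
    cfg = json.loads(xor_bytes(blob, key).decode("ascii"))
    return {"key": key.hex(), "clientTag": cfg.get("clientTag"),
            "mutex": cfg.get("mutex"), "c2": cfg.get("c2", [])}

# Constructed sample (not a real PatoRAT config): documentation-range IP,
# a reserved .invalid hostname and an invented key.
SAMPLE_KEY = bytes.fromhex("5a13772c9e4108")
SAMPLE_PLAIN = json.dumps({
    "mutex": "Global\\pt_8f2",
    "clientTag": "cmp-01",
    "c2": ["203.0.113.10:4443", "c2.example.invalid:8080"],
}).encode("ascii")
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print(extract_config(SAMPLE_BLOB))
```

The periodicity check is what keeps the search honest: a 9-byte crib can only pin down keys of up to 9 bytes, and a wrong offset almost never produces a stream that repeats with a short period and also decrypts the rest of the blob to printable text. If the real config is binary rather than text, replace the printable test with a structural one (a valid length prefix, a known magic value, a parseable field list).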
Upon execution, PatoRAT transmits detailed system information to its C&C servers, including:
- Computer name and user name
- Operating system version
- Memory usage and screen resolution
- Active window titles
- Execution privileges
ASEC's analysis shows that the malware supports a comprehensive command set: remote mouse and keyboard control, PowerShell execution, screen capture and hidden remote desktop (HVNC), keylogging, file upload and download, and theft of web browser credentials.
“Afterward, the following commands can be supported according to the C&C server’s instructions,” the researchers said, listing capabilities such as mouse control, PowerShell execution, remote desktop (HVNC), keylogging, and browser credential theft.
ASEC has not attributed the campaign to a known threat group. The Portuguese-language debug strings and the Delphi codebase are, however, consistent with Brazilian and wider Latin American cybercrime, which has a long record of building custom Delphi RATs and banking trojans; that is a lead, not an attribution.