LogMeIn Resolve is installed | Image: Sophos
Cybercriminals are increasingly trading custom-built malware for legitimate software to slip past corporate defenses. A new investigation by Sophos’ Managed Detection and Response (MDR) team has detailed a widespread phishing campaign, tracked as STAC6405, that tricks users into installing remote management tools to grant attackers “unattended access” to their systems.
The campaign, which has been active since at least April 2025, primarily targets organizations in the United States. Attackers use highly polished social engineering tactics, often masquerading as trusted contacts or popular event platforms.
- Compromised Accounts: Some emails are sent from hacked third-party accounts belonging to “known and trusted senders”.
- The “Punchbowl” Tactic: Many messages mimic Punchbowl event invitations with subject lines like “SPECIAL INVITATION” or prompts to bid for business tenders.
- Brand Mimicry: Distribution sites frequently shift their appearance, moving from Microsoft Teams themes to Norton branding to appear legitimate to different users.
Instead of traditional viruses, the primary payload is LogMeIn Resolve (formerly GoToResolve) or ScreenConnect. These are legitimate Remote Monitoring and Management (RMM) tools used by IT departments worldwide. When a victim clicks the link and runs the installer, they aren’t RSVPing to a party—they are handing over the keys to their computer.
As Sophos researchers noted:
“These distribution sites hosted legitimate LogMeIn Resolve binaries, preconfigured to register the targeted device to an attacker-owned account”.
Once the tool is installed and enrolled, the attacker has "unattended remote access": the agent runs as a background service, so the device can be controlled at any time, whether or not the user is logged in, and without any prompt on the victim's side.
In many intrusions the attackers went no further than establishing access, but Sophos observed more aggressive follow-on activity in several cases. In one, the attackers used the HeartCrypt packer to deploy a "HideMouse.exe" utility, which sets a transparent cursor so that the attacker's mouse movements are invisible to anyone watching the screen while they browse the victim's files.
The secondary stage of these attacks often involves:
- Information Theft: Harvesting browser credentials, session artifacts, and cryptocurrency wallet data.
- System Reconnaissance: Using WMI queries to find installed security products or imaging devices.
- Living off the Land: Injecting malicious code into csc.exe, the .NET C# compiler that ships with Windows, so that the payload runs under the name of a signed Microsoft binary and draws less scrutiny from defenders.
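The reconnaissance step above is easy to reproduce locally. The following PowerShell is an added example, not code from the Sophos report or from the campaign: it runs the two kinds of CIM/WMI query the article describes (registered security products and attached imaging devices) so a defender can see exactly what the attacker learns. It assumes a Windows client SKU; the root/SecurityCenter2 namespace is not present on Windows Server, and the 'Camera' PnP class only appears on newer builds.

```powershell
# Added example (not from the Sophos report): the CIM/WMI reconnaissance the
# article describes, run locally. Assumes a Windows 10/11 workstation;
# root/SecurityCenter2 does not exist on server SKUs.

function Get-InstalledSecurityProducts {
    # Windows Security Center registers AV, firewall and antispyware products here.
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Kind         = $class
                    Name         = $_.displayName
                    # productState is a bit field encoding enabled / signatures-current flags
                    ProductState = ('0x{0:X6}' -f [int]$_.productState)
                    Path         = $_.pathToSignedProductExe
                }
            }
    }
}

function Get-ImagingDevices {
    # Scanners enumerate under the 'Image' PnP class; webcams under 'Image' or 'Camera'.
    Get-CimInstance -ClassName Win32_PnPEntity -Filter "PNPClass='Image' OR PNPClass='Camera'" |
        Select-Object Name, Manufacturer, Status, DeviceID
}

Get-InstalledSecurityProducts | Format-Table -AutoSize
Get-ImagingDevices           | Format-Table -AutoSize
```

The queries themselves leave little trace, so the practical detection opportunity is the process that issues them: command-line logging (Sysmon event ID 1 or Security 4688 with command-line auditing enabled) will show wmic.exe or powershell.exe referencing SecurityCenter2 or AntiVirusProduct, which is an unusual thing for a user's session to do shortly after an RMM agent appears.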
The STAC6405 campaign reflects a broader shift in the threat landscape. According to the 2026 Sophos Active Adversary Report, nearly 67% of all incidents investigated last year were rooted in identity-related attacks, such as phishing and credential abuse.
“This campaign reflects a growing trend in phishing operations: abuse of trusted third-party relationships and infrastructure to establish initial access, and abusing legitimate tools rather than deploying malware,” the report concludes.
To protect your organization, experts recommend implementing phishing-resistant multi-factor authentication (MFA) and closely monitoring for unauthorized RMM software—especially if it arrives via a “special invitation”.
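Monitoring for unauthorized RMM software is the check most readers will want to run today. The PowerShell below is an added example, not code from Sophos or from the article: it inventories installed programs, services and running processes for the RMM products the article names and reports anything not on an allow-list. The name patterns in $Patterns are assumptions based on the products mentioned (LogMeIn Resolve, its former GoTo name, and ScreenConnect); add the tools your own IT team really uses to $Patterns and, if they are sanctioned, to $Approved.

```powershell
# Added example (not from the Sophos report): hunt for RMM agents that were
# never approved. Name patterns are assumptions drawn from the products the
# article names; adjust $Patterns and $Approved for your environment.

$Patterns = 'ScreenConnect', 'ConnectWise Control', 'LogMeIn', 'GoTo Resolve', 'GoToResolve', 'GoToAssist'
$Approved = @()   # e.g. 'ScreenConnect' if that is the tool your helpdesk actually uses

$regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-UnapprovedRmm {
    $hits = @()

    # 1. Installed programs: 64-bit, 32-bit (WOW6432Node) and per-user uninstall hives.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $regex } |
        ForEach-Object {
            $hits += [pscustomobject]@{ Source = 'Installed'; Name = $_.DisplayName
                                        Detail = $_.InstallDate; Path = $_.InstallLocation }
        }

    # 2. Services: RMM agents run as services so they survive logoff, which is what
    #    makes the access "unattended".
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -match $regex -or $_.DisplayName -match $regex -or $_.PathName -match $regex } |
        ForEach-Object {
            $hits += [pscustomobject]@{ Source = 'Service'; Name = $_.DisplayName
                                        Detail = "$($_.State)/$($_.StartMode)"; Path = $_.PathName }
        }

    # 3. Running processes, including a per-user install that never registered a service.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -match $regex -or $_.ExecutablePath -match $regex -or $_.CommandLine -match $regex } |
        ForEach-Object {
            $hits += [pscustomobject]@{ Source = 'Process'; Name = $_.Name
                                        Detail = "PID $($_.ProcessId)"; Path = $_.CommandLine }
        }

    # Drop anything on the allow-list; with an empty allow-list every hit is reported.
    if ($Approved.Count -gt 0) {
        $approvedRegex = ($Approved | ForEach-Object { [regex]::Escape($_) }) -join '|'
        $hits = $hits | Where-Object { $_.Name -notmatch $approvedRegex -and $_.Path -notmatch $approvedRegex }
    }
    $hits
}

Find-UnapprovedRmm | Format-Table -AutoSize
```

Run it under an elevated prompt so the HKLM hives and all processes are visible, and push it out through your existing management channel rather than relying on users. For continuous coverage rather than a point-in-time sweep, alert on new service installations (System log event 7045, or Security 4697 where that auditing is enabled) whose path or display name matches the same patterns: a freshly installed RMM service on a workstation that never had one is the moment the "special invitation" turned into access.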