Threat Actors Turn RMM Tools into Backdoor Gateways

Amber | Attack Report
Threat Actors Turn RMM Tools into Backdoor Gateways – Critical Security Advisory

Summary

Remote Monitoring and Management (RMM) tools LogMeIn Resolve and PDQ Connect are being weaponized by threat actors to deploy PatoRAT malware through sophisticated supply chain attacks targeting organizations in Korea. This November 2025 threat campaign exploits legitimate RMM software capabilities, transforming trusted IT management tools into backdoor gateways for cybercriminals. Attackers distribute trojanized versions of popular utilities like Notepad++ and 7-Zip through fake download sites, secretly installing manipulated RMM tools that provide persistent remote access. The PatoRAT backdoor enables complete system compromise, including data theft, command execution, and credential harvesting. Organizations must immediately verify their RMM tool installations and enhance endpoint security to detect these living-off-the-land attacks.

Attack Details

RMM Tool Exploitation Campaign Overview

Recent cyberattacks have increasingly weaponized Remote Monitoring and Management tools, specifically LogMeIn Resolve (GoTo Resolve) and PDQ Connect. Threat actors distribute malware through fake websites that mimic legitimate software download pages; unsuspecting users download trojanized versions of utilities such as Notepad++ or 7-Zip that are bundled with RMM installers pre-configured for the attackers. The attackers rebrand LogMeIn under multiple misleading names to evade detection while maintaining backdoor access.

LogMeIn Resolve Compromise Methodology

LogMeIn Resolve, a widely trusted RMM platform for remote support and endpoint monitoring, is an effective attack vector precisely because its remote-control capabilities are legitimate and therefore pass traditional security controls. Security researchers discovered internal configuration files exposing three unique “CompanyId” values linked to the attackers, indicating coordinated misuse across multiple campaigns. Once the trojanized LogMeIn instance is installed, it automatically registers with LogMeIn’s infrastructure under the attackers’ account, giving them remote access to execute PowerShell commands and deploy PatoRAT malware without triggering security alerts.

PDQ Connect and PatoRAT Deployment

Both PDQ Connect and LogMeIn Resolve serve as delivery mechanisms for PatoRAT, a Delphi-based backdoor that enables remote control and data exfiltration. PDQ Connect’s extensive device management features, including software deployment and remote administration, allow attackers to execute arbitrary commands silently. PatoRAT contains Portuguese-language log messages and stores its configuration in blocks XOR-encoded with the single-byte key 0xAA; decoding them reveals command-and-control addresses, mutex values, and operational flags.
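The single-byte XOR described above is trivial to reverse, which is exactly what an analyst does when triaging a sample. The following is an added example (not code from the advisory or from AhnLab): it decodes a constructed config block, pulls out host-like strings as C2 candidates, and also brute-forces the key so the same routine works if a later build moves away from 0xAA. The NUL-separated field layout and the mutex/flag values are assumptions; the 0xAA key and the domain come from the advisory.

```python
import re

XOR_KEY = 0xAA  # single-byte key the advisory reports for PatoRAT config blocks


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Undo a single-byte XOR; the same call also encodes, since XOR is its own inverse."""
    return bytes(b ^ key for b in blob)


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Return printable-ASCII runs of at least min_len bytes (strings-style triage)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# host[:port] shape used to pick C2 candidates out of the decoded strings
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d{1,5})?$", re.IGNORECASE)


def find_c2_candidates(blob: bytes, key: int = XOR_KEY) -> list[str]:
    """Decode a config block and keep only strings that look like host[:port]."""
    return [s for s in extract_strings(xor_decode(blob, key)) if HOST_RE.match(s)]


def guess_single_byte_key(blob: bytes) -> int:
    """Brute-force all 256 keys; the right one yields the most printable or NUL bytes.
    Covers the case where a new sample changes the key away from 0xAA."""
    def score(k: int) -> int:
        return sum(1 for b in xor_decode(blob, k) if b == 0 or 0x20 <= b <= 0x7E)
    return max(range(256), key=score)


# Constructed sample config: NUL-separated fields (C2 host, mutex, flags). The layout,
# mutex and flags are assumptions for the demo; the key and domain are from the advisory.
PLAIN_CONFIG = b"patolino.theworkpc.com:443\x00PatoMutex_01\x00flags=1;0;1\x00"
ENCODED_CONFIG = xor_decode(PLAIN_CONFIG)  # encoding == decoding for XOR


if __name__ == "__main__":
    print("guessed key: 0x%02X" % guess_single_byte_key(ENCODED_CONFIG))
    print("C2 candidates:", find_c2_candidates(ENCODED_CONFIG))
    print("all strings:", extract_strings(xor_decode(ENCODED_CONFIG)))
```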

PatoRAT Backdoor Capabilities

PatoRAT establishes persistent backdoor access: it first sends basic system information to its command-and-control server and then waits for instructions. The trojan lets attackers execute commands, exfiltrate sensitive data, deploy additional payloads, capture keystrokes, steal browser credentials, and maintain long-term persistence. Its simple encoding of configuration data and its reliance on legitimate RMM platforms make detection extremely challenging for traditional antivirus solutions.

Recommendations

Essential Security Measures

Download Software Only From Official Sources: Verify all software downloads come from official vendor websites or trusted app stores. Avoid downloading applications from pop-ups, advertisements, or unfamiliar sites even if they appear legitimate. Double-check URLs and digital certificates before installation.

Verify Installation Packages: Before running any installer, examine file names, version numbers, and digital certificates carefully. Suspicious indicators include unexpected names, missing signatures, or unusual file properties that don’t match official releases.

Exercise Caution With Free Utility Downloads: Attackers frequently disguise malware as popular free tools including Notepad++, 7-Zip, and other utilities. Always download these applications directly from their official websites rather than third-party sources.

Maintain Updated Security Systems: Regular updates patch security vulnerabilities and provide antivirus solutions with the latest threat definitions. Enable automatic updates wherever possible to ensure continuous protection against emerging threats.

Deploy Advanced Endpoint Protection: Implement next-generation antivirus (NGAV) and endpoint detection & response (EDR) solutions to identify suspicious RMM tool behavior. Leverage behavioral analysis and machine learning-based detection to spot malicious activity patterns.
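Because the attackers rename LogMeIn installs, an installation audit has to key on the publisher or signer rather than the display name. The following is an added example (not code from the advisory or from either vendor) that runs such an audit over a constructed software inventory of the kind exported from the Windows Uninstall registry keys; the publisher markers, the approved-product allowlist and the path prefixes are assumptions an organization would replace with its own.

```python
from dataclasses import dataclass

# Publisher/signer substrings for the RMM products the advisory names (assumed markers).
RMM_PUBLISHER_MARKERS = ("logmein", "goto", "pdq")

# RMM products the organization has sanctioned; assumed allowlist for this example.
APPROVED_RMM = {"PDQ Connect"}

# Prefixes where a per-user or unmanaged drop would land; assumed for this example.
UNMANAGED_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class InstalledApp:
    display_name: str     # Uninstall-key DisplayName
    publisher: str        # Uninstall-key Publisher or Authenticode signer
    install_location: str


def is_rmm_publisher(app: InstalledApp) -> bool:
    pub = app.publisher.lower()
    return any(marker in pub for marker in RMM_PUBLISHER_MARKERS)


def audit_rmm(inventory: list[InstalledApp]) -> dict[str, list[str]]:
    """Flag RMM agents that are unapproved, rebranded, or installed in user-writable paths.
    Keying on the publisher rather than the display name catches renamed LogMeIn installs."""
    findings: dict[str, list[str]] = {}
    for app in inventory:
        if not is_rmm_publisher(app):
            continue
        reasons = []
        if app.display_name not in APPROVED_RMM:
            reasons.append("RMM product not on the approved list")
        if not any(m in app.display_name.lower() for m in RMM_PUBLISHER_MARKERS):
            reasons.append("display name does not reveal the RMM publisher (rebrand)")
        if app.install_location.lower().startswith(UNMANAGED_PREFIXES):
            reasons.append("installed under a user-writable path")
        if reasons:
            findings[app.display_name] = reasons
    return findings


# Constructed inventory; every publisher string and path below is made up for the demo.
SAMPLE_INVENTORY = [
    InstalledApp("PDQ Connect", "PDQ.com", "C:\\Program Files\\PDQ\\PDQConnectAgent"),
    InstalledApp("Notepad++ (64-bit x64)", "Notepad++ Team", "C:\\Program Files\\Notepad++"),
    InstalledApp("Notepad++ Update Service", "GoTo Technologies (LogMeIn)",
                 "C:\\Users\\user\\AppData\\Local\\NppUpdate"),
    InstalledApp("LogMeIn Resolve", "GoTo Technologies (LogMeIn)", "C:\\Program Files\\GoTo\\Resolve"),
]
```

Run `audit_rmm(SAMPLE_INVENTORY)`: the renamed per-user agent is flagged on all three counts, the genuine but unsanctioned LogMeIn Resolve only on the allowlist, and the approved PDQ Connect not at all.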

Indicators of Compromise (IOCs)

Malicious File Hashes

MD5 Hashes:

SHA256 Hashes:

Malicious URLs and Domains

Command-and-Control Domains:

  • lastdance[.]mysynology[.]net
  • masterpanel[.]webredirect[.]org
  • patolino[.]theworkpc[.]com
  • secondfloor[.]dynuddns[.]com

Malicious Download URLs (defanged):

  • hxxps[:]//bithumb-19-10[.]netlify[.]app
  • hxxps[:]//chatg31-10[.]netlify[.]app/chatgpt[.]exe
  • hxxps[:]//chatgpt-30-10[.]netlify[.]app/ChatGpt[.]exe

MITRE ATT&CK TTPs

Tactics and Techniques Observed

Execution (TA0002):

  • T1059: Command and Scripting Interpreter
  • T1059.001: PowerShell
  • T1204: User Execution

Defense Evasion (TA0005):

  • T1036: Masquerading
  • T1027: Obfuscated Files or Information
  • T1140: Deobfuscate/Decode Files or Information

Credential Access (TA0006):

  • T1056: Input Capture
  • T1056.001: Keylogging
  • T1555: Credentials from Password Stores
  • T1555.003: Credentials from Web Browsers

Discovery (TA0007):

  • T1033: System Owner/User Discovery
  • T1082: System Information Discovery
  • T1614: System Location Discovery

Collection (TA0009):

  • T1113: Screen Capture

Command and Control (TA0011):

  • T1219: Remote Access Tools
  • T1041: Exfiltration Over C2 Channel

References

Source Documentation

https://asec.ahnlab.com/en/90968/
