What happened
The fake Notepad++ and 7-Zip distribution campaign used fraudulent websites that mimicked legitimate download pages to trick users into installing remote monitoring and management (RMM) tools. Threat actors drove traffic to these spoofed sites through advertisements or search engine manipulation, presenting pages that closely replicated official software distribution layouts. When users attempted to download Notepad++ or 7-Zip, the sites instead delivered legitimate RMM software such as LogMeIn Resolve and PDQ Connect. Once installed, these tools registered with their vendors' normal infrastructure and provided attackers with remote control capabilities, including remote command execution. ASEC analysts reported an increase in attacks using RMM tools as the initial access mechanism and documented cases where attackers used the installed RMM to execute PowerShell commands and deploy additional malware, including PatoRAT, creating multiple avenues for compromise and data theft.
Who is affected
End users and organizations whose employees download software from unofficial sources are directly affected if RMM tools are installed. Exposure is direct on infected endpoints and indirect if remote access enables attackers to move laterally within enterprise networks.
Why CISOs should care
Using legitimate RMM software for initial access can bypass traditional malware defenses and blend into expected administrative activity, complicating detection and response. The tactic can accelerate hands-on-keyboard intrusion, persistence, and staged malware deployment while leveraging trusted infrastructure.
3 practical actions
- Restrict unauthorized RMM tooling: Block or require explicit approval for LogMeIn Resolve, PDQ Connect, and similar tools via application control and EDR policy.
- Enforce trusted software acquisition: Require installs only from verified vendor channels and implement browser/DNS controls to reduce exposure to spoofed download domains.
- Monitor for suspicious RMM onboarding: Alert on new RMM agent registrations, unusual PowerShell execution via RMM sessions, and unexpected remote control activity on user endpoints.
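Detection logic for the monitoring action above, as an added example that is not part of this advisory: it applies two rules (an RMM agent appearing on a host where RMM is not approved, and PowerShell spawned by an RMM agent, with encoded commands raising severity) to constructed process-creation records. The agent executable names, the approved-host list and the log format are assumptions, not verified vendor binary names or real telemetry.

```python
from dataclasses import dataclass

# Agent process names are placeholders (an assumption, not verified vendor binary
# names); replace them with what your EDR actually records for these products.
RMM_AGENTS = {"logmeinresolve-agent.exe": "LogMeIn Resolve",
              "pdqconnectagent.exe": "PDQ Connect"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
APPROVED_RMM_HOSTS = {"it-jump-01"}  # assumption: hosts where RMM use is sanctioned

# Constructed process-creation records (not real telemetry), one per line.
SAMPLE_LOG = """\
host=it-jump-01|user=helpdesk|parent=C:\\Windows\\explorer.exe|image=C:\\RMM\\pdqconnectagent.exe|cmd=pdqconnectagent.exe
host=ws-finance-07|user=jdoe|parent=C:\\Users\\jdoe\\Downloads\\npp-installer.exe|image=C:\\ProgramData\\RMM\\logmeinresolve-agent.exe|cmd=logmeinresolve-agent.exe
host=ws-finance-07|user=SYSTEM|parent=C:\\ProgramData\\RMM\\logmeinresolve-agent.exe|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmd=powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>
host=ws-finance-07|user=jdoe|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\notepad.exe|cmd=notepad.exe
"""

@dataclass
class Alert:
    host: str
    rule: str
    detail: str

def parse_log(text: str) -> list[dict[str, str]]:
    """Turn pipe-separated key=value records into dicts (values keep their case)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(tok.partition("=")[::2] for tok in line.split("|")))
    return events

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(events: list[dict[str, str]]) -> list[Alert]:
    """Apply the two monitoring rules from the advisory to a stream of events."""
    alerts, seen = [], set()
    for ev in events:
        host, image, parent = ev["host"], basename(ev["image"]), basename(ev["parent"])
        # Rule 1: RMM agent running on a host where RMM is not approved (first sighting only).
        if image in RMM_AGENTS and host not in APPROVED_RMM_HOSTS and (host, image) not in seen:
            seen.add((host, image))
            alerts.append(Alert(host, "unapproved_rmm_agent",
                                f"{RMM_AGENTS[image]} agent started by {parent} as {ev['user']}"))
        # Rule 2: PowerShell launched by an RMM agent; an encoded command raises severity.
        if image in POWERSHELL and parent in RMM_AGENTS:
            encoded = any(flag in ev.get("cmd", "").lower() for flag in ("-enc", "-e "))
            alerts.append(Alert(host, "powershell_via_rmm",
                                f"{'high' if encoded else 'medium'}: {RMM_AGENTS[parent]} spawned {image}"))
    return alerts
```

Run `evaluate(parse_log(SAMPLE_LOG))` to get the two alerts for ws-finance-07; the sanctioned jump host produces none.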
