Your IT Support Tool Is Now a Burglary Kit: How STAC6405 Is Weaponising Legitimate RMM Software

A phishing campaign does not need to deploy malware if it can instead deploy your own IT infrastructure against you. That is the operating principle behind STAC6405, a threat activity cluster documented by Sophos X-Ops that has been quietly compromising organisations since at least April 2025.

The technique is precise and, from a detection standpoint, deeply uncomfortable. Attackers send phishing emails containing a link to a legitimate LogMeIn Resolve installer: the same remote monitoring and management software used by IT teams and managed service providers worldwide. The installer is genuine. What is not genuine is the account it connects to. The binary is pre-configured to register the victim’s device to an account owned and controlled by the attacker. Once the user clicks and runs the file, the attacker has full, unattended remote access to that machine. No malware signature. No exploit. No obvious alert.

Sophos identified over 80 affected organisations, predominantly in the United States, across multiple industry sectors. The earliest evidence dates to April 2025, with the bulk of malicious activity concentrated in October and November of that year. As of the publication of the Sophos report, some of the campaign’s phishing infrastructure remained active.

The Lure and the Delivery Chain

Phishing emails arrived from two distinct source types. Some were sent from compromised third-party email accounts belonging to contacts already known and trusted by the recipient, indicating a downstream compromise of a supplier or partner. Others came from entirely unknown senders. The first category is significantly more dangerous. An invitation arriving from a colleague’s real email address, sent from their actual account, passes most human scepticism tests.

Many of the lures were designed to resemble Punchbowl event invitations, carrying subject lines such as “SPECIAL INVITATION”. Others mimicked tender solicitation notices. The file names reinforced the deception: Invitation.exe, ContractAgreementToSign.exe, SPCL_INVITE_RSVP_2025.exe. Each one named to look like a document, each one an RMM installer.
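The lure pattern above (an invitation- or tender-themed subject, and a link whose file name looks like a document but ends in .exe) can be turned into a simple gateway check. The following is an added example written for this article, not code from the Sophos report; it runs over constructed mail-gateway log lines in an assumed `<timestamp> <sender> "<subject>" <url>` layout, and the lure keywords beyond those quoted in the text are assumptions chosen to match the file names listed.

```python
"""Flag invitation-themed phishing links that point at executables.

Added example for this article, not code from the Sophos report. It scans
constructed mail-gateway log lines of the form

    <timestamp> <sender> "<subject>" <url>

and reports a message when the linked file is an executable, rating it high
when the file name is document-like (the Invitation.exe pattern) or the
subject matches the invitation and tender themes the campaign used.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Lure themes quoted in the article; the remaining words are assumptions
# chosen to match the file names it lists.
LURE_SUBJECT_TERMS = ("special invitation", "tender solicitation", "invitation", "tender")
DOCUMENT_LIKE_WORDS = ("invitation", "invite", "contract", "agreement", "sign", "rsvp", "tender")
EXECUTABLE_EXTENSIONS = (".exe", ".msi")

LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<sender>\S+) "(?P<subject>[^"]*)" (?P<url>\S+)$')


@dataclass(frozen=True)
class Finding:
    timestamp: str
    sender: str
    filename: str
    severity: str        # "high" or "medium"
    reasons: tuple


def assess(subject: str, url: str):
    """Return (filename, severity, reasons); severity is None when nothing is suspicious."""
    filename = urlparse(url).path.rsplit("/", 1)[-1]
    lower = filename.lower()
    if not lower.endswith(EXECUTABLE_EXTENSIONS):
        return filename, None, ()          # only executable downloads are of interest here
    reasons = ["link downloads an executable"]
    stem = lower.rsplit(".", 1)[0]
    if any(word in stem for word in DOCUMENT_LIKE_WORDS):
        reasons.append("executable named to look like a document")
    if any(term in subject.lower() for term in LURE_SUBJECT_TERMS):
        reasons.append("invitation or tender themed subject")
    severity = "high" if len(reasons) > 1 else "medium"
    return filename, severity, tuple(reasons)


def scan_log(text: str):
    """Parse gateway log text and return one Finding per suspicious message."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                       # skip malformed lines rather than fail the scan
        filename, severity, reasons = assess(m["subject"], m["url"])
        if severity:
            findings.append(Finding(m["ts"], m["sender"], filename, severity, reasons))
    return findings


# Constructed sample log; senders, domains and URLs are placeholders.
SAMPLE_LOG = """\
2025-10-14T09:12:03Z events@partner.example "SPECIAL INVITATION" https://teams-lookalike.example/dl/Invitation.exe
2025-10-14T09:40:55Z buyer@supplier.example "Tender solicitation notice" https://av-lookalike.example/get/ContractAgreementToSign.exe
2025-10-14T10:02:17Z hr@corp.example "Team lunch on Friday" https://intranet.corp.example/menu.pdf
2025-10-14T10:30:41Z updates@vendor.example "Monthly newsletter" https://cdn.vendor.example/setup.exe
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.timestamp} {f.sender} -> {f.filename}: {'; '.join(f.reasons)}")
```

Every executable link is reported, because a link to an installer in unsolicited mail is unusual for most SMBs; the severity only rises when the file name or subject also matches the lure themes, which keeps a plain software-update mail from drowning out the genuine invitations.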

The distribution infrastructure rotated over time. The threat actor shifted between themed landing pages including a Microsoft Teams-branded site and a Norton security software-branded site, possibly adjusting delivery based on user location or browser characteristics. This kind of adaptive infrastructure management is a signal of operational maturity. This is not a static campaign running on autopilot.

Once executed, the installer wrote a configuration file to disk with a hard-coded relay domain controlled by the attacker, and registered a Windows service with a unique identifier tied to that specific configuration. The attacker then had unattended remote access to the victim device via the LogMeIn Resolve platform.

What Happened Next: Two Outcomes

In the majority of cases, the attack appeared to stop at the point of RMM installation. The threat actors remained dormant, consistent with initial access broker behaviour: acquiring access and then selling it on criminal marketplaces for others to exploit. The access was the product. The victim organisation became inventory.

In two observed incidents, the attackers moved quickly to a second stage.

Incident one. Less than an hour after the initial LogMeIn installation, the threat actor used a pre-existing ScreenConnect installation on the victim machine to download a ZIP archive packed with the HeartCrypt Packer-as-a-Service tool. The archive contained two files: HideMouse.exe, which replaces the visible mouse cursor with a transparent one to conceal remote on-screen activity from the user, and a second executable assessed as behaviourally similar to ValleyRAT.

The mouse-hiding utility deserves a moment’s attention. An attacker operating remotely on a machine whose owner is present at the desk needs to conceal their activity. Making the cursor invisible achieves exactly that. The victim sees nothing moving. The attacker works unobserved.

Once executed, the infostealer sat idle for four to nine minutes, a deliberate delay designed to bypass automated sandbox analysis and heuristic detection, before injecting code into csc.exe, a legitimate Microsoft binary commonly abused as a living-off-the-land binary. The malware then connected to a command-and-control server and began harvesting browser-stored credentials, session tokens, cryptocurrency wallet data, and system details. An encrypted payload was decrypted at runtime using TripleDES cryptography.

Incident two. Rather than LogMeIn, the downloaded tool was ScreenConnect, pre-configured to connect to an attacker-controlled relay. The binary also started a Java-based remote access payload inside a bundled Java Runtime Environment, and the attacker began enumerating firewall rules before Sophos and the affected organisation successfully contained the breach.

Enumerating firewall rules is a pre-movement behaviour. The attacker was preparing to move laterally across the network. Containment stopped that. Without it, the blast radius would have expanded considerably.

Why This Works and Why Detection Is Hard

The technique’s effectiveness rests on a specific property of legitimate RMM tools: they are designed to look like normal software, because they are normal software. Your endpoint protection does not flag a genuine LogMeIn installer. Your firewall does not block LogMeIn’s relay traffic, because your IT team uses LogMeIn. Your monitoring systems see an RMM connection and, unless you are looking specifically for unrecognised account registrations, they see nothing unusual.

This is the living-off-the-land principle extended to the procurement catalogue. Rather than writing malware that might be detected, the attacker installs software from a vendor you probably already trust, configured to their specification.

For UK SMBs, the supply chain dimension compounds the risk. Some of the phishing emails in this campaign originated from compromised accounts belonging to known contacts. If a supplier or partner organisation has been compromised, the attacker inherits their trusted sender status. An email from your accountant’s genuine address, inviting you to review a tender document, is a highly plausible lure. The social engineering cost is near zero because the trust relationship already exists.

How to Turn This Into a Competitive Advantage

Businesses that can demonstrate audited, controlled use of remote access tooling are increasingly differentiated in procurement and supply chain security assessments. This is a gap most SMBs have not yet closed.

Build an authorised RMM register. Document every remote access tool installed across your estate: which product, which version, which account it connects to, who authorised the installation, and when it was last reviewed. This register serves dual purposes: it is a security control and it is evidence of due diligence you can present to clients and insurers.

Make unauthorised RMM installation a supplier risk question. If you are completing supplier questionnaires or running a third-party risk programme, add a question about remote access tool inventory and application control policy. Suppliers who cannot answer this question clearly are a supply chain risk, as this campaign demonstrates.

Use application control as a differentiator. Organisations that can say they operate an application allowlist, blocking unauthorised software installations including RMM tools, are demonstrably more mature than those that do not. This is now a question on many cyber insurance renewal forms. Getting ahead of it is cheaper than explaining to an underwriter why you did not.

How to Sell This to Your Board

The STAC6405 campaign makes three arguments for the board that are difficult to dismiss.

The threat uses your own tools. This is not a sophisticated zero-day attack requiring specialised exploitation capability. It is your remote desktop software, configured by someone else, installed by your own staff. The defence is not a new technology purchase. It is a policy and an audit. Both have bounded costs.

The initial access broker model means delayed consequences. In most of the 80+ cases Sophos observed, nothing happened immediately after the RMM was installed. The access was sold. The consequences arrived later, from a different threat actor with different objectives. This matters to the board because the window between compromise and detection can be weeks or months, during which the organisation has no visibility of its exposure.

UK GDPR and cyber insurance both have something to say about this. If credentials harvested through an RMM compromise lead to unauthorised access to systems holding personal data, that is a reportable breach. If your cyber insurance policy requires you to maintain an authorised software list and you cannot demonstrate one, a claim may be contested. Both risks are concrete and quantifiable.

What This Means for Your Business

  1. Audit every RMM tool on your network today. Identify every instance of LogMeIn, ScreenConnect, AnyDesk, TeamViewer, and any other remote access product installed across your devices. For each one, verify which account it connects to and confirm that account belongs to your organisation or your authorised IT provider.

  2. Remove RMM tools not in active use. If your business does not use remote access software, uninstall anything present. If you use one specific tool through your MSP, every other RMM product on your estate is an unauthorised installation and should be removed.

  3. Implement an application control policy. Block the installation of software not on an approved list. This is a Cyber Essentials requirement for managed devices. If you are not yet at this level of control, work with your IT provider to get there. Prevent users from installing executables from email links as a minimum.

  4. Train staff on invitation-themed lures specifically. The subject lines “SPECIAL INVITATION” and “tender solicitation” are known indicators for this campaign. Staff should treat any email asking them to download and run a file with scepticism, even when the sender appears to be someone they know. Verify by phone before clicking.

  5. Review your MSP’s RMM security posture. If you use a managed service provider, ask them which remote access tools they use, how they authenticate into your environment, and what controls prevent their own tools being used against you. A reputable provider will have clear answers. Vague responses are a flag.
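The authorised RMM register described earlier and audit steps 1 and 2 above come down to one reconciliation: every remote-access tool found on an endpoint must match a register entry, and must connect to the relay host that entry records. The following is an added example for this article, not the article's or any vendor's code; it assumes an endpoint inventory export with one record per remote-access service (host, product, service name, relay host read from the tool's configuration) and a register of approved products, and both datasets are constructed placeholders.

```python
"""Reconcile remote-access tools found on endpoints with an authorised RMM register.

Added example for this article; it is not the article's or any vendor's code.
It assumes an endpoint inventory export with one record per remote-access
service (host, product, service name, relay host the service connects to) and
a register of approved products with their authorised relay hosts, authoriser
and last review date. Both datasets below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RegisterEntry:
    product: str
    relay_hosts: frozenset   # relay or connection hosts used by the authorised account
    authorised_by: str
    last_reviewed: date


@dataclass(frozen=True)
class InstalledTool:
    host: str
    product: str
    service_name: str
    relay_host: str          # taken from the tool's on-disk configuration


def reconcile(inventory, register):
    """Return (host, product, status, detail) for every installed remote-access tool."""
    by_product = {e.product.lower(): e for e in register}
    results = []
    for tool in inventory:
        entry = by_product.get(tool.product.lower())
        if entry is None:
            status = "unauthorised"
            detail = "product not in the authorised register; remove or authorise"
        elif tool.relay_host.lower() not in {h.lower() for h in entry.relay_hosts}:
            # Same product as the approved one, but registered to someone else's account.
            status = "unauthorised"
            detail = f"connects to unregistered relay {tool.relay_host}; treat as attacker-configured until verified"
        else:
            status = "authorised"
            detail = f"authorised by {entry.authorised_by}"
        results.append((tool.host, tool.product, status, detail))
    return results


def stale_entries(register, as_of_iso, max_age_days=90):
    """Products whose register entry has not been reviewed within max_age_days (an assumed cadence)."""
    cutoff = date.fromisoformat(as_of_iso) - timedelta(days=max_age_days)
    return [e.product for e in register if e.last_reviewed < cutoff]


# Constructed register: the MSP's ScreenConnect is the only approved tool.
REGISTER = [
    RegisterEntry("ScreenConnect", frozenset({"relay.msp.example"}), "IT manager", date(2025, 9, 1)),
]

# Constructed inventory as an endpoint agent might export it; service names are placeholders.
INVENTORY = [
    InstalledTool("WS-01", "ScreenConnect", "svc-placeholder-1", "relay.msp.example"),
    InstalledTool("WS-02", "LogMeIn Resolve", "svc-placeholder-2", "relay.unknown.example"),
    InstalledTool("WS-03", "ScreenConnect", "svc-placeholder-3", "relay.other.example"),
]

if __name__ == "__main__":
    for host, product, status, detail in reconcile(INVENTORY, REGISTER):
        print(f"{host}: {product} [{status}] {detail}")
    print("register entries overdue for review:", stale_entries(REGISTER, "2025-12-15"))
```

The WS-03 case is the one this campaign relies on: the product is the same one your MSP uses, so a check that only asks "is ScreenConnect allowed?" passes it. Comparing the configured relay host against the register is what separates your provider's installation from one registered to an unknown account.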

Sources

  • Sophos X-Ops – Incident responders, s’il vous plait: Invites lead to odd malware events
  • Cyber Security News – Threat Actors Abuse LogMeIn Resolve and ScreenConnect in Multi-Stage Phishing Attacks
  • Red Canary – Phishing campaigns abuse RMM tools for initial access
  • NCSC – Mitigating malware and ransomware attacks
  • NCSC – Application allowlisting (device security guidance)
  • NCSC – Cyber Essentials scheme overview
  • MITRE ATT&CK – T1219: Remote Access Software
  • MITRE ATT&CK – T1566.002: Phishing via Spearphishing Link
  • Sophos – HeartCrypt’s wholesale impersonation effort

Filed under

  • social-engineering
  • remote-access
  • msp-security
  • credential-theft
  • smb-security
  • uk-business
  • vendor-risk