Mallory

Phishing Campaigns Weaponize Legitimate RMM Tools for Remote Access and Credential Theft

Tags: phishing-campaign-intelligence, identity-impersonation-fraud, remote-access-implant, defense-evasion-method, credential-stealer-activity
Updated March 21, 2026 at 02:24 PM (2 sources)

Threat researchers reported multiple phishing-driven intrusions in which attackers impersonate trusted brands and government agencies to trick victims into installing legitimate remote monitoring and management (RMM) software for persistent access. In Operation DoppelBrand, the financially motivated actor tracked as GS7 spoofed Fortune 500 financial and technology brands (including Wells Fargo and USAA) across more than 150 lookalike domains to harvest credentials and exfiltrate stolen data through attacker-controlled Telegram bots. Researchers also identified nearly 200 additional domains sharing the same infrastructure fingerprint: short registration terms, automated SSL/TLS certificate issuance, wildcard DNS, and brand-specific subdomains. Those shared traits are what make the campaign detectable at the infrastructure level, before a lure reaches an inbox.
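The infrastructure traits above (brand string in the registrable label or a subdomain, a registration term of a year or less, wildcard DNS, automated certificate issuance) can be turned into a simple triage score for newly seen domains. The following is an added example written for this page, not code from SOCRadar or any other source it cites. The brand list uses the two brands the page names; the domain records, dates and flags are constructed, and the suffix handling assumes single-label public suffixes such as .com and .top.

```python
from dataclasses import dataclass
from datetime import date

# Brands named in the reporting, mapped to their real apex domains. Everything else
# below (the records, dates and flags) is constructed for this example.
BRANDS = {"wellsfargo": "wellsfargo.com", "usaa": "usaa.com"}
TODAY = date(2026, 1, 20)  # assumed "now" for the constructed records


@dataclass
class DomainRecord:
    fqdn: str
    registered: date
    expires: date
    wildcard_dns: bool    # a random label under the apex still resolves
    automated_tls: bool   # certificate came from an automated issuance pipeline


def split_fqdn(fqdn):
    """Return (registrable label, subdomain labels). Assumes a single-label public
    suffix such as .com or .top; multi-label suffixes (.co.uk) need a suffix list."""
    labels = fqdn.lower().strip(".").split(".")
    return (labels[0], []) if len(labels) < 2 else (labels[-2], labels[:-2])


def levenshtein(a, b):
    """Plain edit distance, used to catch typosquats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legitimate(fqdn):
    f = fqdn.lower().strip(".")
    return any(f == real or f.endswith("." + real) for real in BRANDS.values())


def score(rec, today):
    """Count the infrastructure traits from the reporting that this record exhibits."""
    if is_legitimate(rec.fqdn):
        return 0, []
    label, subs = split_fqdn(rec.fqdn)
    flat = label.replace("-", "")
    reasons = []
    for brand in BRANDS:
        # tolerate roughly one typo per five characters of brand name, minimum one
        if brand in flat or levenshtein(flat, brand) <= max(1, len(brand) // 5):
            reasons.append(f"registrable label resembles '{brand}'")
            break
    for brand in BRANDS:
        if any(brand in s.replace("-", "") for s in subs):
            reasons.append(f"brand-specific subdomain for '{brand}'")
            break
    if (rec.expires - rec.registered).days <= 366:
        reasons.append("registration term of one year or less")
    if (today - rec.registered).days <= 30:
        reasons.append("registered within the last 30 days")
    if rec.wildcard_dns:
        reasons.append("wildcard DNS")
    if rec.automated_tls:
        reasons.append("automated TLS issuance")
    return len(reasons), reasons


def triage(records, today):
    """Return (fqdn, score, reasons) tuples sorted worst-first."""
    ranked = [(r.fqdn, *score(r, today)) for r in records]
    return sorted(ranked, key=lambda t: -t[1])


SAMPLE = [  # constructed records, not observed infrastructure
    DomainRecord("wellsfargo-secure-login.com", date(2026, 1, 5), date(2027, 1, 5), True, True),
    DomainRecord("usaa.account-verify.top", date(2025, 12, 10), date(2026, 12, 10), True, False),
    DomainRecord("login.wellsfargo.com", date(2000, 1, 1), date(2030, 1, 1), False, False),
]

if __name__ == "__main__":
    for fqdn, s, why in triage(SAMPLE, TODAY):
        print(f"{s}  {fqdn}  {', '.join(why)}")
```

Feed it registrar and passive-DNS data for domains first seen in the last few days and review anything scoring three or more. The edit-distance rule is deliberately loose for short brand names (a four-letter brand still tolerates one typo), so expect some noise there and tune the threshold per brand rather than globally.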

Separately, Forcepoint X-Labs described a wave of emails impersonating the U.S. Social Security Administration that carry an attached .cmd script. The script weakens Windows defenses and then silently installs ConnectWise ScreenConnect: it checks for and, where needed, elevates privileges, disables Windows SmartScreen through registry changes, strips the Mark-of-the-Web from the dropped files, and uses NTFS Alternate Data Streams (ADS) to stage content out of sight before installing an MSI and pointing the ScreenConnect client (via its System.config) at an attacker-controlled server (reported as dof-connecttop on port 8041). Both activity sets show the same tradecraft: brand impersonation, scripted defense evasion, and abuse of legitimate RMM tooling (LogMeIn Resolve in DoppelBrand, ScreenConnect in the SSA campaign) to obtain remote control for follow-on theft or persistence. Because the RMM client itself is a signed, legitimate binary, detection has to key on the surrounding behaviour: the SmartScreen and MotW tampering, a quiet msiexec run from a user-writable path, and a relay host or port that does not belong to the organisation's own RMM deployment.
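None of the individual steps in that chain is unambiguous on its own (administrators also run msiexec quietly and occasionally unblock files), but the sequence on one host within a short window is. The following correlation rule is an added example written for this page, not Forcepoint's detection content or the campaign's script. The events are constructed Sysmon-style JSON lines; the field names follow Sysmon (EventID 1 process create, 3 network connect, 13 registry value set, 15 ADS written), while the hostnames, paths, timestamps and IP are made up. The 8041 port and the ScreenConnect client image name are the only values taken from the reporting.

```python
import json
import re
from collections import defaultdict

# Constructed Sysmon-style events (not a real capture). WS01 shows the .cmd chain;
# WS02 is a benign software-distribution install that must not alert.
SAMPLE_EVENTS = r"""
{"host":"WS01","ts":100,"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd /c C:\\Users\\alice\\Downloads\\SSA_Benefit_Statement.cmd","ParentImage":"C:\\Windows\\explorer.exe"}
{"host":"WS01","ts":101,"EventID":13,"Image":"C:\\Windows\\System32\\reg.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled","Details":"Off"}
{"host":"WS01","ts":102,"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -nop -c Unblock-File C:\\Users\\alice\\AppData\\Local\\Temp\\setup.msi"}
{"host":"WS01","ts":103,"EventID":15,"Image":"C:\\Windows\\System32\\cmd.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Local\\Temp\\readme.txt:stage2"}
{"host":"WS01","ts":104,"EventID":1,"Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec /i C:\\Users\\alice\\AppData\\Local\\Temp\\setup.msi /qn /norestart","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"host":"WS01","ts":130,"EventID":3,"Image":"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe","DestinationIp":"203.0.113.10","DestinationPort":8041}
{"host":"WS02","ts":200,"EventID":1,"Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec /i C:\\ProgramData\\Deploy\\ScreenConnect.ClientSetup.msi /qn","ParentImage":"C:\\Windows\\CCM\\CcmExec.exe"}
"""

# Real registry values that turn SmartScreen off (Explorer value "Off", policy DWORD 0).
SMARTSCREEN_KEYS = re.compile(r"\\(SmartScreenEnabled|EnableSmartScreen)$", re.I)
SMARTSCREEN_OFF = {"off", "0", "dword (0x00000000)"}
MOTW_STRIP = re.compile(r"unblock-file|zone\.identifier", re.I)
SILENT_MSI = re.compile(r"msiexec(\.exe)?\b.*\s/i\s.*\s/(qn|quiet)\b", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
RMM_CLIENT = re.compile(r"screenconnect", re.I)
RMM_PORT = 8041  # relay port named in the reporting


def parse_events(text):
    """Parse JSON lines, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ads_stream(path):
    """Return the stream name of an NTFS path such as 'file.txt:stage2', else ''."""
    name = path.rsplit("\\", 1)[-1]
    return name.split(":", 1)[1] if ":" in name else ""


def classify(e):
    """Map one event to a stage of the chain, or None if it is not interesting."""
    eid, cmd = e.get("EventID"), e.get("CommandLine", "")
    if eid == 13 and SMARTSCREEN_KEYS.search(e.get("TargetObject", "")) \
            and str(e.get("Details", "")).lower() in SMARTSCREEN_OFF:
        return "smartscreen_disabled"
    if eid == 1 and MOTW_STRIP.search(cmd):
        return "motw_removed"
    if eid == 15 and ads_stream(e.get("TargetFilename", "")).lower() not in ("", "zone.identifier"):
        return "ads_written"
    if eid == 1 and SILENT_MSI.search(cmd) and USER_WRITABLE.search(cmd):
        return "silent_msi_from_user_path"
    if eid == 3 and e.get("DestinationPort") == RMM_PORT and RMM_CLIENT.search(e.get("Image", "")):
        return "rmm_beacon_8041"
    return None


def correlate(events, window=900):
    """Per host, find the largest set of distinct stages inside `window` seconds.
    Alert when three or more stages land together and one of them is the RMM
    install or beacon; evasion alone is suspicious but noisy."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        stage = classify(e)
        if stage:
            hits[e["host"]].append((e["ts"], stage))
    report = {}
    for host, seq in hits.items():
        best = set()
        for i, (t0, _) in enumerate(seq):
            stages = {s for t, s in seq[i:] if t - t0 <= window}
            if len(stages) > len(best):
                best = stages
        alert = len(best) >= 3 and bool(best & {"rmm_beacon_8041", "silent_msi_from_user_path"})
        report[host] = {"stages": sorted(best), "alert": alert}
    return report


if __name__ == "__main__":
    print(json.dumps(correlate(parse_events(SAMPLE_EVENTS)), indent=2))
```

WS02's install never becomes a stage because the MSI sits under ProgramData and is launched by the management agent, which is the kind of allow-listing that keeps this rule quiet in an estate that legitimately uses ScreenConnect. Swap the port and image pattern for whatever relay your own RMM deployment uses and treat anything else as foreign.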

Timeline

  1. Feb 18, 2026

    SOCRadar attributes DoppelBrand to threat actor GS7

    SOCRadar attributed Operation DoppelBrand to a financially motivated threat actor tracked as GS7 and assessed the campaign's automated infrastructure, brand impersonation, and RMM abuse as especially dangerous. The findings were published after the campaign's December 2025 to January 2026 activity window.

  2. Feb 17, 2026

    Researchers link ScreenConnect campaign to Iranian network infrastructure

    Analysis of the ScreenConnect campaign found the installed client configured to call back on port 8041 to infrastructure associated with the Aria Shatel Company Ltd network in Iran. Researchers also noted that the dropped client was ScreenConnect version 25.2.4.9229 signed with a certificate that has since been revoked, so a control that trusts any signed binary without checking revocation status would still let it run.

  3. Feb 17, 2026

    Forcepoint observes ScreenConnect phishing campaign using SSA lures

    Forcepoint X-Labs reported a wave of attacks targeting organizations in the UK, US, Canada, and Northern Ireland with phishing emails impersonating the U.S. Social Security Administration. The emails carried malicious .cmd attachments that weakened Windows protections, disabled SmartScreen, removed Mark-of-the-Web protections, and then installed ConnectWise ScreenConnect for persistent remote access.

  4. Jan 31, 2026

    Attackers run DoppelBrand through January with broad phishing infrastructure

    Through January 2026, the DoppelBrand campaign continued to operate more than 150 lookalike domains and delivered LogMeIn Resolve and similar legitimate RMM tools through MSI installers and VBS loaders built for silent installation, privilege escalation, and persistence. Researchers later identified roughly 200 additional related domains sharing the same registration and DNS patterns.

  5. Dec 1, 2025

    Operation DoppelBrand begins spoofing Fortune 500 brands

    A phishing campaign later dubbed Operation DoppelBrand began in December 2025, impersonating major financial, technology, and insurance brands including Wells Fargo and USAA. The operation used lookalike domains to harvest credentials and exfiltrated the stolen data through attacker-controlled Telegram bots.

Related Stories

Phishing Campaigns Abuse Digital Invites and Fake Meeting Pages to Steal Credentials and Deploy RMM Tools

Threat actors are abusing the familiarity of **digital invitation and meeting platforms** to increase phishing success rates. Cofense reported malicious *Punchbowl/Paperless Post*-themed invitations that prompt recipients to “log in to view event details,” then redirect to phishing infrastructure offering branded sign-in options (e.g., **Microsoft, Yahoo, AOL, Google, Dropbox**) to harvest credentials. The phishing flow may solicit multiple credential sets by returning fake login errors and urging users to try alternate accounts; submitted credentials are exfiltrated to attacker-controlled domains, often leveraging newly registered domains to evade reputation-based defenses. Separately, Netskope research (reported by KnowBe4) described **fake video meeting invites** for *Zoom, Microsoft Teams, Google Meet,* and similar services that lead to spoofed “join meeting” pages showing purported coworkers already on the call. Victims are instructed to install a required “update” to join; the payload is a **digitally signed remote monitoring and management (RMM) tool** such as *Datto RMM, LogMeIn,* or *ScreenConnect*, enabling remote access and potential follow-on activity including data theft or deployment of additional malware. The use of legitimate, signed RMM software can blend into normal enterprise traffic and may bypass controls where such tools are pre-approved.

1 month ago
Operation DoppelBrand Phishing Campaign Impersonating Fortune 500 Brands

SOCRadar reported a long-running phishing operation dubbed **Operation DoppelBrand**, attributed to a financially motivated actor tracked as **GS7**, that uses high-fidelity replicas of Fortune 500 and major consumer brands to harvest credentials and enable follow-on access. The activity observed most recently (Dec 2025–Jan 2026) impersonated major financial and technology organizations (including **Wells Fargo, USAA, Navy Federal Credit Union, Fidelity, Microsoft, and Citibank**) and relied on a highly automated domain and infrastructure pipeline, with researchers identifying **hundreds of malicious domains** and **150+ newly identified domains** following consistent patterns. The operation is assessed as monetization-focused, with GS7 linked to trading stolen credentials and access in underground markets and using **Telegram bots** for credential handling/exfiltration; reporting also notes abuse of legitimate remote management tooling to help establish persistence after credential capture. Dark Reading’s coverage of the SOCRadar findings emphasized the campaign’s effectiveness stemming from near-perfect portal impersonation and rapid infrastructure rotation, increasing the likelihood of successful credential theft against both enterprises and their customers. For defenders, the reporting highlights the need to treat this as an ongoing, scalable credential-harvesting and initial-access operation: prioritize monitoring for lookalike domains and brand-abuse infrastructure, strengthen anti-phishing controls around customer/employee authentication flows, and review remote management tool governance to reduce the impact of stolen credentials being converted into durable access.

1 month ago
Spearphishing Campaigns Abuse PDF and Windows Screensaver Files to Install Legitimate RMM Tools

Threat actors have been observed using spearphishing lures and *non-traditional* attachment types—particularly Windows screensaver (`.scr`) executables—to trick users into running code that silently installs legitimate **remote monitoring and management (RMM)** agents (e.g., **SimpleHelp**). ReliaQuest research described business-themed filenames (e.g., `InvoiceDetails.scr`, `ProjectSummary.scr`) delivered via links hosted on legitimate cloud services (e.g., GoFile), with the `.scr` format helping bypass controls that don’t treat screensavers as executables. Once installed, the RMM tooling provides interactive remote access that can enable data theft, lateral movement, and follow-on payload deployment, including ransomware, while blending into normal IT administration traffic. Separately, researchers also reported a spam operation using **fake PDF attachments** that display an error message and redirect victims to a lookalike *Adobe Acrobat* download flow, but instead installs trusted, digitally signed RMM software to establish persistent access. A different phishing campaign used a multi-stage **PDF chain** hosted on reputable infrastructure (e.g., **Vercel Blob**) to redirect victims to a credential-harvesting page and exfiltrate stolen data via a **Telegram bot**, emphasizing how attackers are increasingly abusing high-reputation cloud platforms and document-based lures to evade email and web filtering (including scenarios where the initial email contains no malicious link and can pass SPF/DKIM/DMARC checks).

1 month ago
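The `.scr` and fake-PDF lures in the story above work because controls decide by extension while Windows decides by content: a screensaver is a PE image and runs as one, and a "PDF" that begins with an MZ header is an executable whatever its icon says. The attachment gate below is an added example for this page, not ReliaQuest's or any vendor's code. It classifies attachments by magic bytes first and extension second; the sample files, including the minimal PE header, are constructed, and the extension lists are the author's choice, not a complete policy.

```python
import struct

# Extensions Windows loads as native PE code, whatever the icon suggests.
PE_EXTENSIONS = {"exe", "scr", "com", "pif", "cpl", "dll"}
# Shell-executed script formats; the SSA lure on this page used .cmd.
SCRIPT_EXTENSIONS = {"cmd", "bat", "vbs", "js", "jse", "wsf", "ps1", "hta"}


def is_pe(data):
    """True if data has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_pdf(data):
    return data[:5] == b"%PDF-"


def classify_attachment(filename, data):
    """Decide on content before extension, so a renamed PE is still a PE."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_pe(data):
        if ext in PE_EXTENSIONS:
            return "block: native executable (.%s is run as a PE image)" % ext
        return "block: PE image disguised with a .%s extension" % (ext or "<none>")
    if ext in SCRIPT_EXTENSIONS:
        return "block: script attachment"
    if ext == "pdf" and not is_pdf(data):
        return "quarantine: .pdf without a PDF header"
    return "allow"


# Constructed samples. MINIMAL_PE is just enough header to satisfy is_pe():
# 'MZ', padding to offset 0x3C, e_lfanew = 0x40, then the 'PE\0\0' signature.
MINIMAL_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
SAMPLES = {
    "InvoiceDetails.scr": MINIMAL_PE,        # the .scr lure from the story
    "Statement.pdf": MINIMAL_PE,             # executable wearing a PDF name
    "Q3_Report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "SSA_Notice.cmd": b"@echo off\r\n",      # script attachment from the SSA lure
    "notes.txt": b"hello",
}


def triage_all(samples=SAMPLES):
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{verdict:55} {name}")
```

Run the same check on the first bytes of anything fetched from a link in the message body, since the stories above note the email itself often carries no attachment and passes SPF, DKIM and DMARC cleanly.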
