Phishing Campaign - Odd Malware Installations Observed
In short, a phishing campaign tricked users into installing malware disguised as helpful software.
A phishing campaign has led to the installation of RMM tools across over 80 organizations. This ongoing threat may indicate an access-as-a-service model. Immediate vigilance is required.
The Threat
A recent phishing campaign has targeted multiple organizations, leading to the installation of Remote Monitoring and Management (RMM) tools. This campaign, tracked by Sophos as STAC6405, has raised concerns due to its unusual behavior. The threat actor appears to be experimenting with access methods, potentially indicating an access-as-a-service model. The campaign began in April 2025, with significant activity noted in late 2025, affecting over 80 organizations primarily in the U.S.
The phishing emails often masqueraded as legitimate invitations, such as event invites or tender bids. These emails contained links to malicious binaries hosted on attacker-controlled sites. Notably, some of these sites used Microsoft Teams or Norton themes to make the download look legitimate. Branding the download page after a trusted product lends the lure credibility, which is why organizations need to train users to distrust unexpected installers regardless of how familiar the page looks.
Who's Being Targeted
The campaign has predominantly affected organizations across various sectors, with a significant concentration in the United States. The use of trusted sender email addresses in some phishing attempts indicates a downstream compromise, further complicating detection efforts. The threat actor leveraged known and trusted identities to enhance the effectiveness of their phishing emails, leading to a higher likelihood of user engagement.
As the campaign appears to be ongoing, organizations must be aware of the potential for further attacks. The active phishing links suggest that the threat actor is still attempting to exploit unsuspecting users. This underscores the importance of educating employees about recognizing phishing attempts and maintaining security protocols.
Tactics & Techniques
The threat actor's approach involved using pre-existing installations of RMM tools to facilitate further malicious activities. After gaining initial access through the phishing links, they downloaded additional binaries, including an infostealer and other RMM tools. In one instance, the actor utilized a legitimate RMM tool, ScreenConnect, to deploy further malicious payloads.
The infostealer exhibited sophisticated behavior, including data theft capabilities such as harvesting browser-stored credentials and attempting to extract cryptocurrency wallet data. Additionally, it performed system reconnaissance to identify installed security products, potentially to evade detection. This multi-layered approach indicates a well-planned strategy aimed at maximizing the effectiveness of the attack.
Defensive Measures
Organizations should take immediate action to protect themselves from this ongoing threat. Here are some recommended steps:
- User Education: Train employees to recognize phishing attempts and suspicious emails.
- Email Filtering: Implement robust email filtering solutions to block malicious emails before they reach users.
- Regular Monitoring: Continuously monitor for unusual activity on networks and systems, particularly involving RMM tools.
- Incident Response Plans: Develop and maintain incident response plans to quickly address any potential breaches.
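As an added illustration of the monitoring step above (example code written for this page, not taken from the Sophos report or any vendor product), the following Python flags RMM installs that bypass the sanctioned deployment channel or that closely follow a browser download from an untrusted domain. The RMM product list (only ScreenConnect is named in the report), the sanctioned installer account, the trusted download domains and the sample events are all assumptions constructed for the example.

```python
"""Flag RMM tool installs that were not pushed by the sanctioned deployment
channel or that followed a browser download from an untrusted domain."""
import shlex
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed policy values: extend RMM_PRODUCTS with the tools your organisation
# actually licenses; SANCTIONED_INSTALLERS is the deployment account allowed
# to install them; TRUSTED_DOWNLOAD_DOMAINS are the approved software sources.
RMM_PRODUCTS = {"screenconnect"}
SANCTIONED_INSTALLERS = {"SYSTEM"}
TRUSTED_DOWNLOAD_DOMAINS = {"downloads.example-corp.invalid"}
WINDOW = timedelta(minutes=15)   # download-to-install correlation window

# Constructed sample endpoint events (not from the report).
EVENTS = [
    '2025-11-03T09:12:04 host01 download user=alice url=https://teams-invite.example.invalid/TeamsInvite.exe',
    '2025-11-03T09:13:30 host01 install user=alice product="ScreenConnect Client"',
    '2025-11-03T10:40:00 host02 install user=SYSTEM product="ScreenConnect Client"',
    '2025-11-03T11:00:00 host03 download user=bob url=https://downloads.example-corp.invalid/tool.msi',
    '2025-11-03T11:02:00 host03 install user=bob product="Some Tool"',
]

def parse_event(line):
    """Parse 'TIMESTAMP HOST ACTION key=value ...' (quoted values allowed)."""
    ts, host, action, *pairs = shlex.split(line)
    fields = dict(p.split("=", 1) for p in pairs)
    fields.update(ts=datetime.fromisoformat(ts), host=host, action=action)
    return fields

def find_suspicious_rmm_installs(lines):
    """Return findings for RMM installs that are interactive or follow an untrusted download."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    for ev in events:
        if ev["action"] != "install" or not any(r in ev["product"].lower() for r in RMM_PRODUCTS):
            continue
        reasons = []
        if ev["user"] not in SANCTIONED_INSTALLERS:
            reasons.append(f"installed interactively by {ev['user']}")
        # Correlate with a browser download on the same host shortly before the install.
        for dl in events:
            if (dl["action"] == "download" and dl["host"] == ev["host"]
                    and timedelta(0) <= ev["ts"] - dl["ts"] <= WINDOW):
                domain = urlparse(dl["url"]).hostname
                if domain not in TRUSTED_DOWNLOAD_DOMAINS:
                    reasons.append(f"preceded by download from {domain}")
        if reasons:
            findings.append({"host": ev["host"], "product": ev["product"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_rmm_installs(EVENTS):
        print(f["host"], f["product"], "; ".join(f["reasons"]))
```

Against the sample events only host01 is flagged: host02's install came through the sanctioned account with no preceding download, and host03's install is not an RMM product.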
By adopting these measures, organizations can reduce their risk of falling victim to this evolving threat landscape. Staying informed and proactive is key to maintaining cybersecurity in the face of such sophisticated attacks.