As the festive season kicks into gear, so too does the cybercriminal playbook.
We’ve noticed a spike in phishing attempts disguised as “pre-Christmas party invites”. While the festive spirit is infectious, so too is the threat. These aren’t just generic holiday greetings — they’re carefully crafted lures designed to hook users into downloading malware, often via links to malicious installers or fake login prompts.
This isn’t new. Cybercriminals are well aware of the seasonal rush — Black Friday, Cyber Monday, and the holiday rush all create the perfect storm for phishing. Expect to see emails promising “exclusive deals,” “failed transactions,” “refunds pending,” or “urgent login required.” These are classic tactics used to trigger urgency and bypass caution.
But here’s the twist — and the reason we’re raising the alarm: the tools they’re using are the same ones your MSP and IT teams rely on daily.
Attackers are now deploying ScreenConnect, LogMeIn Resolve, Naverisk, SimpleHelp, PDQ, and even Atera — the very same remote management tools many IT companies use to support your clients, manage systems, and maintain uptime.
This isn’t a coincidence. It’s a calculated move.
What’s happening?
A persistent, highly active threat actor, first observed in April 2025, has evolved its tactics. Initially, they leveraged ScreenConnect as their primary foothold. By June 2025, they began incorporating SimpleHelp, and by October 2025, LogMeIn Resolve and Naverisk were added to the mix — and now, multiple common IT support tools are often installed sequentially, sometimes weeks after initial access.
Why? The theory is simple: redundancy. Resilience. Obfuscation.
By installing multiple tools, attackers create a layered, persistent access point. They can rotate tools to avoid detection, mask their presence behind legitimate admin software, and even disable security controls like Windows Defender using tools like Defender Control. Credential harvesting tools like WebBrowserPassView are also frequently deployed, all to extract data, maintain access, and maximise their return.
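Detection logic for the tool-stacking pattern described above, as an added example that is not part of the original post: it parses constructed install-event log lines and flags hosts where two or more distinct RMM families appear within a window of the first install, and separately any sighting of Defender Control or WebBrowserPassView. The log format, host names and user names are constructed for the example; the product strings are assumptions to be aligned with your own software inventory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tool families named in the post, matched case-insensitively against the install event's
# product string; adjust these strings to your own software inventory (assumption).
RMM_FAMILIES = ("ScreenConnect", "SimpleHelp", "LogMeIn Resolve", "Naverisk", "PDQ", "Atera")
ABUSE_UTILITIES = ("Defender Control", "WebBrowserPassView")  # dropped alongside the RMM tools

# Constructed sample log (not real telemetry): "<ISO timestamp> <host> <user> INSTALL <product>".
# WS-FIN-07 shows the staggered multi-tool pattern; WS-HR-02 has one sanctioned agent only.
SAMPLE_LOG = """\
2025-10-01T09:12:00 WS-FIN-07 jdoe INSTALL ScreenConnect
2025-10-03T22:41:00 WS-FIN-07 jdoe INSTALL SimpleHelp
2025-10-19T03:05:00 WS-FIN-07 jdoe INSTALL LogMeIn Resolve
2025-10-19T03:09:00 WS-FIN-07 jdoe INSTALL Defender Control
2025-10-02T10:00:00 WS-HR-02 asmith INSTALL Atera
2025-10-02T10:30:00 WS-HR-02 asmith INSTALL 7-Zip
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) INSTALL (.+)$")

def parse_log(text):
    """Return (timestamp, host, user, product) tuples; lines that do not match are skipped."""
    rows = [LINE_RE.match(line.strip()) for line in text.splitlines()]
    return [(datetime.fromisoformat(m[1]), m[2], m[3], m[4]) for m in rows if m]

def _family(product, families):
    return next((f for f in families if f.lower() in product.lower()), None)

def find_rmm_stacking(events, window_days=45, min_tools=2):
    """Host -> sorted RMM families where min_tools distinct families were installed within
    window_days of the host's first RMM install (follow-on tools arrive weeks later, so
    the default window is deliberately wide)."""
    per_host = defaultdict(list)
    for ts, host, _user, product in events:
        fam = _family(product, RMM_FAMILIES)
        if fam:
            per_host[host].append((ts, fam))
    flagged = {}
    for host, installs in per_host.items():
        first = min(ts for ts, _ in installs)
        fams = {fam for ts, fam in installs if ts - first <= timedelta(days=window_days)}
        if len(fams) >= min_tools:
            flagged[host] = sorted(fams)
    return flagged

def find_abuse_utilities(events):
    """Host -> sorted Defender-disabling / credential-harvesting utilities observed."""
    found = defaultdict(set)
    for _ts, host, _user, product in events:
        found[host].update(u for u in ABUSE_UTILITIES if u.lower() in product.lower())
    return {h: sorted(u) for h, u in found.items() if u}
```

A single sanctioned agent on a host (WS-HR-02) is not flagged; the signal is several distinct families stacked on one machine, or the presence of the Defender-disabling and credential-harvesting utilities at all.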
Analyst’s take:
This is not just a shift in tactics. It is a strategic evolution. The attackers are no longer relying on a single, easily detectable tool. Instead, they’re building a resilient, multi-tool infrastructure that mimics legitimate IT operations — making detection and attribution far more difficult.
The fact that they’re using tools your own support team uses makes this even more concerning. It’s not just about access. It is about blending in, staying long-term, and exploiting the very systems you’re trying to protect.
What should you do?
- Be vigilant — especially during the holiday rush. Don’t click links in unsolicited emails, even if they look like they’re from your manager, a client, or a colleague.
- Verify before you click — use your own security tools or contact the sender directly to confirm legitimacy.
- Educate your teams — remind them that attackers are using tools they know — and that’s why they’re even more dangerous.
This isn’t a “maybe” or “possibly”. This is happening now.
Stay alert. Stay secure. And don’t let the holidays fool you. The real threat is lurking behind every festive email.
P.S. If you’ve received a suspicious “party invite” or any other email with a suspicious link — don’t click it. Forward it to us, and we’ll help you investigate.
Source: October 2025 | https://www.security.com/threat-intelligence/rmm-logmein-attacks
