Rogue RMMs: RMM Abuse Has a New GoTo
Overview
- Blackpoint’s Adversary Pursuit Group (APG) is tracking a series of incidents involving consistent TTPs surrounding ScreenConnect and GoTo Resolve.
- This campaign is hitting several verticals.
- The incidents share several consistencies: GoTo Resolve downloads ScreenConnect and WinGet.
- ScreenConnect attempts to hit external domains.
Kill Chain
Blackpoint’s SOC observed the initial GoTo Resolve download originating from malicious downloads designed to trick users, such as fake calendar invites (e.g. 232invite_s_8DDFF00C56FF12-3-0_c_w (1).exe). GoTo Resolve would then beacon to an external IP and download ScreenConnect, followed closely by WinGet.
Within the incidents identified, WinGet was pushed to either:
- C:\Windows\SystemTemp\winget-export
- C:\users\*user*\appdata\local\temp\winget-export
While WinGet is used by GoToAssist’s patch management component and could be considered benign when this software and activity is expected, when it is observed in the context of suspicious or unexpected activity it can be abused by threat actors to:
- Deploy additional payloads silently.
- Blend in with normal traffic.
- Provide privilege escalation opportunities.
ScreenConnect would then attempt to connect to suspicious domains (see Domains section in IOCs).
This activity was consistent in nearly every identified incident. Blackpoint SOC also identified the following indicators in select incidents:
- A scheduled task that would launch a GoTo Resolve service. The naming convention was consistent – GoToResolve_<nineteen digit number> starter.
- GoToResolve_7666661934651753493 starter
- GoToResolve_6018368660074000147 starter
Tools like GoTo Resolve and GoToAssist have legitimate remote management purposes; however, once attackers gain access to an environment, these same tools offer them the same capabilities: unattended remote access (remote connection without user approval), persistence, and a backdoor that appears as a normal IT process.
This could serve several purposes. Earlier this year, Blackpoint SOC observed a sharp increase in the abuse of ScreenConnect by threat actors. As a result of this abuse, security solutions began alerting on its download and installation. By installing ScreenConnect via another RMM that isn’t as heavily scrutinized by security software, threat actors can evade detection more often while still installing their RMM of choice. Additionally, with two RMMs on the host, the threat actor has two methods of access, requiring security solutions to first identify their presence within the environment and then identify their malicious use.
While the exact goal of the campaign remains unclear, persistent access appears to be a primary goal. Access could be sold by initial access brokers or additional payloads dropped on infected systems.
Victimology
Blackpoint SOC observed this activity hitting 13 different verticals since the beginning of August. There does not appear to be a consistent target at this time.
Takeaway
While the full objective of this campaign remains unknown, the early activity discussed in this blog indicates that the deployment of unapproved RMM tools is not only used for persistence but may also serve multiple roles in the threat actor’s attack chain.
- A form of initial access, giving threat actors immediate entry into the network without traditional exploits or loaders.
- A built-in command and control channel, allowing interactive control of systems through a legitimate, trusted platform.
- A persistence mechanism, where scheduled tasks or services ensure the RMM appliance automatically reinstates access after reboots.
Because these tools run signed, trusted code and mimic legitimate IT operations, they offer attackers a “shadow IT” foothold that can replace the need for custom malware.
There are actions that defenders can take to prevent and identify this activity within their environments.
- Audit the use of RMMs within your environment.
- Block the use of unwanted tools via Application Control Software, Blackpoint’s Managed Application Control (MAC), or prevent the installation of new software by users within Group Policy.
- Implement inventory controls to ensure full visibility of installed software, so that risks can be prioritized and responded to more effectively.
- Ensure security solutions are tuned to detect unauthorized RMM installation.
- Perform proactive threat hunts on the provided IOCs.
- Ensure users are aware of and can identify modern techniques such as fake calendar invites, fake updates, and Fake Captcha/ClickFix attacks.
IOCs
- ScreenConnect IDs:
- a0854298238b2442
- e69d50b6ca31c3ec
- IPs:
- 3.26.76[.]208
- 34.202.6[.]108
- 45.141.215[.]47:8041
- 80.76.49[.]8
- Domains:
- server[.]kukujuju[.]online
- wsecu[.]in
- bterwqasdf[.]online
- blog[.]alrvpanl[.]top
- support[.]ssaconn3ct[.]info
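The following is an added hunt example, not Blackpoint’s own tooling, that turns the indicators above and the Kill Chain observations (the GoToResolve_<nineteen digit number> starter scheduled task, the two winget-export staging paths, the ScreenConnect IDs, and the network IOCs) into matching rules and runs them over a small set of constructed telemetry events. The event field names (type, name, path, dest, port, instance_id) are an assumed normalized schema, not a vendor format, and the sample events are constructed for illustration rather than taken from a real incident.

```python
"""Hunt for the RMM-abuse indicators described in the report over normalized endpoint telemetry."""
import re

# Network IOCs exactly as published (defanged with [.]); refanged below for matching.
DEFANGED_IPS = ["3.26.76[.]208", "34.202.6[.]108", "45.141.215[.]47", "80.76.49[.]8"]
DEFANGED_DOMAINS = [
    "server[.]kukujuju[.]online", "wsecu[.]in", "bterwqasdf[.]online",
    "blog[.]alrvpanl[.]top", "support[.]ssaconn3ct[.]info",
]
SCREENCONNECT_IDS = {"a0854298238b2442", "e69d50b6ca31c3ec"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '1.2.3[.]4' back into a matchable value."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}          # port 8041 was seen on 45.141.215.47
IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Scheduled task naming convention from the incidents: GoToResolve_<19 digits> starter
TASK_NAME_RE = re.compile(r"^GoToResolve_\d{19} starter$")

# WinGet staging paths seen in the incidents: SystemTemp and the per-user temp directory
WINGET_EXPORT_RE = re.compile(
    r"^C:\\(Windows\\SystemTemp|Users\\[^\\]+\\AppData\\Local\\Temp)\\winget-export(\\|$)",
    re.IGNORECASE,
)


def hunt(events):
    """Return (rule_name, event) pairs for every event that matches an indicator.

    Assumed schema: each event is a dict with a 'type' key and rule-specific fields.
    A starter task or winget-export write is only notable where GoTo Resolve is not
    an approved RMM; keep an allowlist of sanctioned tools when triaging the output.
    """
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "scheduled_task" and TASK_NAME_RE.match(ev.get("name", "")):
            findings.append(("gotoresolve_starter_task", ev))
        elif kind == "file_write" and WINGET_EXPORT_RE.match(ev.get("path", "")):
            findings.append(("winget_export_staging", ev))
        elif kind == "net_connect":
            dest = ev.get("dest", "").lower().rstrip(".")
            if dest in IOC_IPS or dest in IOC_DOMAINS:
                findings.append(("known_rmm_c2_destination", ev))
        elif kind == "screenconnect_install" and ev.get("instance_id") in SCREENCONNECT_IDS:
            findings.append(("known_screenconnect_instance", ev))
    return findings


# Constructed sample telemetry (not from a real incident) mixing hits and benign noise.
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "name": "GoToResolve_7666661934651753493 starter"},
    {"type": "scheduled_task", "name": "MicrosoftEdgeUpdateTaskMachineCore"},
    {"type": "file_write", "path": r"C:\Windows\SystemTemp\winget-export\winget.exe"},
    {"type": "file_write", "path": r"C:\Users\jdoe\AppData\Local\Temp\winget-export\source.msix"},
    {"type": "file_write", "path": r"C:\Users\jdoe\AppData\Local\Temp\report.pdf"},
    {"type": "net_connect", "process": "ScreenConnect.ClientService.exe",
     "dest": "server.kukujuju.online", "port": 443},
    {"type": "net_connect", "process": "ScreenConnect.ClientService.exe",
     "dest": "45.141.215.47", "port": 8041},
    {"type": "net_connect", "process": "msedge.exe", "dest": "example.com", "port": 443},
    {"type": "screenconnect_install", "instance_id": "e69d50b6ca31c3ec"},
]


def rule_names(events):
    """Convenience wrapper returning only the rule names, in event order."""
    return [rule for rule, _ in hunt(events)]


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{rule:32s} {ev}")
```

Run against the constructed events, the hunt flags the starter task, both winget-export writes, the two ScreenConnect connections to listed destinations, and the known ScreenConnect instance, while leaving the Edge task, the PDF write and the browser connection alone. To use it on real data, map your EDR or Sysmon export (task creation, file creation, network connection and install events) onto the assumed schema and feed the resulting list to hunt().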
Additional Resources
- ScreenConnect Abuse Surges In Rogue Access Campaigns (Blackpoint)
- Beyond the Alerts: ScreenConnect (Blackpoint)