Hackers Use Fake PayPal Notices to Steal Credentials, Deploy RMMs

By Team-CWD, January 14, 2026

A new wave of phishing-led intrusions abusing legitimate remote monitoring and management (RMM) tools has been documented, with attackers using fake PayPal alerts to gain both personal and corporate access.

The activity, documented in an advisory published by CyberProof on Tuesday, marks a shift away from seasonal lures toward high-urgency financial themes, while highlighting how trusted remote access software continues to be weaponized to evade detection.

Earlier waves relied on decoy messages such as holiday party invitations, tax notices or document signing requests. The latest incidents instead exploit fake PayPal warnings designed to provoke immediate action.

From Personal Accounts to Corporate Footholds

CyberProof researchers examined six incidents across customer environments, including one case in which an employee’s personal PayPal account served as the initial entry point.

On January 5, 2026, the company’s Managed Detection and Response (MDR) team identified suspicious activity that later escalated into corporate access.

The attack began with a fraudulent PayPal email, followed by phone-based social engineering. Posing as support staff, the attacker convinced the victim to install legitimate remote access software.

LogMeIn Rescue was deployed first, before the threat actor pivoted to AnyDesk to maintain access. No endpoint detection and response (EDR) alerts were triggered during the intrusion.

RMM Redundancy and Security Recommendations

For context, attackers using one RMM tool to install another is a pattern also noted recently in research from Broadcom.

This approach appears intended to reduce the likelihood of detection and possibly to cycle through trial licences to avoid expiration.

Artifacts from these attacks included multiple LogMeIn Rescue binaries and confirmation of an active remote session.

Persistence was achieved through a scheduled task and a startup shortcut disguised with a Gmail-style name. The tactic was designed to blend into regular system activity and avoid raising suspicion during routine checks.
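As an added illustration of the RMM-chaining and disguised-persistence patterns described above (example code written for this page, not CyberProof's or Broadcom's), the Python hunt below runs over a constructed export of scheduled tasks and Startup-folder shortcuts and flags entries that launch a known RMM binary, display names that hide which tool they launch, and hosts where more than one RMM tool is present. The RMM executable names and the sample records are assumptions, not values from the advisory.

```python
import re
from collections import defaultdict

# Executable names assumed for the two tools named in the advisory
# (assumption: real deployments may use other file names or installers).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "support-logmeinrescue.exe": "LogMeIn Rescue",
    "lmi_rescue.exe": "LogMeIn Rescue",
}

# Constructed sample records: (host, autorun source, display name, resolved target).
# Shaped like a scheduled-task / Startup-folder export; not real telemetry.
SAMPLE_AUTORUNS = [
    ("WS-017", "scheduled_task", "Gmail Notifier",
     r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe"),
    ("WS-017", "startup_shortcut", "Gmail.lnk",
     r"C:\Users\jdoe\AppData\Local\Temp\Support-LogMeInRescue.exe"),
    ("WS-017", "scheduled_task", "OneDrive Standalone Update",
     r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
    ("WS-042", "startup_shortcut", "Teams.lnk", r"C:\Program Files\Teams\Teams.exe"),
]


def classify(record):
    """Return a finding when the autorun target is a known RMM binary, else None."""
    host, source, name, target = record
    exe = re.split(r"[\\/]", target)[-1].lower()
    tool = RMM_BINARIES.get(exe)
    if tool is None:
        return None
    # A display name that never mentions the tool it launches (e.g. a Gmail-style
    # label on an AnyDesk task) is the blending-in tactic the advisory describes.
    disguised = tool.split()[0].lower() not in name.lower()
    return {"host": host, "source": source, "name": name, "tool": tool, "disguised": disguised}


def hunt(records):
    """Classify every record and mark hosts carrying more than one RMM tool (chaining)."""
    findings = [f for f in map(classify, records) if f]
    tools_per_host = defaultdict(set)
    for f in findings:
        tools_per_host[f["host"]].add(f["tool"])
    for f in findings:
        f["multiple_rmm"] = len(tools_per_host[f["host"]]) > 1
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_AUTORUNS):
        flags = [k for k in ("disguised", "multiple_rmm") if f[k]]
        print(f"{f['host']} {f['source']} '{f['name']}' -> {f['tool']} {flags}")
```

Feeding it a real export (e.g. from a scheduled-task and Startup-folder enumeration across a fleet) turns the two flags into triage hints: a disguised name plus a second RMM tool on the same host is the combination seen in the incident above.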

“While the immediate motivation behind this campaign appears financial, the long-term risk is significant,” CyberProof warned.

“Access gained through these RMM ‘backdoors’ can be sold to Advanced Persistent Threat (APT) actors, leading to full corporate compromise or ransomware deployment.”

To tackle similar threats, the cybersecurity firm recommended tightening phishing controls, restricting network access to common RMM ports and avoiding the exposure of remote services such as RDP.

It also urged organizations to maintain offline backups, assess the risks of third-party RMM tools, keep security software up to date and reinforce user training as part of a zero-trust security model.

Image credit: Samuel Boivin / Shutterstock.com