Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Phishing Campaign Abuses eCards to Deploy RMM Tools

July 15, 2026

Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories

July 15, 2026

Compromised Logins Surge as the Most Common Entry Point for Ransomware

July 15, 2026
Facebook X (Twitter) Instagram
Wednesday, July 15
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Phishing Campaign Abuses eCards to Deploy RMM Tools
News

Phishing Campaign Abuses eCards to Deploy RMM Tools

Team-CWDBy Team-CWDJuly 15, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


A six-month phishing operation has been tricking Windows and macOS users into installing legitimate remote monitoring and management (RMM) software through fake electronic greeting cards (eCards).

According to new research published by Forescout on July 14, the campaign, which it dubbed SeasonalInvite, has been active since at least January 2026 and was still serving payloads in late June.

Its defining trait is a rotating set of lures pegged to the calendar, moving from tax and Social Security themes in winter to Valentine’s, Easter and spring invitations later on.

The researchers identified 959 domains used in phishing emails and poisoned search results. Victims were screened by a traffic distribution system (TDS) before reaching a page impersonating greeting card service BlueMountain, which displayed a loading animation and, after three seconds, automatically downloaded an operating-system-specific installer.

Read more on RMM abuse: New Phishing Campaign Abuses ConnectWise ScreenConnect to Take Over Devices

Legitimate Tools, Attacker Consoles

The investigation confirmed abuse of four commercially signed RMM products: ConnectWise ScreenConnect, LogMeIn Resolve, Kaseya and German tool O&O Syspectr. Because the installers were genuine and validly signed, they passed security checks that would flag conventional malware.

On Windows, batch and VBScript droppers fetched an installer and relaunched themselves to trigger a User Account Control (UAC) prompt, so the victim was asked to approve the privileged install rather than having it bypassed.

The macOS path split the delivery in two, pairing a signed Kaseya package with a separate config.data file that redirected enrollment to the attacker’s server, abusing an unattended-deployment feature built for managed service providers.

Each landing page also quietly harvested the visitor’s IP address, city and browser and posted them to a backend, giving the operator a record of everyone who reached the page.

Signs of an AI-Assembled Kit

The phishing pages carry indicators of AI-generated code, including emoji-prefixed task comments and references to combining a “first snippet” and “second snippet.”

Forescout assessed the operator likely used a large language model (LLM) to stitch pieces of code into a single landing page with operating-system detection, Telegram-based reporting and animation logic, lowering the cost of producing fresh variants.

The TDS itself appears to be a larger, shared platform. A search for pages matching its gate-page fingerprint returned 2658 URLs, many appearing benign to automated scanners while quietly routing real users onward.

Because not all carried the SeasonalInvite fingerprint, Forescout suggested the system may serve several unrelated phishing operations at once. Microsoft separately documented overlapping infrastructure in March, when the same operation leaned on tax-themed lures.

Forescout urged organizations to keep an approved inventory of RMM tools and alert on any others, harden email filtering against seasonal themes and train staff that a genuine eCard should never require installing remote support software or approving an elevation prompt.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleCloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories
Team-CWD
  • Website

Related Posts

News

Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories

July 15, 2026
News

Eleven Vulnerable UEFI Shims Enable Secure Boot Bypass

July 15, 2026
News

AI Attacks Move in Minutes. Join This Webinar on Building a Defense That Keeps Up

July 15, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Is Poshmark safe? How to buy and sell without getting scammed

February 19, 2026

A stealthy RAT burrowing deep into Android devices

May 26, 2026

Why that next data breach alert could be a trap

April 18, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.