{"id":4114,"date":"2026-01-15T02:14:44","date_gmt":"2026-01-15T02:14:44","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/01\/15\/hackers-use-fake-paypal-notices-to-steal-credentials-deploy-rmms\/"},"modified":"2026-01-15T02:14:44","modified_gmt":"2026-01-15T02:14:44","slug":"hackers-use-fake-paypal-notices-to-steal-credentials-deploy-rmms","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/01\/15\/hackers-use-fake-paypal-notices-to-steal-credentials-deploy-rmms\/","title":{"rendered":"Hackers Use Fake PayPal Notices to Steal Credentials, Deploy RMMs"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-115f98c5-e71e-4ef9-950c-880de57e0386\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A new wave of phishing-led intrusions abusing legitimate remote monitoring and management (RMM) tools has been documented, with attackers using fake PayPal alerts to gain both personal and corporate access.<\/p>\n<p>The activity, documented in an advisory published by CyberProof on Tuesday, marks a shift away from seasonal lures toward high-urgency financial themes, while highlighting how trusted remote access software continues to be weaponized to evade detection.<\/p>\n<p>Earlier waves relied on decoy messages such as holiday party invitations, tax notices or document signing requests. The latest incidents instead exploit fake PayPal warnings designed to provoke immediate action.<\/p>\n<h2>From Personal Accounts to Corporate Footholds<\/h2>\n<p>CyberProof researchers examined six incidents across customer environments, including one case in which an employee\u2019s personal PayPal account served as the initial entry point.<\/p>\n<p>On January 5 2026, the company\u2019s Managed Detection and Response (MDR) team identified suspicious activity that later escalated into corporate access.<\/p>\n<p>The attack began with a fraudulent PayPal email, followed by phone-based social engineering. 
Posing as support staff, the attacker convinced the victim to install legitimate remote access software.<\/p>\n<p>LogMeIn Rescue was deployed first, before the threat actor pivoted to AnyDesk to maintain access. No endpoint detection and response (EDR) alerts were triggered during the intrusion.<\/p>\n<p><em>Read more on RMM tool abuse and defense: Remote Control Cybercrime: An RMM Protection Guide for MSPs<\/em><\/p>\n<h2>RMM Redundancy and Security Recommendations<\/h2>\n<p>For context, using one RMM tool to install another is a pattern also noted recently in research from Broadcom.<\/p>\n<p>This approach appears intended to reduce the likelihood of detection and possibly to cycle through trial licences to avoid expiration.<\/p>\n<p>Artifacts from these attacks included multiple LogMeIn Rescue binaries and confirmation of an active remote session.<\/p>\n<p>Persistence was achieved through a scheduled task and a startup shortcut disguised with a Gmail-style name. The tactic was designed to blend into regular system activity and avoid raising suspicion during routine checks.<\/p>\n<p>\u201cWhile the immediate motivation behind this campaign appears financial, the long-term risk is significant,\u201d CyberProof warned.<\/p>\n<p>\u201cAccess gained through these RMM \u2018backdoors\u2019 can be sold to Advanced Persistent Threat (APT) actors, leading to full corporate compromise or ransomware deployment.\u201d<\/p>\n<p>To tackle similar threats, the cybersecurity firm recommended tightening phishing controls, restricting network access to common RMM ports and avoiding the exposure of remote services such as RDP.<\/p>\n<p>It also urged organizations to maintain offline backups, assess the risks of third-party RMM tools, keep security software up to date and reinforce user training as part of a zero-trust security model.<\/p>\n<\/div>\n<p><em>Image credit: Samuel Boivin \/ 
Shutterstock.com<\/em><\/p>\n<\/div>\n","protected":false},"author":2,"featured_media":4115,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4114","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0"}