Attackers are increasingly bypassing traditional malware defenses by exploiting legitimate remote monitoring and management tools for backdoor access. KnowBe4 Threat Labs warns of the Skeleton Key campaign, in which threat actors hijack trusted IT software rather than deploy custom malware.
The campaign reflects a growing trend in which attackers no longer develop malware but reuse existing enterprise software. Instead of breaking in through the front door, they steal the master key by compromising user data and transforming remote access tools into hidden persistence mechanisms.
The attack unfolds in two phases: first, credential collection, then system compromise. Victims receive phishing emails posing as Greenvelope i…
Attackers are increasingly bypassing traditional malware defenses by exploiting legitimate remote monitoring and management tools for backdoor access. KnowBe4 Threat Labs warns of the Skeleton Key campaign, in which threat actors hijack trusted IT software rather than deploy custom malware.
The campaign reflects a growing trend in which attackers no longer develop malware but reuse existing enterprise software. Instead of breaking in through the front door, they steal the master key by compromising user data and transforming remote access tools into hidden persistence mechanisms.
The attack unfolds in two phases: first, credential collection, then system compromise. Victims receive phishing emails posing as Greenvelope invitations, a service for business events and formal communications. Those who click are directed to a fake login page that steals credentials while mimicking the real service.
RMM tools as weapons of attack
With stolen credentials, attackers generate legitimate access tokens for remote monitoring and management platforms. A file called “GreenVelopeCard.exe” installs tools such as GoTo Resolve and LogMeIn, allowing malicious activity to blend in with normal enterprise traffic and evade signature-based detection.
KnowBe4 discovered that the dropper contains a configuration file that instructs RMM software to install silently, connect to attacker-controlled accounts, and operate with full remote control capabilities. By using officially signed software and production infrastructure, attackers hide in plain sight and make their activity virtually indistinguishable from legitimate IT operations.
Persistence and command-and-control
For persistence, attackers manipulate the registry, abuse Windows services, and deploy hidden scheduled tasks. Even when administrators detect the activity and attempt to shut it down, remote access remains intact.
The command-and-control strategy routes malicious traffic through GoTo’s official infrastructure using encrypted HTTPS. This allows communications to blend in with normal enterprise network traffic and remain undetected by many existing tools.
KnowBe4 states that these attacks are forcing organizations to rethink their defense strategy against modern threats. Security teams must monitor for abnormal use of legitimate tools, unauthorized RMM deployments, and suspicious identity activity. Focusing solely on malware detection is no longer enough.