{"id":1233,"date":"2026-01-23T15:37:28","date_gmt":"2026-01-23T21:37:28","guid":{"rendered":"https:\/\/cmitsolutions.com\/lasvegas-nv-1206\/?p=1233"},"modified":"2026-01-23T15:37:28","modified_gmt":"2026-01-23T21:37:28","slug":"greenvelope-logmein-rmm-phishing-attack-las-vegas","status":"publish","type":"post","link":"https:\/\/cmitsolutions.com\/lasvegas-nv-1206\/blog\/greenvelope-logmein-rmm-phishing-attack-las-vegas\/","title":{"rendered":"Urgent Alert: New “Greenvelope” Phishing Attack Installs Backdoor via LogMeIn"},"content":{"rendered":"

 <\/p>\n

<\/p>\n\n\n\n
\n

\ud83d\udea8 URGENT SECURITY ALERT: Greenvelope Phishing Attack Installs LogMeIn Backdoor<\/h1>\n

Sophisticated “Living off the Land” attack bypasses traditional antivirus – Las Vegas hospitality sector at high risk<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

<\/p>\n\n\n\n
\n

By Adam Lopez, CMIT Solutions of Las Vegas<\/p>\n

Published: January 2026 | Threat Level: CRITICAL<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\n

<\/p>\n\n\n\n
\n

Executive Summary: The “Trusted Tool” Trap<\/h2>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/p>\n\n\n\n
\n

\u26a0\ufe0f URGENT SECURITY WARNING<\/h3>\n

A sophisticated new cyber campaign has been identified by threat researchers at KnowBe4. This is not a standard virus; it is a “Living off the Land” (LotL)<\/strong> attack that weaponizes legitimate IT software to bypass traditional antivirus defenses.<\/p>\n\n\n\n\n\n
The Threat:<\/td>\nAttackers are sending phishing emails disguised as invitations from the digital platform Greenvelope<\/strong>. If an employee clicks and enters credentials, the attackers do not just steal the password\u2014they use it to deploy a legitimate instance of LogMeIn Resolve (formerly GoTo Resolve)<\/strong>, granting them persistent, invisible remote control over your network.<\/td>\n<\/tr>\n
<\/td>\n<\/tr>\n
Who is Affected:<\/td>\nAny organization using Microsoft Outlook, Yahoo, or AOL for email is a target. In Las Vegas<\/strong>, where hospitality, entertainment, and legal industries rely heavily on digital event invitations (galas, conventions, corporate mixers), the “click rate” risk for this specific lure is dangerously high.<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

<\/p>\n\n\n\n
\n

Technical Breakdown: Anatomy of the Attack<\/h2>\n

Unlike attacks that exploit a software bug (CVE), this campaign abuses logic<\/em> and trust<\/em>. Here are the specific Indicators of Compromise (IoCs)<\/strong> identifying this threat:<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/p>\n\n\n\n
\n

Attack Chain Breakdown:<\/h3>\n\n\n\n\n\n\n\n\n\n\n\n
\ud83d\udce7 Attack Vector<\/strong><\/p>\n

Phishing email mimicking a “Greenvelope” event invitation (digital greeting card platform)<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n<\/tr>\n
\ud83d\udd11 Credential Theft<\/strong><\/p>\n

Landing page harvests Outlook\/Yahoo\/AOL credentials through fake login form<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n<\/tr>\n
\ud83d\udcbe Payload Dropper<\/strong><\/p>\n

A binary executable named GreenVelopeCard.exe<\/code> is downloaded<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n<\/tr>\n
\u2713 Digital Signature<\/strong><\/p>\n

The binary is digitally signed<\/strong> with a valid certificate, tricking Windows into trusting it<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n<\/tr>\n
\ud83d\udd12 Persistence Mechanism<\/strong><\/p>\n

The malware silently installs LogMeIn Resolve<\/strong> using a JSON configuration file<\/p>\n

It establishes Hidden Scheduled Tasks<\/strong> to relaunch the RMM tool automatically if terminated<\/p>\n

Service settings are altered to run with Unrestricted Access (System Level)<\/strong><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\n

<\/p>\n\n\n\n
\n

Why This Matters to Las Vegas CEOs<\/h2>\n

This attack represents a shift in tradecraft. By using legitimate RMM (Remote Monitoring and Management) software, hackers are hiding in plain sight.<\/strong><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/p>\n\n\n\n
\n

1. The “Shadow IT” Nightmare<\/h3>\n

Your antivirus likely won’t block LogMeIn because it is a legitimate tool<\/strong> used by millions of IT professionals. To a basic firewall, this traffic looks like normal business operations.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n
\n

2. The “Event Capital” Vulnerability<\/h3>\n

Las Vegas is the convention capital of the world.<\/strong> Your staff likely receives dozens of legitimate digital invites weekly. Attackers know this. They are betting that your sales director or front-desk manager will click a “Greenvelope” link out of habit.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n
\n

3. Total Network Compromise<\/h3>\n

Once the RMM is installed, attackers have “hands-on-keyboard” access<\/strong>. They can exfiltrate sensitive client data (gaming compliance data, legal files, guest lists) or deploy ransomware manually at a time of their choosing\u2014often 2 AM on a holiday weekend.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

<\/p>\n\n\n\n
\n

Your 3-Step Defense-in-Depth Strategy<\/h2>\n

Since this attack uses valid credentials and valid software, standard “set it and forget it” security is insufficient. We recommend the following immediate actions based on the NIST Cybersecurity Framework<\/strong>:<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/p>\n\n\n\n
\n\n\n\n
\n
1<\/div>\n<\/td>\n
\n

Application Ring-Fencing (Zero Trust)<\/h3>\n

You must control what software is allowed to run. Implement Application Whitelisting<\/strong> (via ThreatLocker or similar tools) that blocks any<\/em> RMM tool not explicitly approved by your IT department. Even if GreenVelopeCard.exe<\/code> runs, it should be blocked from installing LogMeIn if that specific publisher isn’t on your allow-list.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/p>\n\n\n\n
\n\n\n\n
\n
2<\/div>\n<\/td>\n
\n

Phishing-Resistant MFA<\/h3>\n

The attack starts with credential theft. Move beyond SMS-based 2-Factor Authentication. Implement FIDO2 Hardware Keys (YubiKeys)<\/strong> or certificate-based authentication. Even if an employee is tricked by the fake login page, they cannot give away the physical token required to log in.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/p>\n\n\n\n
\n\n\n\n
\n
3<\/div>\n<\/td>\n
\n

Behavioral Monitoring (EDR\/MDR)<\/h3>\n

Deploy Endpoint Detection and Response (EDR) agents that look for behavior<\/em>, not just file signatures. A proper SOC (Security Operations Center) should trigger an immediate alarm if a scheduled task is created to launch a remote access tool, or if a non-admin user attempts to install system-level services.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\n

<\/p>\n\n\n\n
\n

How CMIT Solutions of Las Vegas Protects You<\/h2>\n

At CMIT Solutions, we specialize in distinguishing between “friend” and “foe”<\/strong> on your network.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/p>\n\n\n\n
\n

\ud83d\udd0d RMM Audits<\/h4>\n

We scan your network to identify all<\/em> remote access tools. If we didn’t install it, we remove it. No exceptions.<\/p>\n<\/td>\n

\n

\ud83c\udf93 Security Training<\/h4>\n

We can simulate this exact “Greenvelope” attack to test your employees and educate them before<\/em> the real hackers strike.<\/p>\n<\/td>\n

\n

\ud83d\udee1\ufe0f 24\/7 SOC Monitoring<\/h4>\n

Our team watches your endpoints around the clock. If a GreenVelopeCard.exe<\/code> process starts, we kill it instantly.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

<\/p>\n\n\n\n
\n

Additional Las Vegas Cybersecurity Services:<\/h3>\n\n\n\n\n\n\n\n
\u2713<\/strong><\/td>\nApplication Whitelisting (ThreatLocker)<\/strong> – Zero Trust security for Las Vegas gaming and hospitality<\/td>\n<\/tr>\n
\u2713<\/strong><\/td>\nFIDO2 Hardware Key Deployment<\/strong> – Phishing-resistant MFA for executive teams<\/td>\n<\/tr>\n
\u2713<\/strong><\/td>\nEDR\/MDR Solutions<\/strong> – Behavioral monitoring and threat hunting<\/td>\n<\/tr>\n
\u2713<\/strong><\/td>\nSimulated Phishing Campaigns<\/strong> – Test and train your staff with real-world scenarios<\/td>\n<\/tr>\n
\u2713<\/strong><\/td>\nCompliance Support<\/strong> – PCI-DSS, HIPAA, Gaming Control Board requirements<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\n

<\/p>\n\n\n\n
\n

“The Greenvelope attack is particularly dangerous for Las Vegas businesses because it exploits our culture. We’re an event-driven city\u2014conferences, trade shows, galas happen daily. Employees are conditioned to click invitation links. That’s exactly what attackers are counting on. The only defense is layered security: technical controls, employee training, and 24\/7 monitoring.”<\/p>\n

\u2014 Adam Lopez, CMIT Solutions of Las Vegas<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

<\/p>\n\n\n\n
\n

Don’t Let a Fake Party Invite Crash Your Business<\/h2>\n

Get a comprehensive vulnerability assessment and phishing simulation from Las Vegas’s cybersecurity specialists.<\/p>\n

Contact Adam Lopez and the CMIT Las Vegas team today.<\/p>\n\n\n\n
\n

\ud83d\udcde 702-725-2877<\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Request Emergency Security Assessment<\/a><\/p>\n

cmitsolutions.com\/lasvegas-nv-1206<\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

<\/p>\n\n\n\n
\n

Key Takeaways:<\/h3>\n\n\n\n\n\n\n\n
\u26a0<\/strong><\/td>\nGreenvelope phishing campaign<\/strong> weaponizes LogMeIn Resolve to bypass traditional antivirus<\/td>\n<\/tr>\n
\u26a0<\/strong><\/td>\nLas Vegas at high risk<\/strong> – Convention capital culture makes employees prone to clicking invitation links<\/td>\n<\/tr>\n
\u2713<\/strong><\/td>\nDeploy Application Whitelisting<\/strong> to block unauthorized RMM tools like LogMeIn<\/td>\n<\/tr>\n
\u2713<\/strong><\/td>\nImplement FIDO2 hardware keys<\/strong> – Phishing-resistant MFA stops credential theft attacks<\/td>\n<\/tr>\n
\u2713<\/strong><\/td>\nCMIT Solutions provides 24\/7 SOC monitoring<\/strong> and simulated phishing training for Las Vegas businesses<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

<\/p>\n\n\n\n
\n

Original threat research source: The Hacker News – KnowBe4 Report<\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/article>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

This isn’t just a virus; it’s a ‘Living off the Land’ attack where hackers use your own trusted tools against you. A new campaign disguised as Greenvelope invitations is installing silent backdoors on corporate networks.<\/p>\n","protected":false},"author":1008,"featured_media":1232,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1233","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-local-it"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cmitsolutions.com\/lasvegas-nv-1206\/wp-json\/wp\/v2\/posts\/1233","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cmitsolutions.com\/lasvegas-nv-1206\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cmitsolutions.com\/lasvegas-nv-1206\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/lasvegas-nv-1206\/wp-json\/wp\/v2\/users\/1008"}],"replies":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/lasvegas-nv-1206\/wp-json\/wp\/v2\/comments?post=1233"}],"version-history":[{"count":0,"href":"https:\/\/cmitsolutions.com\/lasvegas-nv-1206\/wp-json\/wp\/v2\/posts\/1233\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/lasvegas-nv-1206\/wp-json\/wp\/v2\/media\/1232"}],"wp:attachment":[{"href":"https:\/\/cmitsolutions.com\/lasvegas-nv-1206\/wp-json\/wp\/v2\/media?parent=1233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cmitsolutions.com\/lasvegas-nv-1206\/wp-json\/wp\/v2\/categories?post=1233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cmitsolutions.com\/lasvegas-nv-1206\/wp-json\/wp\/v2\/tags?post=1233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}