A threat actor has shifted tactics by installing multiple remote management and monitoring (RMM) tools — notably ScreenConnect, LogMeIn Resolve, and Naverisk — on compromised machines, often installing additional RMMs long after initial compromise to maintain persistence and harvest credentials. Phishing emails with lures like holiday invites and fake invoices deliver signed MSI/EXE installers that deploy RMMs and utility tools such as HideMouse and WebBrowserPassView. #ScreenConnect #LogMeInResolve #Naverisk