CyberheistNews Vol 16 #04 The Skeleton Key: How Attackers Weaponize Trusted RMM Tools for Backdoor Access

KnowBe4 Team | Jan 27, 2026

The Skeleton Key: How Attackers Weaponize Trusted RMM Tools for Backdoor Access

KnowBe4 Threat Labs recently examined a sophisticated dual-vector campaign that demonstrates the real-world exploitation chain following credential compromise.

This is not a traditional virus attack. Instead of deploying custom viruses, attackers are bypassing security perimeters by weaponizing the necessary IT tools that administrators trust. By stealing a "skeleton key" to the system, they turn legitimate Remote Monitoring and Management (RMM) software into a persistent backdoor.

Phishing Attack Summary

  • Vector and Type: Email Phishing / Dual-vector attack that moves from credential harvesting to full system takeover
  • Techniques: brand impersonation, credential harvesting, RMM deployment
  • Bypassed SEG detection: Yes
  • Targets: Organizations globally

The Two-Wave Attack Strategy
This campaign operates in two distinct waves: first by harvesting credentials through fake invitation notifications, then weaponizing those credentials to deploy legitimate RMM software that establishes persistent backdoor access to victim systems.

Wave 1: Credential Harvesting
The attack begins with a phishing email disguised as a Greenvelope invitation. Because Greenvelope is a legitimate service used for corporate events and weddings, the "Social Engineering Indicators" are subtle. Victims who click the invitation are directed to a highly convincing spoofed login page designed to capture their credentials.

Wave 2: RMM Deployment
For the attacker, a valid password is not the end goal—it is the delivery mechanism. Once credentials are secured, the threat actors generate legitimate RMM access tokens. These tokens are then deployed in follow-on attacks through a file called "GreenVelopeCard[.]exe" to establish persistent remote access to victim systems.
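As an added, defender-side example that is not from the article or from KnowBe4 Threat Labs: a small detector that scans constructed Sysmon-style process-creation events for the two tells of Wave 2 (an RMM agent running outside its approved install path, and a binary carrying RMM vendor metadata under a different file name) and for the Wave 1-to-2 hand-off (an invitation-themed executable spawned by a browser or mail client). The RMM product name, agent file name, install directory and every event line are assumptions; only the GreenVelopeCard file name comes from the article.

```python
import re

# Assumed (not from the campaign write-up): the RMM product the organisation
# licenses, its agent's real file name, and the only directory IT installs it
# from. Vendor metadata that does not match both is an unsanctioned deployment.
APPROVED_RMM_PRODUCT = "approvedrmm agent"
APPROVED_RMM_IMAGE = "approvedrmm_agent.exe"
APPROVED_RMM_DIR = "c:\\program files\\approvedrmm\\"
# Parents that should never launch an executable named like an event invitation.
USER_FACING_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
INVITE_NAME = re.compile(r"(invite|invitation|card|evite|rsvp)", re.I)

def parse_event(line: str) -> dict:
    """Turn a constructed, Sysmon-style key="value" line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def analyse(line: str) -> list[str]:
    """Return the reasons a single process-creation event looks like RMM abuse."""
    ev = parse_event(line)
    image = ev.get("Image", "")
    name, parent = basename(image), basename(ev.get("ParentImage", ""))
    product = ev.get("Product", "").lower()
    reasons = []
    # Wave 2 tell 1: the approved agent running from an unapproved directory.
    if name == APPROVED_RMM_IMAGE and not image.lower().startswith(APPROVED_RMM_DIR):
        reasons.append(f"RMM agent outside deployment path: {image}")
    # Wave 2 tell 2: RMM vendor metadata under a disguised file name.
    if product == APPROVED_RMM_PRODUCT and name != APPROVED_RMM_IMAGE:
        reasons.append(f"RMM binary renamed to {name}")
    # Wave 1 -> 2 hand-off: an "invitation" executable spawned by mail or browser.
    if name.endswith(".exe") and INVITE_NAME.search(name) and parent in USER_FACING_PARENTS:
        reasons.append(f"invitation-themed executable launched from {parent}")
    return reasons

# Constructed sample events; only the file name in event 2 is taken from the article.
SAMPLE_EVENTS = [
    r'Id="1" Image="C:\Program Files\ApprovedRMM\approvedrmm_agent.exe" ParentImage="C:\Windows\System32\services.exe" Product="ApprovedRMM Agent"',
    r'Id="2" Image="C:\Users\jdoe\Downloads\GreenVelopeCard.exe" ParentImage="C:\Program Files\Mozilla Firefox\firefox.exe" Product="ApprovedRMM Agent"',
    r'Id="3" Image="C:\Users\jdoe\AppData\Local\Temp\approvedrmm_agent.exe" ParentImage="C:\Windows\explorer.exe" Product="ApprovedRMM Agent"',
    r'Id="4" Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" Product="Microsoft Windows"',
]

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map event Id -> reasons for every event that produced at least one finding."""
    out: dict[str, list[str]] = {}
    for line in lines:
        reasons = analyse(line)
        if reasons:
            out[parse_event(line).get("Id", "?")] = reasons
    return out

if __name__ == "__main__":
    for eid, reasons in scan(SAMPLE_EVENTS).items():
        print(eid, "->", "; ".join(reasons))
```

Events 1 and 4 produce no findings; event 2 trips both the renamed-binary and invitation-from-browser checks, and event 3 trips the out-of-path check.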

[CONTINUED] Blog post with links and extensive screenshots:
https://blog.knowbe4.com/the-skeleton-key-how-attackers-weaponize-trusted-rmm-tools-for-backdoor-access

[Live Demo] Ridiculously Easy AI-Powered Security Awareness Training and Phishing

Phishing and social engineering remain the #1 cyber threat to your organization, with 68% of data breaches caused by human error. Your security team needs an easy way to deliver personalized training—this is precisely what our AI Defense Agents provide.

Join us for a demo showcasing KnowBe4's leading-edge approach to human risk management with agentic AI that delivers personalized, relevant and adaptive security awareness training with minimal admin effort.

See how easy it is to train and phish your users with KnowBe4's HRM+ platform:

  • NEW! Deepfake Training Content - Generate hyperrealistic deepfakes of your own executives to prepare users to spot AI-driven manipulation and deepfakes
  • SmartRisk Agent™ - Generate actionable data and metrics to help you lower your organization's human risk score
  • Template Generator Agent - Create convincing phishing simulations, including Callback Phishing, that mimic real threats. The Recommended Landing Pages Agent then suggests appropriate landing pages based on AI-generated templates
  • Automated Training Agent - Automatically identify high-risk users and assign personalized training
  • Knowledge Refresher Agent and Policy Quizzes Agent - Reinforce your security program and organizational policies

See how these powerful AI-driven features work together to dramatically reduce your organization's risk while saving your team valuable time.

Date/Time: Wednesday, February 4 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/kmsat-demo-2?partnerref=CHN

New Phishing Campaign Spreads Via LinkedIn Comments

A widespread phishing campaign is targeting LinkedIn users by posting comments on users' posts, BleepingComputer reports.

Threat actors are using bots to post the comments, which impersonate LinkedIn itself and inform the user that their account has been restricted due to policy violations. The comments contain links to supposedly allow the user to appeal the restriction.

"These posts falsely claim that the user has 'engaged in activities that are not in compliance' with the platform and that their account has been 'temporarily restricted' until they visit the specified link in the comment," BleepingComputer says.

"The fabricated reply bearing the LinkedIn logo…appears fairly convincing depending on how viewers are interacting with the comments area and on what device."

These links lead to convincingly spoofed LinkedIn login portals designed to steal users' Google, Microsoft or Apple credentials. Some of the attacks are particularly difficult to spot because they use LinkedIn's official URL shortener, which replaces the suspicious-looking phishing link with a short "lnkd.in" URL.

A LinkedIn spokesperson told BleepingComputer that the company is working to take action against this campaign, adding, "It's important to note that LinkedIn does not and will not communicate policy violations to our members through public comments, and we encourage our members to make a report if they encounter this suspicious behavior. This way we can review and take the appropriate action."

BleepingComputer notes, "Users should remain vigilant and avoid interacting with comments, replies or private messages that appear to impersonate LinkedIn and urge recipients to click external links."

Warn your users. Blog post with links:
https://blog.knowbe4.com/new-phishing-campaign-spreads-via-linkedin-comments

Critical Capabilities When Evaluating Integrated Cloud Email Security

Email is still the #1 way cybercriminals get into your organization. Every day, your users face threats like credential phishing, business email compromise (BEC), ransomware and accidental data loss — all aimed directly at their inboxes. And if you're relying on traditional, gateway-based email security to stop these threats, you're leaving your organization insecure.

Modern attacks have evolved. Your defenses need to evolve, too.

This whitepaper, Critical Capabilities When Evaluating Integrated Cloud Email Security, is a must-read for IT and Security Operations (SecOps) teams looking to close email security gaps in Microsoft 365, Google Workspace and other cloud-first environments.

What's Inside:

  • Core Threat Protection Capabilities: Look beyond the basics. Get clarity on how to stop advanced threats that slip through traditional defenses — including AI-driven phishing attacks, payload-less BEC and targeted malware.
  • Outbound Security and Data Loss Prevention: It's not just about what gets in. Learn how to prevent sensitive data from leaking out, whether through misdirected emails, insider mistakes or malicious exfiltration attempts.
  • Visibility, Management and Reporting: Security without visibility is just guesswork. Find out why detailed logging, user behavior insights and centralized reporting are non-negotiable for today's SecOps teams.
  • Cloud-Native Architecture and Integrations: Legacy bolt-ons slow you down. Discover why a true cloud-native platform — one that integrates seamlessly with your existing stack — is critical for performance, scale and ease of use.

Download Now:
https://info.knowbe4.com/critical-capabilities-when-evaluating-integrated-cloud-email-security-chn

Report: Scammers Stole $17 Billion Worth of Crypto Last Year

Scammers stole an estimated $17 billion worth of cryptocurrency in 2025, according to a new report from Chainalysis. Notably, the report found that AI-assisted scams stole 4.5 times more money than scams that didn't leverage AI.

"Our analysis reveals that, on average, scams with on-chain links to AI vendors extract $3.2 million per operation compared to $719,000 for those without an on-chain link — 4.5 times more revenue per scam," the researchers write.

"These AI-related operations also demonstrate significantly greater time-weighted efficiency. … These metrics suggest both higher operational efficiency and potentially broader victim reach.

"The increased transaction volume indicates that AI is enabling scammers to reach and manage more victims simultaneously, a trend consistent with the industrialization of fraud we've been tracking. In contrast, the increased scam volume suggests that AI is likewise making scams more persuasive."

These scams are also driven by sophisticated phishing kits that allow unskilled threat actors to launch industrial-scale fraud operations.

"Many of these campaigns have a social media angle, given that such platforms provide access to millions of users, and are thus prime targets for sending automated messages," the report says.

"In such cases, scammers may buy bulk social media profiles and use SMS and phishing kits to communicate. The material impact of this large-scale industrialization cannot be understated. Scams leveraging these phishing kits are 688 times more effective in dollar terms and four times more effective in average transaction size than regular scams.

"Scams that buy bulk social media accounts are likewise 238 times more effective in dollar terms and two times more effective in average transaction value compared to regular scams."

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/report-scammers-stole-17-billion-worth-of-crypto-last-year

Phishing Security Test: Free Anti-Phishing Tool

Did you know that 91% of successful data breaches started with a spear phishing attack? Find out what percentage of your employees are Phish-prone™ with your free Phishing Security Test. Plus, see how you stack up against your peers with the new phishing Industry Benchmarks!

IT pros have realized that simulated phishing tests are urgently needed as an additional security layer. Today, phishing your own users is just as important as having an antivirus and a firewall. It is a fun and an effective cybersecurity best practice to patch your last line of defense: USERS.

Why? If you don't do it yourself, the bad actors will.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

The Phish-prone Percentage is usually higher than you expect and is great ammo to get budget. Start phishing your users now. Fill out the form, and get started immediately!

Sign Up:
https://info.knowbe4.com/phishing-security-test-em-chn


Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: [See It here First] NEW Infographic: Humans + AI: Better Than Your SEG:
https://www.knowbe4.com/hubfs/Humans-Plus-AI-Better-Than-SEG-Infographic_en-US.pdf

PPS: My new book Agent-Powered Growth is a National Bestseller! You want to get your own copy and tell your marketing team to get theirs:
https://stu-sjouwerman.multiscreensite.com/

Quotes of the Week  
"Act as if what you do makes a difference. It does."
- William James - Philosopher (1842 - 1910)

"There is nothing so useless as doing efficiently that which should not be done at all."
- Peter Drucker - Management Consultant (1909 - 2005)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-04-the-skeleton-key-how-attackers-weaponize-trusted-rmm-tools-for-backdoor-access

Security News

Weaponized AI Tools Are Leading to Industrial-Scale Cybercrime

Weaponized AI tools have helped industrialize cybercrime, giving unskilled threat actors access to platforms that can launch sophisticated attacks, according to a new report from Group-IB.

"Unlike earlier waves of cybercrime, AI adoption by threat actors has been strikingly fast," the researchers write. "AI is now firmly embedded as core infrastructure throughout the criminal ecosystem rather than an occasional exploit.

"AI crimeware typically falls into three main categories: LLM exploitation, phishing and social engineering automation, and malware and tooling. These dark web offerings are affordable and often bundled together to make them more attractive to potential buyers."

AI tools can help threat actors at every stage of an attack, leading to faster and more advanced intrusions.

"While phishing kits made fraud more accessible and scalable by lowering the technical threshold, weaponized AI goes further," Group-IB says. "It compresses the entire attack lifecycle — from initial reconnaissance and weaponization to maintaining persistence within compromised systems.

"What's more, it scales effortlessly and tailors attacks with precision, making it possible for even inexperienced threat actors — with limited technical and financial resources — to launch sophisticated, high-impact campaigns against even the largest organizations.

"Adoption of GenAI is equally beneficial for more sophisticated and advanced actors, providing opportunities for faster, more scalable and evasive operations." Notably, these criminal platforms are professionally made and only cost about $30 per month. "Novices now have easy, affordable, subscription-based access to Deepfake-as-a-Service, automated phishing kit generators and DarkLLMs fine-tuned on malicious datasets," the researchers write.

"Vendors often mimic aspects of legitimate SaaS businesses—from pricing tiers to regular updates and customer support—and bundle products and services to augment their capabilities and make them more attractive to potential buyers. These dark web offerings are affordable, flexible and tailored to different use cases and campaign requirements."

KnowBe4 empowers your workforce to make smarter security decisions every day.

Group-IB has the story:
https://www.group-ib.com/media-center/press-releases/weaponised-ai-cybercrime/

[OUCH] Report: 4 in 10 Employees Have Never Received Cybersecurity Training

Forty percent of employees have never received cybersecurity training, according to a new report from Yubico. That number rises to nearly 60% for employees working for small businesses. The report surveyed 18,000 employed adults from the U.S., the UK, Australia, India, Japan, France, Germany, Singapore and Sweden.

"Our research finds that four in 10 (40%) employees have never received training on cybersecurity in any form," Yubico says. "Furthermore, 44% of companies wait longer than three-five months to update their cybersecurity policies. These two statistics suggest that close to half of employees were never introduced to their company's security guidelines in the first place, and roughly half of those that were given cybersecurity training are operating on outdated data.

"With new attack techniques emerging on a near-constant basis and the rise of AI-based threats, inconsistent cybersecurity training habits leave many organizations and their workforce in a constant state of vulnerability."

Additionally, Yubico warns that AI tools are making phishing attacks more convincing, and 70% of respondents couldn't tell the difference between an AI-generated phishing message and a human-written one.

"We found that of those who have been tricked by phishing messages, 34% of respondents said the reason they fell for the ruse was that it appeared to come from a trusted source," the report says. "With AI's ability to cater to specific individuals and draw from vast amounts of data, this finding shows how AI is allowing these types of threats to grow and become more successful."

Yubico concludes that employees need to be made aware of evolving cybersecurity threats in order to thwart these attacks.

"Educational programs must emphasize the importance of both professional and personal cybersecurity, giving employees a deep understanding of how personal habits can impact workplace security," the report says. "Regular training sessions are essential in today's rapidly changing threat landscape, and organizations should provide a steady stream of education on emerging risks, including assessments to ensure knowledge retention."

Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Cybersecurity Intelligence has the story:
https://www.cybersecurityintelligence.com/blog/executive-cyber-vulnerability-is-a-growing-risk-9028.html

What KnowBe4 Customers Say

"Bryan, a Happy New Year to you and the staff. We are very happy with both the KnowBe4 platform and the localized Japan support provided. The system has the features and functionality we need to enhance our IS/Privacy culture, an ongoing organizational goal of the Executive Director.

"I wanted to share with you my appreciation for two KnowBe4 Staff members who were instrumental in our successful implementation: Rika O. assisted with the subscription selection, quotation and payment processing making these necessary steps go smoothly and efficiently.

"Marie I., our Customer Success Manager, was extremely helpful in our initial setup & configuration of the platform. We were able to launch a Phishing Simulation as well as an organizational-wide training course within weeks of us inking the deal.

"We certainly are Happy Campers and look forward to our usage of KnowBe4 in 2026 & beyond."

- T.G., Senior Operational & Tech Advisor Japan


"Thanks, so far so good. Pretty good training sessions with one of your intro trainers, Monserrat!"

- Z.R., Chief Technology Officer

Interesting News Items This Week
  1. Spoofed phishing sites will likely target the 2026 Winter Olympics:
    https://www.infosecurity-magazine.com/news/phishing-spoofed-sites-olympic/

  2. Jordanian pleads guilty to selling access to 50 corporate networks:
    https://www.bleepingcomputer.com/news/security/jordanian-pleads-guilty-to-selling-access-to-50-corporate-networks/

  3. Hacker admits to leaking stolen Supreme Court data on Instagram:
    https://www.bleepingcomputer.com/news/security/hacker-admits-to-leaking-stolen-supreme-court-data-on-instagram/

  4. [FUN] [KINDA] Greek police arrest scammers using fake cell tower hidden in car trunk:
    https://therecord.media/greek-police-arrest-scammers-using-hidden-cell-towers

  5. Over 160,000 Companies Notify Regulators of GDPR Breaches:
    https://www.infosecurity-magazine.com/news/160000-companies-regulator-gdpr/

  6. Phishing campaign targets LastPass users:
    https://blog.lastpass.com/posts/new-phishing-campaign-targeting-lastpass-customers

  7. AI tools struggle to detect AI-generated videos:
    https://www.newsguardrealitycheck.com/p/ai-fools-itself-top-chatbots-dont

  8. Android malware uses AI to conduct click fraud:
    https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ai-to-click-on-hidden-browser-ads/

  9. Google's Gemini can be tricked by malicious calendar invites:
    https://www.miggo.io/post/weaponizing-calendar-invites-a-semantic-attack-on-google-gemini

  10. Major spam campaign exploits unsecured Zendesk instances:
    https://www.bleepingcomputer.com/news/security/zendesk-ticket-systems-hijacked-in-massive-global-spam-wave/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
