
Phishing Campaigns Exploit RMM Tools to Sustain Remote Access

  • September 16, 2025

TripleHelix
Moderator

September 15, 2025


A sophisticated phishing operation has been uncovered in which attackers deploy remote monitoring and management (RMM) tools—ITarian (formerly Comodo), PDQ Connect, SimpleHelp, and Atera—to gain persistent remote access to compromised systems.

By disguising malicious installers as legitimate browser updates, meeting or party invitations, and government forms, adversaries exploit users’ trust in commonly used IT administration software.

Security researchers at Red Canary Intelligence and Zscaler threat hunters have uncovered RMM-based phishing by first establishing a strict allowlist of sanctioned remote administration tools and baseline behaviors for each.

Attackers have centered this campaign around four distinct social engineering lures. The fake browser update ploy redirects users from sports or medical-care themed websites to an overlay prompting a “Chrome update.”

[Figure: Fake Google Chrome update.]

Beneath the full-screen iframe lies injected JavaScript that fingerprints browsers, harvests geolocation data via language settings, and funnels interaction logs to command-and-control (C2) domains such as panelswp[.]com and dragonshop[.]cloud.

Once victims click the update button, they instead download the ITarian MSI installer signed by Comodo, which launches a malicious DicomPortable.exe and sideloads rogue Qt5Core.dll or sciter32.dll libraries to install HijackLoader or the DeerStealer infostealer.

Meeting invitations mimic Microsoft Teams or Zoom updates to drop PDQ Connect or Atera installers. Those payloads masquerade as legitimate meeting software with filenames like MicrosoftTeams.msi.

Attackers exploit Cloudflare R2 object storage—using URLs in the form pub-<32-character>.r2.dev—to host Atera installers, a classic living-off-trusted-services tactic.

Upon execution, the AteraAgent process registers a fake IntegratorLogin parameter with adversary-controlled email accounts, exposing unauthorized tenants to remote commands.

Party e-invite lures distribute MSI files labeled “Party Card Viewer” or “E-Invite,” deploying PDQ Connect or Atera via phishing emails.

SimpleHelp emerges through an einvite.exe payload from go-envitelabel[.]com and promptly installs ConnectWise’s ScreenConnect signed with a revoked certificate.

Government-form-themed pages impersonating IRS W-9s or Social Security statements deliver PDQ Connect or SimpleHelp installers, some of which chain to additional RMM tools through secondary executables.

Phishing domains include onlinebazar[.]us and statementsonlineviewer[.]com, often hosting fake IRS dashboards.

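Added example, not code from the post or the reports it summarizes, of the allowlist-and-baseline approach the post mentions: constructed endpoint events are triaged against a sanctioned-RMM allowlist, the mail domain in an Atera IntegratorLogin is checked against the organization's domain, and RMM-vendor-signed installers named like meeting or browser updates are flagged. The allowlist, org domain, sample events, placeholder process names and the exact IntegratorLogin command-line form are assumptions; only AteraAgent, IntegratorLogin and MicrosoftTeams.msi come from the post.

```python
import re

# Sanctioned RMM tools and the only mail domain an Atera enrolment may use
# (both constructed for this example).
ALLOWED_RMM = {"Atera"}
ORG_MAIL_DOMAIN = "example.org"

# Image name -> RMM product. AteraAgent is named in the post; the other
# entries are placeholder names, not the vendors' real binary names.
RMM_IMAGES = {
    "ateraagent.exe": "Atera",
    "pdq-connect-agent.exe": "PDQ Connect",   # placeholder
    "simplehelp-remote.exe": "SimpleHelp",    # placeholder
    "itarian-agent.exe": "ITarian",           # placeholder
}
RMM_VENDORS = {"Atera", "PDQ", "SimpleHelp", "ITarian", "Comodo"}
# Installer names that mimic non-RMM software, per the post's lures.
LURE_NAMES = re.compile(r"(microsoftteams|zoom|chrome.*update)", re.I)
# Assumed form of the enrolment parameter: IntegratorLogin=<email>.
INTEGRATOR_RE = re.compile(r"IntegratorLogin=([^\s@]+@([\w.-]+))", re.I)

def triage(event: dict) -> list[str]:
    """Return findings for one process-creation or installer event."""
    findings = []
    image = event["path"].rsplit("\\", 1)[-1].lower()
    tool = RMM_IMAGES.get(image)
    if tool and tool not in ALLOWED_RMM:
        findings.append(f"unsanctioned RMM tool: {tool}")
    # Atera enrolled to a tenant whose login e-mail is outside the org.
    m = INTEGRATOR_RE.search(event.get("cmdline", ""))
    if tool == "Atera" and m and m.group(2).lower() != ORG_MAIL_DOMAIN:
        findings.append(f"Atera enrolled to foreign tenant: {m.group(1)}")
    # MSI named like meeting/browser software but signed by an RMM vendor.
    if image.endswith(".msi") and LURE_NAMES.search(image) \
            and event.get("signer") in RMM_VENDORS:
        findings.append(f"RMM installer masquerading as {image}")
    return findings

def triage_all(events: list[dict]) -> dict[str, list[str]]:
    """Map each event path to its findings (empty list = nothing flagged)."""
    return {e["path"]: triage(e) for e in events}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"path": r"C:\Program Files\ATERA\AteraAgent.exe",
     "cmdline": "AteraAgent.exe /IntegratorLogin=it-admin@example.org"},
    {"path": r"C:\Users\u\Downloads\AteraAgent.exe",
     "cmdline": "AteraAgent.exe /IntegratorLogin=ops@attacker-mail.test"},
    {"path": r"C:\Users\u\Downloads\MicrosoftTeams.msi", "signer": "PDQ"},
    {"path": r"C:\Users\u\Downloads\pdq-connect-agent.exe", "cmdline": ""},
    {"path": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k"},
]
```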