Incident responders, s'il vous plait: Invites lead to odd malware events
ID: d3e22e60-c4db-59a9-892b-066e38b05ccd
STIX ID: report--d3e22e60-c4db-59a9-892b-066e38b05ccd
Feed Name: Sophos Blogs
Sophos MDR observed a phishing campaign (tracked as STAC6405) that tricks recipients into installing legitimate RMM tools (LogMeIn Resolve / ScreenConnect) preconfigured to give the attackers unattended remote access. In a subset of cases the actors then delivered and executed additional malicious payloads: an infostealer packed with HeartCrypt and a Java-based RAT/remote access payload. The campaign affected over 80 organizations (mostly in the US), used multiple attacker-controlled domains and at least one C2 IP (45.56.162.138), relied on living-off-the-land techniques and delayed-execution/LOLBIN injection to evade detection, and shows indicators of ongoing activity.
