GoToResolve: The Legitimately Signed Backdoor Your EDR Will Never Flag
TL;DR: An active campaign is weaponizing GoToResolve -- a legitimate, DigiCert-signed remote monitoring and management tool -- as a persistent backdoor delivered through VBScript droppers and silent MSI installation. We identified 18 unique samples across six social engineering themes (SSA/Social Security fraud, Zoom impersonation, Adobe Reader, party invitations, Portuguese budget documents), distributed via Dropbox and catbox.moe, and controlled through two GoTo accounts created months apart. The relay infrastructure sits on Cloudzy/FranTech bulletproof hosting -- the same provider documented by Halcyon Research in 2023 as servicing Iranian state-sponsored APTs and Lazarus Group. Because the installed binary is a real GoToResolve agent signed by GoTo Technologies USA, LLC with a valid certificate chain, most endpoint protection will wave it through without a second look. The threat actor's CompanyId, public key, and account creation timestamps were extracted directly from the MSI's digital signature padding area, turning GoTo's own infrastructure into an attribution surface.
Why This Matters More Than Another RMM Abuse Report
CISA warned about this in 2023. Advisory AA23-025A laid out the playbook: threat actors abuse legitimate remote access software to bypass security controls, because the software itself is not malicious. Three years later, the playbook has not changed -- but the execution has gotten sharper.
This campaign is not a threat actor installing GoToResolve after gaining initial access. This is GoToResolve as the initial access vector. The MSI installer is the payload. The social engineering gets the victim to run it. And once that signed binary registers itself as a Windows service and phones home to GoTo's legitimate AWS-hosted console infrastructure, the threat actor has persistent, authenticated remote access through a tool that your IT department might already have on its approved software list.
The reason we are writing about this -- and not just filing IOCs into a MISP instance -- is that this campaign reveals something about GoTo's architecture that defenders need to understand: the unattended MSI installer uses a certificate padding injection technique to embed account-specific configuration data (CompanyId, public keys, API endpoints) directly into the digital signature's padding area. This means every MSI sample carries a forensic fingerprint of the GoTo account that generated it. We extracted two distinct accounts, mapped their creation timestamps, and can now track this operator's infrastructure evolution from September 2025 through the present day.
The Attack Chain: From Phishing Lure to Persistent RMM Agent
The kill chain is deceptively simple, which is exactly what makes it effective.
[Social Engineering Email/Message]
|
v
[VBS Dropper] -- hosted on Dropbox or catbox.moe
| -- opens decoy PDF to maintain illusion
| -- UAC elevation via ShellExecute "runas"
v
[msiexec /i installer.msi /quiet /norestart]
|
v
[GoToResolve Unattended MSI]
| -- validly signed by GoTo Technologies USA, LLC
| -- CompanyId injected into certificate padding area
| -- single confirmation dialog (social engineering text)
v
[unattended-updater.exe -regsvc]
| -- installs as Windows service
| -- registers with devices-iot.console.gotoresolve.com
| -- persistent remote access via GoTo cloud relay
v
[Threat Actor's GoTo Console] -- full remote desktop, file transfer, CLI
| -- relayed through Cloudzy/FranTech bulletproof hosting
v
[Actions on Objectives] -- data theft, lateral movement, further payloads
Every component in this chain after the VBS dropper is legitimate software executing through legitimate channels. The MSI is signed. The binary is real GoToResolve. The console traffic goes to GoTo's actual AWS infrastructure. The only things that are "malicious" are the social engineering wrapper and the threat actor sitting at the other end of the GoTo console.
This is the fundamental problem with RMM abuse: there is no malware to detect, only misuse of a legitimate administrative tool.
What Was Found vs. What Was Known
Before this investigation, public reporting on this campaign was limited to a handful of MalwareBazaar submissions with relay IP tags. No one had mapped the full scope.
| Aspect | Prior Reporting | Our Findings |
|---|---|---|
| Samples | Single sample (JeroenGui submission, Belgium) | 18+ samples across 6 social engineering themes |
| GoTo Accounts | Unknown | 2 accounts with CompanyIds, public keys, and creation timestamps |
| Relay Infrastructure | 3 IPs tagged on MalwareBazaar | Full attribution to Cloudzy/FranTech BPH; OneDrive URL spoofing domain mapped |
| Droppers | Unknown | 2 VBS dropper variants -- catbox.moe and Dropbox delivery chains |
| Campaign Timeline | Single day (March 10) | Active since at least September 29, 2025 (first account creation) |
| Targeting | Belgium (origin of one submission) | US (SSA lures), Brazil (Portuguese filenames), Belgium, general corporate |
| MSI Internals | Not analyzed | Certificate padding injection mechanism fully documented; custom DLL exports mapped |
The jump from "one sample from Belgium" to "18 samples, two accounts, six themes, three relay IPs, two dropper variants, and five months of activity" is the difference between an indicator and an investigation.
Inside the MSI: Where GoTo's Architecture Becomes an Attribution Surface
The primary sample we analyzed is MeetingApp.msi, submitted to MalwareBazaar on March 10, 2026.
| Attribute | Value |
|---|---|
| SHA-256 | c1ee59108378686091c53a1259db7f467e3f3301b73f2f2523f70235ae11f68f |
| MD5 | cf63b84499450bb2ae2a4595b5cafce6 |
| File Type | MSI (Windows Installer) |
| Size | 24,530,944 bytes (~23.4 MB) |
| Author | LogMeIn, Inc. |
| Product | LogMeIn Resolve Unattended v1.31.1.908 |
| Compilation Date | 2026-01-30 07:35:10 UTC |
| Code Signing | GoTo Technologies USA, LLC (DigiCert, VALID through 2028) |
| Cert Serial | 0ead3a3ffa70c0a20ae2368189935153 |
| Built With | WiX (Windows Installer XML) |
At 23 megabytes, this is not a dropper -- it is a full, production-grade RMM agent installer. The MSI contains a single embedded file: unattended-updater.exe, a 24.5MB PE32 binary compiled from GoTo's own CI/CD pipeline (PDB path: C:\a\rescue-native-rescueassist\...\GoToResolveUnattendedUpdater.pdb). This is the real thing. GoTo built it.
The interesting part is not the binary itself but how the threat actor personalizes it.
The Certificate Padding Injection
GoTo's MSI distribution model uses a custom mechanism to bind installers to specific customer accounts. When a GoTo customer generates an unattended MSI from their console, the backend injects a JSON configuration blob into the padding area of the MSI's digital signature. This padding area exists within the Authenticode signature structure but is not covered by the signature's hash calculation -- meaning you can modify it without invalidating the signature.
The MSI includes a custom action DLL (installerCustomActions.dll, 845KB) with a very descriptive export name:
extractParamsFromMSICertsPaddedArea
This DLL reads the injected JSON at install time and sets MSI properties accordingly. The MSI's Property table has CompanyId set to the placeholder [GetsReplacedByBackend] -- literally a marker waiting for the injection.
Here is the configuration we extracted from the current campaign's MSI:
{
"publickey": "032ce4d95ef46a4f8da215857ca9c9e4ab7e9da7bdfa6c904654325f31d25934",
"WebsiteUrl": "devices-iot.console.gotoresolve.com",
"BaseUrl": "https://devices-iot.console.gotoresolve.com/",
"CompanyId": "81851397630695225",
"Product": 6,
"LogLevel": "2",
"Offline": "0",
"FleetTemplateName": "syn-prd-ava-unattended",
"Namespace": "syn-prd-ava-unattended",
"HealthCheckUrl": "https://health.console.gotoresolve.com/devices",
"CreatedAt": "1771586072149",
"SessionBackendUrl": "https://sessions.console.gotoresolve.com",
"AppletGeneratorUrl": "https://applet.console.gotoresolve.com",
"Region": "global",
"CustomBranding": "0",
"CustomBrandingTitle": "",
"CustomBrandingUrl": "https://custombranding.console.gotoresolve.com"
}
Every field here is an attribution data point. The CompanyId identifies the specific GoTo account. The publickey is bound to that account's cryptographic identity. The CreatedAt timestamp, when converted from epoch milliseconds, gives us 2026-02-20 11:14:32 UTC -- the exact moment this GoTo account was created.
And there are two accounts.
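The extraction described above, as an added example that is not code from the original post or from GoTo: a Python script that recovers the injected account configuration from an MSI sample, converts CreatedAt to UTC and flags the two campaign CompanyIds. It assumes the JSON blob sits in the file as plain ASCII (the YARA rule later on the page matches the CompanyId as an ASCII string), so it scans the raw bytes for a brace-balanced object containing "CompanyId" rather than walking the Authenticode structure; the MSI bytes below are constructed, not a real sample.

```python
"""Pull the injected GoTo account configuration out of an unattended GoToResolve MSI.

Added example, not code from the original post or from GoTo. Assumption: the JSON
blob sits in the file as plain ASCII, so scanning the raw bytes for a brace-balanced
object containing "CompanyId" recovers it without walking the Authenticode structure.
"""
import json
from datetime import datetime, timezone
from typing import List, Optional

MSI_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header

# CompanyIds recovered from the campaign (table above), for triage.
KNOWN_CAMPAIGN_ACCOUNTS = {
    "5521834706441227281": "Account 1 (older wave, created 2025-09-29)",
    "81851397630695225": "Account 2 (current wave, created 2026-02-20)",
}

# Constructed stand-in for an MSI: header, a GUID in braces and the pre-injection
# placeholder (both decoys for a naive brace search), the injected config, filler.
SAMPLE_MSI = (
    MSI_MAGIC + b"\x00" * 64
    + b"{6F923F04-FB58-4346-85A8-7B1DC182AFF0}"
    + b"\x00CompanyId[GetsReplacedByBackend]\x00"
    + json.dumps({
        "publickey": "032ce4d95ef46a4f8da215857ca9c9e4ab7e9da7bdfa6c904654325f31d25934",
        "WebsiteUrl": "devices-iot.console.gotoresolve.com",
        "CompanyId": "81851397630695225",
        "FleetTemplateName": "syn-prd-ava-unattended",
        "CreatedAt": "1771586072149",
    }).encode("ascii")
    + b"\x00" * 128
)


def _balanced_end(data: bytes, start: int) -> int:
    """Index of the '}' that closes the object opened at data[start], or -1."""
    depth = 0
    for i in range(start, len(data)):
        if data[i] == 0x7B:        # '{'
            depth += 1
        elif data[i] == 0x7D:      # '}'
            depth -= 1
            if depth == 0:
                return i
    return -1


def find_json_objects(data: bytes, marker: bytes = b"CompanyId") -> List[dict]:
    """Return every parseable brace-balanced JSON object in data that contains marker."""
    objects = []
    pos = data.find(marker)
    while pos != -1:
        start = data.rfind(b"{", 0, pos)
        end = _balanced_end(data, start) if start != -1 else -1
        if end != -1:
            try:
                objects.append(json.loads(data[start:end + 1].decode("ascii")))
            except (UnicodeDecodeError, json.JSONDecodeError):
                pass  # GUID braces or property-table text, not the config blob
        pos = data.find(marker, pos + len(marker))
    return objects


def extract_goto_config(data: bytes) -> Optional[dict]:
    """Return the injected configuration, or None if data is not an MSI or has no blob."""
    if not data.startswith(MSI_MAGIC):
        return None
    for obj in find_json_objects(data):
        if {"CompanyId", "publickey", "CreatedAt"}.issubset(obj):
            return obj
    return None


def created_at_utc(epoch_ms: str) -> str:
    """Convert the CreatedAt epoch-millisecond string to a UTC timestamp."""
    ts = datetime.fromtimestamp(int(epoch_ms) // 1000, tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S UTC")


def attribution_summary(data: bytes) -> Optional[dict]:
    """Condense the blob into the fields worth pivoting on."""
    cfg = extract_goto_config(data)
    if cfg is None:
        return None
    company_id = cfg["CompanyId"]
    return {
        "company_id": company_id,
        "public_key": cfg["publickey"],
        "fleet_template": cfg.get("FleetTemplateName", ""),
        "console": cfg.get("WebsiteUrl", ""),
        "account_created": created_at_utc(cfg["CreatedAt"]),
        "known_campaign_account": KNOWN_CAMPAIGN_ACCOUNTS.get(company_id, ""),
    }
```

Running `attribution_summary(open(path, "rb").read())` over a quarantined sample gives the same five pivots the table in the next section lists, and the `known_campaign_account` field is non-empty only for the two CompanyIds already tied to this operator.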
Two Accounts, Five Months Apart
By analyzing the certificate padding across all 18 samples, we extracted configuration data from two distinct GoTo accounts:
| Parameter | Account 1 (Older Wave) | Account 2 (Current Wave) |
|---|---|---|
| CompanyId | 5521834706441227281 | 81851397630695225 |
| Public Key | 6b6e7b198019d978... | 032ce4d95ef46a4f... |
| Created | 2025-09-29 01:12:41 UTC | 2026-02-20 11:14:32 UTC |
| Fleet Template | syn-prd-ava-unattended | syn-prd-ava-unattended |
| Cert Serial | 0e0c8767bb2d4fefc2d617df11ce1b89 | 0ead3a3ffa70c0a20ae2368189935153 |
| Samples Linked | 4 (invitations, Adobe Reader) | 13 (SSA, Zoom, MeetingApp) |
Account 1 was created on September 29, 2025. Account 2 was created on February 20, 2026 -- nearly five months later. The older account is associated with four samples using invitation and Adobe Reader themes. The newer account is tied to thirteen samples spanning SSA fraud, Zoom impersonation, and meeting application lures.
The account rotation suggests either that Account 1 was burned (reported to GoTo, flagged by defenders) or that the operator simply prefers fresh infrastructure for each campaign wave. Either way, the shared fleet template (syn-prd-ava-unattended) and consistent operational patterns link both accounts to the same threat actor.
This also means GoTo's Trust & Safety team has actionable data: two CompanyIds, two public keys, two cert serials. If those accounts have not already been terminated, they should be.
The Droppers: Two Flavors of VBScript
The MSI files do not distribute themselves. The delivery layer consists of VBScript droppers that handle the download, decoy display, and silent installation.
Variant 1: The catbox.moe Dropper
| Attribute | Value |
|---|---|
| SHA-256 | 2c2597aa2a1c69d26cf426ce1b13aa0292f570607b93d6ace05cfb999d101fbd |
| Size | 2,663 bytes |
| First Seen | 2026-03-08 |
| Detection | Kaspersky: Trojan-Downloader.Agent.HTTP.C&C |
This is the simpler variant. It downloads the MSI from files[.]catbox[.]moe, simultaneously opens a decoy PDF (also from catbox.moe) to maintain the illusion that the victim received a real document, then executes msiexec /i /qn for silent installation.
The obfuscation is minimal but functional: character substitution replaces XMLHTZP with XMLHTTP at runtime, enough to dodge basic string matching but not enough to survive any sandbox worth the name.
catbox.moe is a file hosting service popular with both meme enthusiasts and malware operators. The payloads have since been nulled (content-length: 0), suggesting either platform-side takedown or operator cleanup.
Variant 2: The Dropbox Dropper (Zoom Theme)
| Attribute | Value |
|---|---|
| SHA-256 | 8259aa849ddd7f1dbe5d4074ae7c6b23a202732a7b3e346629201b2073c63f69 |
| Size | 4,147 bytes |
| First Seen | 2026-03-10 |
| Filename | ZoomInstallerUpdate8.3.vbs |
The Dropbox variant is more sophisticated in its social engineering. Named ZoomInstallerUpdate8.3.vbs and also distributed as a ZIP archive, it downloads MeetingApp.msi from Dropbox, stores it in %USERPROFILE%\Music\deployment\ -- a path that will not raise flags in casual filesystem audits -- and uses ShellExecute "runas" to trigger a UAC elevation prompt.
The obfuscation here takes a different approach: fake business software variables (license keys, compliance checks) are scattered throughout the code, creating the appearance of a legitimate deployment script to anyone who opens it in a text editor. It is social engineering within social engineering -- the outer layer tricks the victim into running it, and the inner layer tricks any analyst who glances at the source.
The Dropbox URL has since returned 404, but the file was actively hosted as recently as March 10.
Six Social Engineering Themes, One Campaign
The breadth of social engineering themes is what elevates this from opportunistic script kiddie to organized campaign. Eighteen samples is not one operator testing a payload -- it is a distribution operation with segmented targeting.
Theme 1: SSA/Social Security (8 samples) -- US Targeting
The largest cluster. Eight MSI files with names like SSA_Statement.msi, SSA-E-Statementpdf.msi, and SSA ADMIN_STATEMENT.msi, all first seen between February 27 and March 7, 2026. These target US citizens with fake Social Security Administration statements -- a lure that is particularly effective against elderly populations who may be less likely to question an "official" document request.
| SHA-256 (truncated) | Filename | First Seen |
|---|---|---|
| a87d9091e26c... | SSA_Statement.msi | 2026-03-07 |
| 73813e7ab280... | SSA-E-Statementpdf.msi | 2026-03-07 |
| e8eed1f14fdb... | SSA ADMIN_STATEMENT.msi | 2026-02-27 |
| e1849e82dc6a... | SSA-STATEMENT-PDFADMIN.msi | 2026-02-27 |
| 2c223853deec... | SSA_Statement_pdf.msi | 2026-02-27 |
| 2e863949ec50... | SSA ADMIN_STATEMENT.msi | 2026-02-27 |
| dc972b649df9... | SSA_Statement_pdf.msi | 2026-02-27 |
| 0a0c51170da4... | SSA_E-STATEMENT_ADMIN.msi | 2026-02-27 |
Theme 2: Meeting/Zoom Applications (2 samples) -- Corporate Targeting
MeetingApp.msi and ZoomWorkspace.msi. Corporate users expect to install video conferencing software. These lures exploit that expectation.
Theme 3: Documents/PDF (2 samples) -- Generic Targeting
Documentt.exe (note the double-t typo -- OPSEC is hard) and Adobe Acrobat Reader.msi. The Adobe variant is particularly devious: who questions installing a PDF reader?
Theme 4: Invitations/Party (3 samples) -- Social Engineering
PartyCard.msi, EXCLUSIVE INVITATION.msi, Reservation Card.exe. These target curiosity and social pressure -- who does not want to see their exclusive invitation?
Theme 5: Portuguese/Brazil (1 sample) -- Regional Targeting
Orcamento2026.msi (Portuguese: "Budget 2026"). First seen March 4, 2026. This sample demonstrates the operator is not limited to English-speaking targets.
Theme 6: Generic (1 sample) -- The Lazy One
LogMeInResolve_Unattended.msi. No pretense. The oldest sample in the set (February 26, 2026), this may have been an early test before the operator started wrapping the installer in themed filenames.
Relay Infrastructure: Cloudzy, FranTech, and an Iranian Connection
All three relay IPs identified in this campaign sit within the 144.172.64.0/18 CIDR block allocated to FranTech Solutions (SYNDI-5), a hosting company registered in Cheyenne, Wyoming. FranTech operates the Cloudzy VPS brand -- and if that name rings a bell, it should.
In 2023, Halcyon Research published a detailed report documenting Cloudzy/FranTech as a bulletproof hosting provider servicing Iranian state-sponsored APTs (Lyceum/Hexane), North Korea's Lazarus Group, and various ransomware operators. The provider's infrastructure has appeared in threat intelligence reporting consistently since then.
| IP | PTR Record | Hostnames | Services | Status |
|---|---|---|---|---|
| 144[.]172[.]100[.]57 | 57.100.172.144.static.cloudzy.com | 1drv[.]ms[.]arihk[.]com | Apache 2.4.58, OpenSSH 9.6p1 | LIVE |
| 144[.]172[.]92[.]213 | 213.92.172.144.static.cloudzy.com | flyneohio[.]com | nginx 1.24.0, OpenSSH 9.6p1 | LIVE |
| 144[.]172[.]92[.]217 | 217.92.172.144.static.cloudzy.com | wzjxm[.]com | nginx 1.24.0, OpenSSH 9.6p1 | LIVE |
All three IPs are live at time of investigation. The use of Cloudzy tells us something about the operator's threat model: they expect abuse reports and want a provider that will not act on them quickly. This is not an operator who accidentally rented a VPS from a sketchy host -- this is a deliberate infrastructure choice.
The OneDrive URL Spoof
The most creative piece of infrastructure in this campaign is the subdomain 1drv[.]ms[.]arihk[.]com, which resolves to 144[.]172[.]100[.]57.
Microsoft's legitimate URL shortener for OneDrive is 1drv.ms. By registering a subdomain on arihk[.]com that prepends 1drv.ms, the threat actor creates URLs that look like Microsoft OneDrive links at a casual glance. The parent domain arihk[.]com was registered on Namecheap in 2000 (likely purchased or repurposed), uses FreeDNS nameservers (ns1-4.afraid.org), and has WHOIS privacy enabled through "Withheld for Privacy ehf."
This is a small but telling OPSEC detail. The operator understands that URL inspection is a real defense layer and invested effort in making their infrastructure blend in with legitimate Microsoft services. The use of FreeDNS -- a free subdomain hosting service -- keeps costs near zero while enabling rapid subdomain creation.
The Legitimate Software Problem
Here is the core issue that makes this campaign difficult to defend against:
The GoToResolve agent installed by this campaign is not modified. It is the actual, unaltered unattended-updater.exe binary compiled by GoTo's build system. The PDB path (C:\a\rescue-native-rescueassist\...\GoToResolveUnattendedUpdater.pdb) confirms it came from GoTo's CI/CD. The code signing certificate is valid through 2028. The binary requests requireAdministrator privileges through its manifest, installs itself as a Windows service, and registers with GoTo's cloud console at devices-iot.console.gotoresolve.com -- all legitimate AWS-hosted infrastructure.
| GoTo Console Endpoint | Backend |
|---|---|
| devices-iot.console.gotoresolve.com | AWS IoT (us-east-1) |
| sessions.console.gotoresolve.com | AWS EC2 |
| applet.console.gotoresolve.com | AWS EC2 |
| health.console.gotoresolve.com | CloudFront |
| dumpster.console.gotoresolve.com | AWS EC2 (crash reporting) |
From a network perspective, the traffic between the installed agent and GoTo's cloud is indistinguishable from a legitimate GoToResolve deployment. The threat actor connects to the victim through GoTo's relay infrastructure, which then routes through the Cloudzy VPS IPs. Blocking GoTo's cloud domains would also break any authorized GoToResolve deployments in the environment.
This is the living-off-the-land problem taken to its logical extreme: the attacker is not abusing a system binary or a built-in Windows tool. They are abusing an entire commercial SaaS product.
Threat Actor Assessment
Attribution
- Confidence: LOW -- insufficient evidence for specific attribution to a known group
- Classification: Cybercrime
- Motivation: Financial -- remote access for fraud, data theft, or access-as-a-service
- Sophistication: Intermediate
The operator is skilled enough to maintain parallel delivery chains, rotate GoTo accounts, use bulletproof hosting, and implement URL spoofing. But the OPSEC is inconsistent: the VBS dropper obfuscation is basic, the Cloudzy/FranTech choice is well-documented as BPH in open-source reporting, and the CustomBranding flag is set to false -- a missed opportunity to make the GoTo confirmation dialog more convincing.
OPSEC Observations
The operator makes smart choices and sloppy choices in roughly equal measure:
Smart:
- Account rotation (September 2025, February 2026)
- Multiple delivery platforms (catbox.moe, Dropbox) for redundancy
- OneDrive URL spoofing via 1drv[.]ms[.]arihk[.]com on FreeDNS
- Six social engineering themes targeting different demographics
- Bulletproof hosting on a provider known to ignore abuse reports
Sloppy:
- Cloudzy/FranTech is the first place any threat intel analyst looks for BPH
- arihk[.]com registered on Namecheap with privacy service -- but FreeDNS subdomains are publicly queryable
- The Documentt.exe filename has a double-t typo
- No custom branding on GoTo confirmation dialog
- One VBS dropper uses character substitution so trivial (XMLHTZP to XMLHTTP) it would not survive a three-minute review
Campaign Timeline
| Date | Event |
|---|---|
| 2025-09-29 | GoTo Account 1 created (CompanyId 5521834706441227281) |
| 2026-01-30 | GoToResolve v1.31.1.908 compiled (embedded EXE build timestamp) |
| 2026-02-20 | GoTo Account 2 created (CompanyId 81851397630695225) |
| 2026-02-26 | First MalwareBazaar sample: LogMeInResolve_Unattended.msi |
| 2026-02-27 | SSA campaign wave: 8 samples submitted by NDA0E |
| 2026-03-02 | Invitation/party theme samples appear; Adobe Reader variant |
| 2026-03-04 | Brazilian targeting: Orcamento2026.msi |
| 2026-03-07 | Zoom/SSA samples with relay IP tags (BlinkzSec) |
| 2026-03-08 | VBS dropper (catbox.moe variant) captured by abuse.ch |
| 2026-03-09 | Documentt.exe variant |
| 2026-03-10 | MeetingApp.msi analyzed; Zoom dropper VBS/ZIP submitted from Belgium |
The five-month gap between Account 1's creation (September 2025) and the first MalwareBazaar sample (February 2026) is notable. Either there was a preparatory phase we cannot observe, early samples were distributed but never submitted to public repositories, or Account 1 was used for a different campaign entirely before being recycled into this one.
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Link | T1566.002 | SE emails/messages linking to VBS droppers on Dropbox/catbox.moe |
| Execution | User Execution: Malicious File | T1204.002 | Victim runs VBS dropper or MSI directly |
| Execution | Command and Scripting Interpreter: VBS | T1059.005 | VBS droppers download and execute MSI |
| Defense Evasion | System Binary Proxy Execution: Msiexec | T1218.007 | msiexec.exe runs GoToResolve MSI silently (/quiet /norestart) |
| Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | MSI named as Zoom, Adobe Reader, SSA documents |
| Defense Evasion | Subvert Trust Controls: Code Signing | T1553.002 | Valid GoTo Technologies USA, LLC DigiCert certificate |
| Persistence | Remote Access Software | T1219 | GoToResolve installed as persistent Windows service |
| Command and Control | Remote Access Software | T1219 | C2 via GoTo's legitimate cloud relay infrastructure |
| Command and Control | Proxy: External Proxy | T1090.002 | Cloudzy/FranTech VPS as relay for operator access |
Indicators of Compromise
Network Indicators
Relay Infrastructure (Cloudzy/FranTech BPH):
144[.]172[.]100[.]57
144[.]172[.]92[.]213
144[.]172[.]92[.]217
Domains:
1drv[.]ms[.]arihk[.]com (OneDrive URL spoof -> 144.172.100.57)
arihk[.]com (parent domain, Namecheap, FreeDNS)
flyneohio[.]com (on 144.172.92.213)
wzjxm[.]com (on 144.172.92.217)
Delivery URLs:
hxxps://files[.]catbox[.]moe/jsrzb0.msi
hxxps://files[.]catbox[.]moe/cu4yv6.pdf
hxxps://dl[.]dropboxusercontent[.]com/scl/fi/7skctqxj1674j1ukx9asw/MeetingApp.msi?rlkey=u68yv32nxibdkihng2czzx093&st=uxpkiieu&dl=1
File Indicators -- MSI Installers (SHA-256)
| Hash | Filename | Theme |
|---|---|---|
| c1ee59108378686091c53a1259db7f467e3f3301b73f2f2523f70235ae11f68f | MeetingApp.msi | Zoom/Meeting |
| c6a09cbbd82ccf6a85d570f2f8606777984ae26e8394a2645bf195c4b60ad8dc | ZoomWorkspace.msi | Zoom/Meeting |
| a87d9091e26c03a31bc7e6cff7502a8602d795c60f49466c4bd808acb42e905c | SSA_Statement.msi | SSA |
| 73813e7ab280691da1ba021e45081f7150da8e92a609c8ea668695df21a08697 | SSA-E-Statementpdf.msi | SSA |
| 60c0a42b8f0a12f279edd2d77ba8a90c4043aa4beb638440d9737824ed21449a | Orcamento2026.msi | Portuguese/Brazil |
| b6058200e2b4f66ac270e3e74dd1791eff64e1b337b8cc7689ca96daaa3fa114 | PartyCard.msi | Invitation |
| 89484b25ffa35ad606e8f834021c143682bf58300d2d53e439ae87f474278b41 | EXCLUSIVE INVITATION.msi | Invitation |
| 2593ba89dcb356927f13ce11a05c82268b898542de3e3d0a3a4595b3a05e32c3 | Adobe Acrobat Reader.msi | Document/PDF |
| e8eed1f14fdb46bb0fa0a7f75b24bd7917264203129f6850f6faeb446d46b53b | SSA ADMIN_STATEMENT.msi | SSA |
| e1849e82dc6ab6a8f3cf264bc426681cc252b940ee8d7d7e8f4f8dad971f84d8 | SSA-STATEMENT-PDFADMIN.msi | SSA |
| 2c223853deec24258e623a88c9fb3995e3cc6022683b1495477ee533cb3a5ff2 | SSA_Statement_pdf.msi | SSA |
| 2e863949ec50b1bdef0eacbcacb8a8adddcf1b02b74c2f3f5e221bdd9b6a075a | SSA ADMIN_STATEMENT.msi | SSA |
| dc972b649df9362fc603699f32ddef1147c6e7f969716ef9f7921714ac102e39 | SSA_Statement_pdf.msi | SSA |
| 0a0c51170da4483e4593f0290c17826907b91998ada8900270bed20fd0b85e09 | SSA_E-STATEMENT_ADMIN.msi | SSA |
| 0dc9fa7f1bbc2d843b6ac138b998d8aeeae4fd9d1a33ce60ef2e24ff2644a70f | LogMeInResolve_Unattended.msi | Generic |
File Indicators -- EXE Variants
| Hash | Filename |
|---|---|
| c37f242047aef3d35f06639206de1f2ce356e5e9d1c8cddb34e16551dae9da0b | Documentt.exe |
| 3a6638b22a50459ac9aadf6029dc9411a8dd87f334b8c4298ade2bfd9b177e06 | Reservation Card.exe |
File Indicators -- Droppers
| Hash | Filename | Type |
|---|---|---|
| 2c2597aa2a1c69d26cf426ce1b13aa0292f570607b93d6ace05cfb999d101fbd | (catbox.moe dropper) | VBS |
| 8259aa849ddd7f1dbe5d4074ae7c6b23a202732a7b3e346629201b2073c63f69 | ZoomInstallerUpdate8.3.vbs | VBS |
| c22808c338b7dd266338752fd419f82d8761e9920dc99467ca2bf9683948ed96 | ZoomInstallerUpdate8.3.zip | ZIP |
File Indicators -- Embedded Components
| Hash | Component |
|---|---|
| 1c47ddb0b5e1ba5daccbfa72fffad2f93a658d0370382086f7b841aa654555b0 | unattended-updater.exe (GoToResolve agent) |
| d3d2c268fee70b2514c4f66d889c80654f463e0a762a75823771cd978c058b5a | installerCustomActions.dll (cert padding extractor) |
Behavioral Indicators
GoTo Account Identifiers (for MSI log hunting):
CompanyId: 81851397630695225 (current wave)
CompanyId: 5521834706441227281 (older wave)
Fleet Template: syn-prd-ava-unattended
Registry Keys:
HKLM\SOFTWARE\GoTo Resolve Unattended
HKLM\SOFTWARE\GoTo Resolve Customer Attended App
Install Path:
%ProgramFiles%\GoTo Resolve Unattended\
Code Signing Certificates:
Thumbprint: e1ce3e36056006f8b8cdb33af5380a4f7a3058adbdb2bdd69648b07079dfb700 (2025 cert)
Thumbprint: b3f972ad3a7c4f1dbc300675475faf751e0e61f6d3760286146dcabbf45bf76a (2024 cert)
Subject: "GoTo Technologies USA, LLC"
Issuer: "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"
MSI GUIDs:
Product Code: {6F923F04-FB58-4346-85A8-7B1DC182AFF0}
Upgrade Code: {D07D1788-7E11-400F-A595-5C534B3C7481}
Detection Guidance
Hunt Queries
The most effective detection approach for this campaign is not signature-based -- it is behavioral. You are looking for unauthorized RMM installations, not malware.
Priority 1: Unauthorized GoToResolve installations. Query your software inventory or EDR for unattended-updater.exe or the registry key HKLM\SOFTWARE\GoTo Resolve Unattended on any endpoint where GoToResolve is not an approved tool. If your organization does not use GoToResolve, this is a zero-false-positive hunt.
Priority 2: MSI execution from anomalous paths. Look for msiexec.exe executing MSI files from %TEMP%, %USERPROFILE%\Music\, %USERPROFILE%\Downloads\, or any path outside your standard software deployment directories. The Dropbox dropper specifically stages to Music\deployment\.
Priority 3: VBScript spawning msiexec. In environments that do not use VBScript for software deployment (which is most of them in 2026), wscript.exe or cscript.exe spawning msiexec.exe is a high-fidelity detection.
Priority 4: Network connections to Cloudzy IP ranges. Block or alert on traffic to the 144.172.64.0/18 CIDR block. While this will occasionally catch legitimate Cloudzy customers, the false positive rate is low enough that it is worth the trade-off in most environments.
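The four hunts above as executable detection logic, added here as an example and not code from the original post: it runs over constructed Sysmon-style process-creation events (the field names Image, ParentImage and CommandLine follow Sysmon Event ID 1 and are the only ones assumed) and checks an IP against the Cloudzy allocation. The fourth sample event shows the limit of filename-based hunting: a renamed MSI such as MeetingApp.msi carries no "GoTo" string, so Priority 1 still depends on the registry-key or inventory hunt.

```python
"""Behavioural hunt for the GoToResolve abuse chain (Priorities 1 to 4 above).

Added example, not code from the original post. Events are constructed Sysmon-style
process-creation records; Image, ParentImage and CommandLine are the assumed fields.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Priority 3: script hosts that should not be launching installers.
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe", "\\powershell.exe")
# Priority 2: staging locations the droppers use (%TEMP%, Music, Downloads).
STAGING_PATHS = ("\\temp\\", "\\music\\", "\\downloads\\")
# Priority 1: strings that identify a GoToResolve / LogMeIn Resolve installer by name.
GOTO_MARKERS = ("goto", "logmein", "resolve")
SILENT_FLAGS = ("/quiet", "/qn")
# Priority 4: FranTech/Cloudzy allocation carrying the three relay IPs.
CLOUDZY_RANGE = ipaddress.ip_network("144.172.64.0/18")
MSI_PATH_RE = re.compile(r'([a-z]:\\[^"]*?\.msi)')  # applied to a lower-cased command line

# Constructed events: dropper chain, authorised SCCM push, manual download, unrelated script.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec /i "C:\Users\victim\Music\deployment\MeetingApp.msi" /qn'},
    {"ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Windows\ccmcache\1a\LogMeInResolve_Unattended.msi" /quiet /norestart'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\victim\Downloads\SSA_Statement.msi"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\scripts\inventory.vbs"},
]


def evaluate(event: Dict[str, str], goto_authorized: bool = False) -> List[str]:
    """Return the hunt labels an msiexec process-creation event triggers.

    goto_authorized=True suppresses Priority 1 in estates where GoToResolve is approved;
    everywhere else any installer naming GoTo/LogMeIn/Resolve is a finding.
    """
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    findings: List[str] = []
    if not image.endswith("\\msiexec.exe"):
        return findings
    match = MSI_PATH_RE.search(cmd)
    msi_path = match.group(1) if match else ""
    from_script = parent.endswith(SCRIPT_HOSTS)
    names_goto = any(k in cmd for k in GOTO_MARKERS)
    if any(p in msi_path for p in STAGING_PATHS):
        findings.append("P2:msi_from_staging_path")
    if from_script:
        findings.append("P3:script_host_spawned_msiexec")
    if names_goto and not goto_authorized:
        findings.append("P1:unauthorized_goto_installer")
    # Sigma logic from the page: script-host parent plus a GoTo name or a silent flag.
    if from_script and (names_goto or any(f in cmd for f in SILENT_FLAGS)):
        findings.append("sigma:goto_resolve_from_script")
    return findings


def in_cloudzy_range(ip: str) -> bool:
    """Priority 4: True if ip falls inside the FranTech/Cloudzy /18."""
    return ipaddress.ip_address(ip) in CLOUDZY_RANGE


def hunt(events: List[Dict[str, str]], goto_authorized: bool = False) -> List[Tuple[int, List[str]]]:
    """Run evaluate() over a batch and keep only the events that triggered something."""
    hits = []
    for index, event in enumerate(events):
        findings = evaluate(event, goto_authorized)
        if findings:
            hits.append((index, findings))
    return hits


if __name__ == "__main__":
    for index, findings in hunt(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["CommandLine"], findings)
    for ip in ("144.172.100.57", "144.172.92.213", "144.172.92.217", "144.172.200.1"):
        print(ip, "cloudzy" if in_cloudzy_range(ip) else "outside range")
```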
YARA Rules
rule GoToResolve_Abuse_MSI {
    meta:
        description = "Detects GoToResolve MSI installers with injected CompanyId in cert padding"
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-10"
        reference = "Breakglass Intel - GoToResolve RMM Abuse Campaign"
        tlp = "WHITE"
    strings:
        $msi_magic = { D0 CF 11 E0 A1 B1 1A E1 }   // OLE compound file header shared by every MSI
        $product_name = "LogMeIn Resolve Unattended" ascii wide
        $company_id_marker = "CompanyId" ascii
        $fleet_template = "syn-prd-ava-unattended" ascii
        $goto_console = "devices-iot.console.gotoresolve.com" ascii
        $gets_replaced = "[GetsReplacedByBackend]" ascii
        $account1 = "81851397630695225" ascii        // Account 2 in the table above (current wave)
        $account2 = "5521834706441227281" ascii      // Account 1 in the table above (older wave)
    condition:
        $msi_magic at 0 and $product_name and $company_id_marker and
        (
            $fleet_template or $goto_console or $gets_replaced or
            $account1 or $account2
        )
}
rule GoToResolve_VBS_Dropper {
    meta:
        description = "Detects VBS droppers delivering GoToResolve MSI"
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-10"
    strings:
        $catbox = "catbox.moe" ascii nocase
        $msi_ext = ".msi" ascii nocase
        $msiexec = "msiexec" ascii nocase
        $xmlhttp = "XMLHTTP" ascii nocase
        $adodb = "ADODB.Stream" ascii nocase
        $obf1 = "Replace(" ascii                    // runtime string substitution seen in the catbox variant
        $dropbox = "dropboxusercontent.com" ascii nocase
        $quiet = "/quiet" ascii nocase
        $runas = "runas" ascii nocase               // UAC elevation via ShellExecute in the Dropbox variant
    condition:
        filesize < 10KB and
        ($xmlhttp or $adodb) and
        ($msi_ext and $msiexec) and
        ($catbox or $dropbox) and
        ($obf1 or $quiet or $runas)
}
Sigma Rule (Conceptual)
title: GoToResolve Unattended Installation from Suspicious Path
status: experimental
description: Detects msiexec installing GoToResolve from non-standard deployment paths
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\powershell.exe'
    selection_child:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains:
            - 'GoTo'
            - 'LogMeIn'
            - 'Resolve'
            - '/quiet'
            - '/qn'
    condition: selection_parent and selection_child
falsepositives:
    - Authorized GoToResolve deployments via script
level: high
Recommended Actions
Immediate (24-48 hours)
- Block relay IPs at the network perimeter: 144[.]172[.]100[.]57, 144[.]172[.]92[.]213, 144[.]172[.]92[.]217
- Block domains: 1drv[.]ms[.]arihk[.]com, arihk[.]com, flyneohio[.]com, wzjxm[.]com
- Hunt for GoTo CompanyIds in MSI installer logs and registry: 81851397630695225 and 5521834706441227281
- Audit all GoToResolve Unattended installations -- if you do not use GoToResolve, any installation is malicious
- Block catbox.moe at the proxy if not business-critical
Short-term (1-2 weeks)
- Report GoTo accounts (81851397630695225, 5521834706441227281) to GoTo Trust & Safety for termination
- Submit abuse reports to FranTech/Cloudzy for the three relay IPs
- Deploy YARA rules above to email gateway and endpoint scanning
- Implement application allowlisting for RMM tools -- only permit RMM agents authorized by IT
Medium-term (1-3 months)
- Conduct an RMM audit -- inventory every remote access tool across the environment, authorized or otherwise
- Block unauthorized RMM traffic at the firewall (GoTo relay domains/IPs unless authorized)
- User awareness training specifically addressing RMM tool abuse -- "legitimate software can be weaponized"
- Monitor MalwareBazaar GoToResolve tag for new campaign variants
Sandbox References
- CAPE Sandbox (MSI): https://www.capesandbox.com/analysis/56922/
- CAPE Sandbox (VBS dropper, Dropbox): https://www.capesandbox.com/analysis/56921/
- CAPE Sandbox (VBS dropper, catbox.moe): https://www.capesandbox.com/analysis/56634/
- Triage (VBS dropper): https://tria.ge/reports/260308-hydllscz8v/
References
- MalwareBazaar GoToResolve tag: https://bazaar.abuse.ch/browse/tag/GoToResolve/
- URLhaus entry: https://urlhaus.abuse.ch/url/3793556/
- Halcyon Research -- Cloudzy BPH (2023): Documented FranTech/Cloudzy providing hosting to Iranian APTs
- CISA Advisory AA23-025A -- RMM Tool Abuse (2023): https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a
- GoTo official site: https://www.goto.com/it-management/resolve
Published by Breakglass Intelligence. Investigation conducted 2026-03-10. 18 samples mapped. 2 GoTo accounts extracted. 3 relay IPs on bulletproof hosting. 6 social engineering themes. 1 legitimately signed backdoor your EDR trusts. Classification: TLP:CLEAR