No Malware Required: How a Legitimately Signed GoToResolve Installer Delivers Full Remote Access to Attackers
TL;DR: A legitimately code-signed GoToResolve MSI installer, disguised as a Portuguese-language financial document ("Orçamento2026" -- Budget 2026), installs a persistent unattended remote access agent that phones home to the attacker's GoTo account. There is no malware, no exploit, and no stolen certificate -- just a real remote management tool weaponized through GoTo's own portal, with the attacker's full account configuration extractable from the MSI's digital signature stream.
Why This Matters
Most defenders build detection around the assumption that malicious software will look malicious -- a suspicious binary, an unsigned executable, a known-bad hash. This sample breaks every one of those assumptions. The MSI is signed by GoTo Technologies USA, LLC through DigiCert's code signing chain, valid through August 2028. Windows SmartScreen trusts it. Seventy-five percent of antivirus engines pass it clean. Application whitelisting policies that permit signed RMM tools will not flag it.
The entire attack is what researchers increasingly call Living Off Trusted Software (LOTS): the attacker uses GoTo's own infrastructure to generate a signed installer, embeds their account credentials into it, renames it to a Portuguese-language financial lure, and distributes it. Once installed, the GoToResolve Unattended agent registers with the attacker's account and provides full persistent remote access -- remote desktop, file transfer, command execution, keystroke capture -- all tunneled through legitimate GoTo HTTPS endpoints that are indistinguishable from authorized corporate RMM traffic.
The sample was uploaded to MalwareBazaar on March 4, 2026, one day after the MSI was generated. BGI flagged it for investigation. What follows is a complete teardown.
Attack Chain
STAGE 1 — DELIVERY
- Victim receives "Orçamento2026.msi" (Portuguese: "Budget 2026")
- Likely delivered via email attachment or download link
- Target audience: Brazilian / Portuguese-speaking organizations
STAGE 2 — TRUST ESTABLISHMENT
- Windows validates the code signature:
  - Subject: GoTo Technologies USA, LLC
  - Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
  - Status: VALID (not expired, not revoked)
- SmartScreen shows a trusted publisher — no warning banner
STAGE 3 — SOCIAL ENGINEERING GATE
- MSI displays GoTo's confirmation dialog: "You're about to allow remote access to your device. For your protection, proceed only if you trust the source of this installer."
- Victim clicks through — they trust the "Budget 2026" document
STAGE 4 — INSTALLATION
- Deploys unattended-updater.exe (24.5 MB) to %ProgramFiles%\GoTo Resolve Unattended\
- Registers as a Windows service (-regsvc)
- Sets ARPNOMODIFY + ARPNOREPAIR (prevents repair/modification through Add/Remove Programs)
STAGE 5 — COMMAND AND CONTROL
- Agent connects to devices-iot.console.gotoresolve.com
- Registers under CompanyId: 1628023131762587722
- Attacker gains persistent remote access via the GoTo console
There are no post-exploitation tools, no shellcode, and no lateral movement kit. The attacker does not need any of that -- GoToResolve provides remote desktop, remote shell, file transfer, and SYSTEM-level persistence out of the box.
Extracting the Attacker's Configuration
The most significant analytical finding is that the attacker's GoToResolve account configuration is embedded in the MSI and fully recoverable. GoTo's installer generation process bakes the customer's account details into the MSI package, including a JSON configuration block stored within the digital signature stream. Parsing the signature data yields:
```json
{
  "publickey": "c6ba9ac528bac3acaacbc6bf50d13748ffb5f664726d9df0370660988fa5b7d5",
  "WebsiteUrl": "devices-iot.console.gotoresolve.com",
  "BaseUrl": "https://devices-iot.console.gotoresolve.com/",
  "CompanyId": "1628023131762587722",
  "Product": 6,
  "FleetTemplateName": "syn-prd-ava-unattended",
  "Namespace": "syn-prd-ava-unattended",
  "HealthCheckUrl": "https://health.console.gotoresolve.com/devices",
  "CreatedAt": "1772541066367",
  "SessionBackendUrl": "https://sessions.console.gotoresolve.com",
  "AppletGeneratorUrl": "https://applet.console.gotoresolve.com",
  "Region": "global"
}
```
The CreatedAt timestamp (1772541066367) decodes to 2026-03-03 12:31:06 UTC -- the exact moment GoTo's portal generated this installer. The CompanyId (1628023131762587722) uniquely identifies the attacker's GoTo account and is directly reportable to GoTo for takedown. The fleet template syn-prd-ava-unattended confirms this is a production unattended access deployment, not a one-time support session.
This configuration extraction technique applies to any weaponized GoToResolve MSI and should be incorporated into incident response playbooks. Every GoToResolve MSI carries the generating account's identity.
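To make the extraction step repeatable in a playbook, here is an added Python example (not BGI's tooling and not GoTo's code): it locates the JSON block inside a byte buffer standing in for the signature stream, decodes CreatedAt from epoch milliseconds, and compares the CompanyId against an allowlist of your own tenants. The buffer is constructed from the values quoted above; reading the actual stream out of the MSI (for example with a CFB/OLE parser) is assumed to happen beforehand.

```python
import json
from datetime import datetime, timezone

# Constructed stand-in for the bytes of the MSI's digital signature stream:
# the report's JSON block wrapped in opaque filler, as it would sit in the
# PKCS#7 blob. Values are the ones recovered from the sample in the write-up.
SIGNATURE_STREAM = (
    b"\x30\x82\x01\x00" + b"\x00" * 8
    + b'{"publickey":"c6ba9ac528bac3acaacbc6bf50d13748ffb5f664726d9df0370660988fa5b7d5",'
    b'"WebsiteUrl":"devices-iot.console.gotoresolve.com",'
    b'"CompanyId":"1628023131762587722","Product":6,'
    b'"FleetTemplateName":"syn-prd-ava-unattended","CreatedAt":"1772541066367",'
    b'"Region":"global"}'
    + b"\xff" * 8
)

# Placeholder: replace with the CompanyId(s) of your organisation's own GoTo tenant(s).
AUTHORIZED_COMPANY_IDS = {"0000000000000000000"}


def extract_config(stream: bytes) -> dict:
    """Find the GoToResolve JSON block in the stream and parse it."""
    # Anchor on the "publickey" key that opens every GoToResolve config, step
    # back to its opening brace, then walk braces to the matching close.
    key = stream.find(b'"publickey"')
    if key < 0:
        raise ValueError("no GoToResolve configuration block found")
    start = stream.rfind(b"{", 0, key)
    depth = 0
    for i in range(start, len(stream)):
        if stream[i:i + 1] == b"{":
            depth += 1
        elif stream[i:i + 1] == b"}":
            depth -= 1
            if depth == 0:
                return json.loads(stream[start:i + 1].decode("utf-8"))
    raise ValueError("unterminated JSON block")


def created_at_utc(config: dict) -> str:
    """CreatedAt is Unix epoch milliseconds; render it as UTC."""
    seconds = int(config["CreatedAt"]) // 1000
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def triage(stream: bytes, authorized: set) -> dict:
    """Summarise the fields an IR analyst needs: who generated it, when, and whether it is ours."""
    cfg = extract_config(stream)
    cid = cfg.get("CompanyId")
    return {
        "company_id": cid,
        "rogue": cid not in authorized,  # unknown tenant => compromise indicator
        "unattended": "unattended" in cfg.get("FleetTemplateName", "").lower(),
        "generated": created_at_utc(cfg),
        "backend": cfg.get("WebsiteUrl"),
    }
```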
MSI Package Forensics
Package Metadata
| Field | Value |
|---|---|
| Filename | Orçamento2026.msi |
| Size | 24,530,944 bytes (23.4 MB) |
| SHA256 | 60c0a42b8f0a12f279edd2d77ba8a90c4043aa4beb638440d9737824ed21449a |
| Product | LogMeIn Resolve Unattended v1.31.1.908 |
| ProductCode | {6F923F04-FB58-4346-85A8-7B1DC182AFF0} |
| UpgradeCode | {D07D1788-7E11-400F-A595-5C534B3C7481} |
| Manufacturer | GoTo, Inc. |
| Install Path | %ProgramFiles%\GoTo Resolve Unattended\ |
Code Signing Certificate
| Field | Value |
|---|---|
| Subject CN | GoTo Technologies USA, LLC |
| Issuer | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 |
| Algorithm | sha384WithRSAEncryption |
| Valid | 2025-08-21 through 2028-08-22 |
| Serial | 0ead3a3ffa70c0a20ae2368189935153 |
| Thumbprint (SHA256) | e1ce3e36056006f8b8cdb33af5380a4f7a3058adbdb2bdd69648b07079dfb700 |
| Incorporation | Delaware, Entity #59841121 |
This is GoTo's real, current production certificate -- not stolen, not leaked. GoTo's portal generates and signs these installers on demand for any account holder. The certificate will remain valid until August 2028.
Embedded Payload
The MSI contains a single embedded CAB archive with three components:
| File | Size | Purpose |
|---|---|---|
| unattended-updater.exe | 24,494,600 bytes | GoToResolve Unattended agent binary (compiled 2026-01-30) |
| installer-customactions.dll | 845,352 bytes | Custom action DLL (PE32, x86) |
| Product icon | 5,430 bytes | GoToResolve application icon |
The custom action DLL exports three functions: SetCompanyIdFromInjectedParametersFunction, SetInstallConfirmationTextsFunction, and SetProductNameFromInjectedParametersFunction. Its PDB path (C:\a\rescue-native-rescueassist\rescue-native-rescueassist\build\RelWithDebInfo\installer-customactions.pdb) confirms it is GoTo's own build artifact, compiled on the same date as the main binary (2026-01-30). During installation, this DLL reads the injected configuration and sets the MSI properties that bind the agent to the attacker's CompanyId.
Post-Installation Capabilities
Once installed, the GoToResolve Unattended agent provides the attacker with a comprehensive remote access toolkit, all through GoTo's legitimate infrastructure:
- Remote desktop and screen control -- full interactive access to the victim's display
- Remote shell and command execution -- arbitrary command execution with SYSTEM privileges
- File transfer -- bidirectional file upload and download
- Keystroke capture -- via AddClipboardFormatListener and input monitoring
- Persistence -- Windows service plus scheduled tasks, survives reboots
- Encrypted C2 -- all communications over HTTPS to *.console.gotoresolve.com, indistinguishable from legitimate GoTo traffic
Sandbox analysis (Triage score 7/10) confirmed additional behaviors: PowerShell usage, service creation via sc.exe, WriteProcessMemory calls, COM object interaction, Volume Shadow Copy API access, and file drops into System32, Program Files, and Windows directories. Anti-debugging checks (DebuggerCheck__API) were also flagged via YARA.
The Broader Threat: RMM Tool Abuse in 2025-2026
This sample is not an isolated case. GoToResolve abuse has surged throughout 2025 and into 2026, documented by multiple security vendors:
- Blackpoint Cyber (October 2025) documented GoToResolve-to-ScreenConnect attack chains across 13 industry verticals, noting that GoToResolve triggers fewer security alerts than ScreenConnect, making it an ideal first-stage foothold.
- Cisco Talos tracked spam campaigns specifically targeting Brazil using NF-e (electronic invoice) lures to deploy RMM tools, assessing the operators as Initial Access Brokers (IABs) selling footholds to ransomware groups.
- Huntress (2025) documented multi-RMM chaining: GoToResolve to SimpleHelp to ScreenConnect, establishing redundant access paths.
- Symantec/Broadcom (late 2025) reported an "Unwanted Gifts" campaign distributing GoToResolve through holiday invitation lures.
- KnowBe4/Acumen (January 2026) identified a global campaign using GoToResolve with stolen credentials and COM-based persistence for SYSTEM-level access.
- Microsoft (March 3, 2026) published an advisory on signed malware deploying RMM backdoors -- one day before this sample appeared on MalwareBazaar.
The operational pattern is consistent: attackers create free or low-cost RMM accounts, generate legitimately signed installers through the vendor's portal, wrap them in social engineering lures, and distribute. The technique requires zero malware development capability and produces artifacts that most security tooling trusts by default.
Attribution Assessment
The Portuguese-language filename "Orçamento2026" (Budget 2026) directly indicates targeting of Brazilian or Portuguese-speaking organizations. This is consistent with a well-documented cluster of Brazilian cybercrime actors and Initial Access Brokers who share a common playbook:
- Abuse of legitimate RMM tools (GoToResolve, AnyDesk, TeamViewer, ScreenConnect)
- Portuguese-language financial lures (NF-e invoices, boletos, budget documents, receipts)
- Targeting of Brazilian businesses, government agencies, and C-level executives
- Operation as IABs who monetize access by selling to ransomware operators
The operational cost is negligible: create a GoTo account, generate an unattended installer through the portal, rename the MSI to a convincing Portuguese-language filename, and distribute via email or web hosting. No custom tooling, no infrastructure to maintain, no certificates to steal.
MITRE ATT&CK Mapping
| Technique | ID | Stage |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | Initial Access |
| User Execution: Malicious File | T1204.002 | Execution |
| Remote Access Software | T1219 | Command and Control |
| Signed Binary Proxy Execution | T1218 | Defense Evasion |
| Subvert Trust Controls: Code Signing | T1553.002 | Defense Evasion |
| Create or Modify System Process: Windows Service | T1543.003 | Persistence |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Defense Evasion |
Defensive Recommendations
1. Maintain an authorized RMM inventory. If GoToResolve is not an approved tool in your environment, block its installation and execution. Application control policies should explicitly deny unattended-updater.exe and the GoTo Resolve Unattended service unless whitelisted by IT.
2. Monitor for unauthorized RMM service installations. Alert on creation of services matching GoToResolve, LogMeIn Resolve, or any GoTo Resolve Unattended service name. Sysmon Event ID 6 (driver/service load) and Windows Event ID 7045 (new service installed) are the primary telemetry sources.
3. Detect rogue CompanyIds. If GoToResolve is legitimately used in your environment, maintain a list of authorized CompanyIds. Any GoToResolve agent registering with an unknown CompanyId -- particularly 1628023131762587722 -- is a compromise indicator. Check the registry and GoToResolve configuration files on endpoints.
4. Inspect MSI metadata before execution. Security teams should extract and review MSI product names, manufacturer fields, and embedded configurations before permitting installation. A GoToResolve MSI named "Orçamento2026.msi" is an immediate red flag.
5. Network-level detection. While blocking *.console.gotoresolve.com is impractical if GoTo products are in use, monitor for connections to GoTo infrastructure from endpoints that should not be running RMM tools. Correlate with asset inventory data.
6. User awareness training. Educate users that a valid code signature does not mean a file is safe. The GoToResolve confirmation dialog ("You're about to allow remote access") is the last defensive gate -- users must understand that clicking through grants full machine access to an unknown party.
7. Report weaponized CompanyIds. Forward extracted CompanyIds to GoTo's abuse team for account takedown. The attacker's account (1628023131762587722) can be disabled server-side, severing access to all compromised endpoints simultaneously.
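Recommendations 1 through 3 above reduce to one check: a new service whose name or image path points at a GoTo Resolve Unattended install on a host that is not in the authorized RMM inventory. The following is an added Python example (not BGI's code) that runs that check over constructed Windows Event ID 7045 records in the message layout the Service Control Manager writes; hostnames and the exact service display name are illustrative, the image path and -regsvc argument come from the write-up.

```python
import re

# Constructed System-log records (Event ID 7045, new service installed).
# Two hosts receive the GoTo Resolve Unattended service; one benign service is mixed in.
EVENTS = [
    {"host": "FIN-WS-17", "event_id": 7045, "message":
        "A service was installed in the system.\n"
        "Service Name:  GoTo Resolve Unattended\n"
        "Service File Name:  \"C:\\Program Files\\GoTo Resolve Unattended\\unattended-updater.exe\" -regsvc\n"
        "Service Type:  user mode service\n"
        "Service Start Type:  auto start\n"
        "Service Account:  LocalSystem"},
    {"host": "IT-ADMIN-01", "event_id": 7045, "message":
        "A service was installed in the system.\n"
        "Service Name:  GoTo Resolve Unattended\n"
        "Service File Name:  \"C:\\Program Files\\GoTo Resolve Unattended\\unattended-updater.exe\" -regsvc\n"
        "Service Account:  LocalSystem"},
    {"host": "FIN-WS-17", "event_id": 7045, "message":
        "A service was installed in the system.\n"
        "Service Name:  ContosoBackupAgent\n"
        "Service File Name:  C:\\Program Files\\Contoso\\backup.exe\n"
        "Service Account:  LocalSystem"},
]

# Hosts where IT has approved GoToResolve (your asset inventory). Placeholder value.
RMM_AUTHORIZED_HOSTS = {"IT-ADMIN-01"}

# Names and binaries the write-up associates with the GoToResolve Unattended agent.
RMM_PATTERN = re.compile(r"gotoresolve|logmein resolve|goto resolve unattended|unattended-updater\.exe", re.I)
FIELD = re.compile(r"^(Service Name|Service File Name|Service Account):\s+(.*)$", re.M)


def parse_7045(message: str) -> dict:
    """Pull the key/value lines out of a 7045 message body."""
    return dict(FIELD.findall(message))


def find_rogue_rmm_installs(events: list, authorized_hosts: set) -> list:
    """Alert on GoToResolve service creation on hosts outside the RMM inventory."""
    alerts = []
    for ev in events:
        if ev["event_id"] != 7045:
            continue
        fields = parse_7045(ev["message"])
        target = fields.get("Service Name", "") + " " + fields.get("Service File Name", "")
        if RMM_PATTERN.search(target) and ev["host"] not in authorized_hosts:
            alerts.append({"host": ev["host"], "service": fields.get("Service Name"),
                           "image": fields.get("Service File Name"),
                           "account": fields.get("Service Account")})
    return alerts
```

An alert from this check is the cue to run the CompanyId extraction from the agent configuration on that host and compare it with your authorized tenant list.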
Indicators of Compromise
File Hashes
| File | Hash Type | Value |
|---|---|---|
| Orçamento2026.msi | SHA256 | 60c0a42b8f0a12f279edd2d77ba8a90c4043aa4beb638440d9737824ed21449a |
| Orçamento2026.msi | MD5 | 7ff4e86d5dea2840bae7141d66bbba0d |
| Orçamento2026.msi | TLSH | T1483733207649C171F53E10B289286BBF427D6D320F6580DBB3DCFE9A5B312C16B36A56 |
| installer-customactions.dll | SHA256 | d3d2c268fee70b2514c4f66d889c80654f463e0a762a75823771cd978c058b5a |
Network Indicators
| Endpoint | Purpose |
|---|---|
| devices-iot.console.gotoresolve[.]com | Agent C2 backend |
| sessions.console.gotoresolve[.]com | Session management |
| health.console.gotoresolve[.]com | Agent health checks |
| applet.console.gotoresolve[.]com | Applet generation |
| custombranding.console.gotoresolve[.]com | Custom branding assets |
| secure.logmein[.]com | Certificate validation |
Note: All network endpoints are legitimate GoTo infrastructure. Blocking them will disrupt authorized GoTo usage. Detection must focus on unauthorized installations and rogue CompanyIds, not network destinations.
Attacker Account Identifiers
| Field | Value |
|---|---|
| GoTo CompanyId | 1628023131762587722 |
| Public Key | c6ba9ac528bac3acaacbc6bf50d13748ffb5f664726d9df0370660988fa5b7d5 |
| Fleet Template | syn-prd-ava-unattended |
| MSI Generation Time | 2026-03-03 12:31:06 UTC |
Detection Signatures
| Source | Value |
|---|---|
| MSI ProductCode | {6F923F04-FB58-4346-85A8-7B1DC182AFF0} |
| MSI UpgradeCode | {D07D1788-7E11-400F-A595-5C534B3C7481} |
| Certificate Serial | 0ead3a3ffa70c0a20ae2368189935153 |
| Certificate Thumbprint | e1ce3e36056006f8b8cdb33af5380a4f7a3058adbdb2bdd69648b07079dfb700 |
Conclusion
This sample represents the maturation of a trend that defenders cannot afford to ignore: the weaponization of legitimate, trusted software through vendor-provided distribution channels. The attacker invested nothing in malware development, exploit research, or infrastructure -- GoTo's own portal handled code signing, payload generation, and C2 infrastructure. The only "attacker" artifact is the social engineering wrapper: a renamed MSI file.
The defensive challenge is fundamental. Traditional detection models that rely on file reputation, signature validation, or known-bad hashes will fail against this class of threat. The binary is legitimate. The signature is valid. The network traffic goes to trusted endpoints. Detection must shift to behavioral indicators: unauthorized RMM installations, rogue account identifiers, and anomalous remote access patterns.
For incident responders encountering GoToResolve agents of unknown origin: extract the CompanyId from the agent configuration, cross-reference it against your authorized RMM inventory, and report rogue accounts to GoTo for takedown. The attacker's CompanyId is their identity -- and in this case, it is fully exposed.
Analysis by Breakglass Intelligence. Sample sourced from MalwareBazaar. Sandbox references: Triage 260304-rd357scs9z, CAPE 55595.