Hackers Use Fake PayPal Notices To Steal Credentials, Deploy RMMs


A new wave of phishing-led intrusions abusing legitimate remote monitoring and management (RMM) tools has been documented, with attackers using fake PayPal alerts to gain both personal and corporate access.

The activity, documented in an advisory published by CyberProof on Tuesday, marks a shift away from seasonal lures toward high-urgency financial themes, while highlighting how trusted remote access software continues to be weaponized to evade detection.

Earlier waves relied on decoy messages such as holiday party invitations, tax notices or document signing requests. The latest incidents instead exploit fake PayPal warnings designed to provoke immediate action.

CyberProof researchers examined six incidents across customer environments, including one case in which an employee’s personal PayPal account served as the initial entry point.

On January 5, 2026, the company’s Managed Detection and Response (MDR) team identified suspicious activity that later escalated into corporate access.

The attack began with a fraudulent PayPal email, followed by phone-based social engineering. Posing as support staff, the attacker convinced the victim to install legitimate remote access software.

LogMeIn Rescue was deployed first, before the threat actor pivoted to AnyDesk to maintain access. No endpoint detection and response (EDR) alerts were triggered during the intrusion.


For context, attackers using one RMM tool to install another is a pattern also noted recently in research from Broadcom.

This approach appears intended to reduce the likelihood of detection and possibly to cycle through trial licences to avoid expiration.
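The RMM-to-RMM pivot described above (one remote access tool launching or being followed by a second one on the same host) is something a detection team can look for in process-creation telemetry even when no EDR alert fires. The following is an added example written for this article, not code from CyberProof, Broadcom or the advisory. It assumes a simplified event schema (`ts`, `host`, `image`, `parent_image`), and the `RMM_TOOLS` executable-name mapping is an illustrative starting point, not a complete inventory; the sample events are constructed.

```python
"""Flag hosts where a second, different RMM tool appears shortly after a
first one, or where one RMM tool spawns another (an RMM-to-RMM pivot).

Assumed event schema: dicts with ts (ISO 8601, no timezone suffix), host,
image (full process path) and parent_image. Illustrative example only.
"""
from datetime import datetime, timedelta
import ntpath  # handles Windows-style paths regardless of the analyst's OS

# Assumed executable-name -> tool-family mapping. Extend from your own
# software inventory; names here are illustrative, not authoritative.
RMM_TOOLS = {
    "support-logmeinrescue.exe": "LogMeIn Rescue",
    "lmirescue.exe": "LogMeIn Rescue",
    "anydesk.exe": "AnyDesk",
}


def tool_family(image_path):
    """Return the RMM family for a process image, or None if it is not an RMM tool."""
    return RMM_TOOLS.get(ntpath.basename(image_path).lower())


def find_rmm_pivots(events, window=timedelta(hours=2)):
    """Return one finding per (host, earlier tool, later tool) pair where the
    later tool is a different RMM family seen within `window` of the earlier
    one. `spawned_by_rmm` records whether the later process's parent was
    itself a different RMM tool, which is the strongest signal of a pivot."""
    findings = []
    seen = {}  # host -> {family: first-seen timestamp}
    for ev in sorted(events, key=lambda e: e["ts"]):
        fam = tool_family(ev["image"])
        if fam is None:
            continue
        host, ts = ev["host"], datetime.fromisoformat(ev["ts"])
        per_host = seen.setdefault(host, {})
        parent_fam = tool_family(ev.get("parent_image", ""))
        for other_fam, other_ts in per_host.items():
            if other_fam != fam and ts - other_ts <= window:
                findings.append({
                    "host": host,
                    "first_tool": other_fam,
                    "second_tool": fam,
                    "minutes_apart": int((ts - other_ts).total_seconds() // 60),
                    "spawned_by_rmm": parent_fam is not None and parent_fam != fam,
                })
        per_host.setdefault(fam, ts)  # keep the earliest sighting per family
    return findings


# Constructed sample telemetry: WS-042 mirrors the pattern in the article
# (LogMeIn Rescue first, AnyDesk launched from it later); WS-077 is a benign
# single-tool helpdesk session and should not be flagged.
SAMPLE_EVENTS = [
    {"ts": "2026-01-05T09:10:00", "host": "WS-042",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": "2026-01-05T09:14:00", "host": "WS-042",
     "image": r"C:\Users\jdoe\Downloads\Support-LogMeInRescue.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": "2026-01-05T10:02:00", "host": "WS-042",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent_image": r"C:\Users\jdoe\Downloads\Support-LogMeInRescue.exe"},
    {"ts": "2026-01-05T11:00:00", "host": "WS-077",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in find_rmm_pivots(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['first_tool']} -> {f['second_tool']} "
              f"after {f['minutes_apart']} min (spawned by RMM: {f['spawned_by_rmm']})")
```

On the constructed data this reports a single finding for WS-042 and nothing for WS-077. The two-hour window is a tuning choice: a longer window catches slower hand-offs at the cost of more noise from environments where helpdesk staff legitimately use more than one tool, so the `spawned_by_rmm` field is the attribute to prioritise when triaging.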

Source: InfoSecurity Magazine