Abuse of Legitimate RMM Tools via Fake Software Download Websites


EXECUTIVE SUMMARY

Threat actors are distributing legitimate Remote Monitoring and Management (RMM) tools via fake Notepad++ and 7-Zip websites, using them as the initial access vector instead of traditional malware. Because these tools are digitally signed, they evade antivirus detection; once installed, attackers gain persistent remote control and rapidly deploy backdoors, ransomware, and follow-on payloads.

  • Active Region: Global
  • Affected Sector: Individuals and Enterprises (cross-sector)
  • Affected Product: Fake Notepad++ and 7-Zip download websites delivering abused RMM tools such as LogMeIn Resolve, PDQ Connect, and similar utilities
  • Severity: High
  • Published Date: January 27, 2026

TECHNICAL DETAILS

  • Target: Individual users, small businesses, and enterprise endpoints—particularly non-admin workstations—where users search for and download commonly used free utilities (e.g., Notepad++, 7-Zip), providing attackers an initial foothold that can later expand into corporate networks.
  • Root Cause: Lack of robust verification in software acquisition workflows combined with attacker abuse of digitally signed, legitimate RMM tools. Threat actors exploit user trust in well-known brands and the implicit trust security products place in sanctioned IT administration software.
  • Prerequisite For Exploitation: Successful social engineering leading a user to a spoofed download page (via SEO poisoning, malvertising, or phishing), followed……
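As an added defensive example (not code from this report), the following Python triage rule runs over constructed process-creation events and flags the two patterns the report describes: a signed RMM binary whose filename imitates a Notepad++ or 7-Zip installer, and an RMM agent launched from a user's download folder by a browser rather than through a sanctioned deployment path. The sample events, the product allow-list, the directory patterns and the browser list are assumptions to adapt to your own telemetry.

```python
import re

# Constructed sample process-creation events (not from the report). Fields mirror
# what a Sysmon Event ID 1 / EDR record carries; "product" stands in for the
# signed binary's version-resource or signature metadata.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\npp.8.7.Installer.x64.exe",
     "product": "LogMeIn Resolve", "parent": "chrome.exe"},
    {"image": r"C:\Users\bob\Downloads\Setup.exe",
     "product": "PDQ Connect", "parent": "msedge.exe"},
    {"image": r"C:\Users\carol\Downloads\npp.8.7.Installer.x64.exe",
     "product": "Notepad++", "parent": "firefox.exe"},
    {"image": r"C:\Program Files\LogMeIn Resolve\agent.exe",
     "product": "LogMeIn Resolve", "parent": "services.exe"},
]

# RMM products named in the report; extend with every RMM tool seen in your
# environment, sanctioned or not (an assumed starting list, not exhaustive).
RMM_PRODUCTS = {"logmein resolve", "pdq connect"}
# Filenames that imitate the lures described (Notepad++ / 7-Zip installers).
LURE_NAME = re.compile(r"(npp|notepad\+?\+?|7z|7-?zip)", re.IGNORECASE)
# User-writable download locations; sanctioned RMM deployment does not start here.
USER_DOWNLOAD_DIR = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def classify(event):
    """Return (severity, reason) for one event, or None if no rule fires."""
    name = event["image"].rsplit("\\", 1)[-1]
    if event["product"].lower() not in RMM_PRODUCTS:
        return None
    if LURE_NAME.search(name):
        return ("high", f"{event['product']} binary named like a free-utility installer: {name}")
    if USER_DOWNLOAD_DIR.search(event["image"]) and event["parent"].lower() in BROWSERS:
        return ("medium", f"{event['product']} launched from a user download directory by {event['parent']}")
    return None


def find_suspicious(events):
    """Run classify() over a batch and keep only the events that fired a rule."""
    return [(e["image"], *verdict) for e in events if (verdict := classify(e))]


if __name__ == "__main__":
    for image, severity, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {reason}")
```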
