GoTo Resolve
GoTo Resolve is a legitimate remote monitoring and management (RMM) / remote access tool that has been observed being abused by attackers in phishing-led intrusion chains to establish persistent remote access. In the reported activity, KnowBe4 Threat Labs described a dual-vector campaign, also referred to as “Skeleton Key,” in which Greenvelope invitation-spoofing emails redirected victims to fake login pages for credential harvesting. Attackers then used the stolen credentials to generate legitimate RMM access tokens and deployed GoTo Resolve, alongside LogMeIn, via a file named GreenVelopeCard.exe. The executable was described as legitimately signed by GoTo Technologies USA, LLC and used to inject the RMM components in order to evade signature-based detection.
The campaign targeted organizations globally and used GoTo Resolve for unattended, silent remote control. Reported post-installation behavior included manipulation of Windows service settings and registry configuration, abuse of the Windows Service Control Manager, and creation of concealed scheduled tasks through the Windows COM API to maintain stealth and persistence. The activity sought SYSTEM-level privileges after RMM deployment. Network traffic was routed over encrypted HTTPS to official GoTo infrastructure to blend with legitimate operations.
High-confidence infrastructure and configuration details directly mentioned include console[.]gotoresolve[.]com and devices-iot[.]console[.]gotoresolve[.]com as production servers, dumpster.console.gotoresolve.com as an HTTPS GoTo production server, dumpster.dev01-console.gotoresolve.com as a secondary development channel, and settings.cc as a fallback domain for updated configuration scripts. Separate reporting also described abuse of trusted *.vercel.app domains with financial lures to deliver the legitimate GoTo Resolve tool, using a Telegram-gated delivery mechanism to filter researchers and automated sandboxes. Defenders were advised to monitor for unauthorized RMM deployments, anomalous GoTo Resolve or LogMeIn usage, suspicious identity activity, and related indicators of compromise.
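The monitoring advice above (unauthorized RMM deployments, anomalous GoTo Resolve usage) turns on one distinction: traffic to GoTo infrastructure is normal for the hosts an organization has approved to run GoTo Resolve and suspicious from everything else. The script below is an added example, not code from the page, KnowBe4 or Mallory. It refangs the indicators listed above, scans proxy-log lines for destinations under those domains or under vercel.app, and reports only sources that are not on an operator allowlist. The log format, the source host names and the allowlist are constructed for the example.

```python
"""Hunt proxy telemetry for GoTo Resolve traffic from hosts not approved to run it."""
import re
from collections import defaultdict

# Indicators as given in the write-up above (defanged form kept as on the page).
GOTO_RESOLVE_INFRA = [
    "console[.]gotoresolve[.]com",
    "devices-iot[.]console[.]gotoresolve[.]com",
    "dumpster.console.gotoresolve.com",
    "dumpster.dev01-console.gotoresolve.com",
    "settings.cc",
]
# Domain suffix used for the financial-lure delivery pages described above.
LURE_SUFFIXES = ["vercel.app"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def host_matches(host: str, indicator: str) -> bool:
    """True if host equals the indicator or is a subdomain of it (no substring matches)."""
    host = host.lower().rstrip(".")
    indicator = refang(indicator)
    return host == indicator or host.endswith("." + indicator)


def classify_host(host: str):
    """Return the indicator class a destination host falls into, or None."""
    if any(host_matches(host, i) for i in GOTO_RESOLVE_INFRA):
        return "goto-resolve-infrastructure"
    if any(host_matches(host, s) for s in LURE_SUFFIXES):
        return "vercel-app-lure-hosting"
    return None


# Constructed, minimal proxy-log format (hypothetical): timestamp, source host, destination, status.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<status>\d{3})\s*$")


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines, approved_sources=frozenset()):
    """
    Return {source_host: [(destination, indicator_class), ...]} for every source that
    contacted GoTo Resolve infrastructure or a vercel.app lure page and is not in the
    approved_sources allowlist. Traffic from approved RMM operators is expected and skipped.
    """
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify_host(rec["dst"])
        if category is None or rec["src"] in approved_sources:
            continue
        findings[rec["src"]].append((rec["dst"].lower(), category))
    return dict(findings)


# Constructed sample telemetry: one approved helpdesk host and two workstations
# that should never be talking to RMM back-ends or lure pages.
SAMPLE_PROXY_LOG = [
    "2024-01-01T09:00:01Z ws-finance-07 console.gotoresolve.com 200",
    "2024-01-01T09:00:05Z ws-finance-07 devices-iot.console.gotoresolve.com 200",
    "2024-01-01T09:01:10Z it-helpdesk-01 console.gotoresolve.com 200",
    "2024-01-01T09:02:33Z ws-hr-03 invoice-review.vercel.app 200",
    "2024-01-01T09:03:00Z ws-hr-03 settings.cc 200",
    "2024-01-01T09:04:00Z ws-hr-03 www.example.com 200",
    "malformed line that the parser should skip",
]
# Hypothetical allowlist of hosts the organization has approved to run GoTo Resolve.
APPROVED_RMM_OPERATORS = frozenset({"it-helpdesk-01"})

if __name__ == "__main__":
    for src, hits in hunt(SAMPLE_PROXY_LOG, APPROVED_RMM_OPERATORS).items():
        print(src)
        for dst, category in hits:
            print(f"  {dst} -> {category}")
```

The allowlist is what keeps this from paging on every legitimate helpdesk session; the same pattern extends to LogMeIn or any other sanctioned RMM by adding its domains and approved operators. Matching is on exact host or parent-domain boundaries so that look-alike names containing the indicator as a substring are not counted.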
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Stealth: 2 techniques
Lateral Movement: 1 technique
IOCs tracked for this family
31 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Legitimate remote access/remote support tool delivered via phishing to enable attacker-controlled remote access.
A legitimate remote monitoring and management tool abused by threat actors for stealthy remote access, including routing traffic to GoTo infrastructure over encrypted HTTPS.
Legitimate Remote Monitoring and Management (RMM) software abused post-credential-theft to establish persistent unattended remote access (backdoor-like capability) by installing silently and connecting to attacker-controlled GoTo Resolve accounts/infrastructure.