
The operation is wide in reach and strikes some of the most sensitive sectors in the country, including banking, government, technology, and healthcare, pointing to a deliberate effort to compromise high-value targets across multiple industries at once.
The threat actors behind this campaign have put together a well-organized attack chain that begins with a convincing lure and ends with full remote access to a victim’s corporate network.
What makes this campaign especially concerning is its layered approach. Rather than relying on a single method, the attackers combine credential theft, one-time password (OTP) interception, and the quiet deployment of Remote Monitoring and Management (RMM) software into one coordinated operation.
This multi-stage method makes the campaign significantly harder to catch before real damage is done.
Analysts at ANY.RUN identified the campaign after closely examining the full attack chain in their interactive sandbox environment.
Their findings show that several phishing pages carry clear signs of AI-assisted creation, suggesting the attackers are using automated processes to generate convincing content at speed.
Embedded code within these pages also confirms the reuse of well-known phishing kits, which allows the operators to build fresh phishing pages quickly and swap out old infrastructure whenever existing domains get flagged or taken offline by security vendors.
The campaign’s infrastructure adds another layer of difficulty for defenders. Phishing domains are carefully built to look legitimate, closely mimicking trusted business websites. This convincing appearance delays detection and gives attackers more time inside a target environment before anyone realizes something is wrong.
The real danger, however, comes after the phishing page. Instead of stopping at credential theft, the attackers go on to install recognized RMM tools like ScreenConnect, ITarian, and Datto RMM onto victim machines, establishing a persistent and difficult-to-detect foothold inside the corporate environment.
These tools are part of everyday life for many legitimate IT departments, which is exactly what makes them so useful to threat actors.
Security filters rarely block RMM software outright, and its presence tends to blend in with normal administrative activity across a network.
This gives attackers the ability to maintain quiet, long-term access to compromised systems without drawing immediate attention.
How the Attack Flows
The infection sequence begins when a target lands on a CAPTCHA page, which acts as a filter designed to separate real users from automated scanners. Once through, the victim is shown what appears to be a genuine event invitation.
At this point, the attack splits into two distinct paths. Along one path, the victim is taken to a fake login page where credentials are captured.
Along the other, an RMM installer begins downloading to the victim’s machine automatically, with no additional action required from the user.
The automatic download is particularly significant because access can be established before the victim realizes anything is wrong.
The attacker gains a foothold early in the execution chain, well before a typical security alert would fire.
Even as the campaign’s infrastructure shifts over time, the attackers maintain consistent and repeatable patterns. Fixed resource paths such as /Image/*.png appear across phishing domains, and sequential web requests moving from /favicon.ico through /blocked.html into phishing content stay predictable across different campaign versions. These stable patterns make early detection possible, before credentials are even entered.
Security teams are advised to closely monitor for RMM tool installations that occur outside of approved IT workflows. Outbound connections to RMM platforms that have not been explicitly authorized by the organization should be reviewed and restricted.
Flagging CAPTCHA-based redirect chains linked to unfamiliar domains, and watching for web request sequences that match known phishing patterns, can help teams catch this activity before it reaches the credential harvesting or remote access stage.
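To show how the stable request patterns described above can be turned into a detection, here is an added Python example (not from the article, ANY.RUN, or Cyber Security News) that scans constructed proxy log lines for the /favicon.ico to /blocked.html request chain and the fixed /Image/*.png path on hosts outside an assumed allowlist; the log format, host names and allowlist are all assumptions.

```python
import re
from collections import defaultdict
# Constructed sample proxy log lines (not from the article): "client host path"
SAMPLE_LOG = """\
10.0.0.5 intranet.example.com /favicon.ico
10.0.0.5 intranet.example.com /index.html
10.0.0.7 invite-events.example.net /favicon.ico
10.0.0.7 invite-events.example.net /blocked.html
10.0.0.7 invite-events.example.net /login
10.0.0.7 invite-events.example.net /Image/logo.png
10.0.0.9 cdn.example.org /Image/banner.png
"""
# Hosts the organization already trusts (assumption: an allowlist the defender maintains).
KNOWN_GOOD_HOSTS = {"intranet.example.com"}
# Request chain the article describes: /favicon.ico, then /blocked.html, then phishing content.
CHAIN = ["/favicon.ico", "/blocked.html"]
# Fixed resource path the article reports across phishing domains: /Image/*.png
IMAGE_PATH = re.compile(r"^/Image/[^/]+\.png$")
def parse_log(text):
    # Yield (client, host, path) from whitespace-separated lines; skip malformed ones.
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield tuple(parts)

def has_ordered_chain(paths, chain):
    # True if every chain element occurs in paths in order (other requests may intervene).
    idx = 0
    for p in paths:
        if idx < len(chain) and p == chain[idx]:
            idx += 1
    return idx == len(chain)

def flag_sessions(log_text, known_good=KNOWN_GOOD_HOSTS):
    # Return {(client, host): [reasons]} for unfamiliar hosts matching either pattern.
    sessions = defaultdict(list)
    for client, host, path in parse_log(log_text):
        sessions[(client, host)].append(path)
    flagged = {}
    for (client, host), paths in sessions.items():
        if host in known_good:
            continue
        reasons = []
        if has_ordered_chain(paths, CHAIN):
            reasons.append("favicon.ico -> blocked.html request chain")
        if any(IMAGE_PATH.match(p) for p in paths):
            reasons.append("fixed /Image/*.png resource path")
        if reasons:
            flagged[(client, host)] = reasons
    return flagged
```

Each flagged (client, host) pair carries the reasons that matched, so a single-signal hit such as an /Image/*.png fetch from an unknown CDN can be triaged separately from a full chain match.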
The post Targeted Large-Scale Campaign Attacking U.S. Organizations with Fake Event Invitations appeared first on Cyber Security News.
