GoTo Resolve threat campaign disrupted by SpearTip-managed SOC
Threat actors trick users by using trusted application names
Cyber criminals continue to refine their delivery techniques by masquerading as trusted applications such as Zoom, Chrome, and Adobe, leveraging those familiar names to trick users into installing remote access software under false pretenses. Recent campaigns have weaponized legitimate remote access tools such as GoTo Resolve Unattended and ScreenConnect, disguising them as business-critical updates or software installers.
Common deceptive filenames observed by SpearTip’s threat intelligence team include:
- ZoomWorkspace.ClientSetup.exe
- ChromeUpdate.exe
- Adobeupdate1.exe
Each of these lures mimicked legitimate software, but instead deployed a fully functional, unattended remote-access agent, granting attackers silent persistence and long-term control of victim endpoints.
In the latest incident, SpearTip’s 24/7 Managed Security Operations Center (SOC) detected and contained malicious activity tied to a fake Adobe updater (Adobeupdate1.exe) that silently installed GoTo Resolve Unattended components under Program Files (x86) and registered itself in Control Panel.
Once executed, the installer created Windows services for persistence, added registry keys for auto-start, and began encrypted outbound communications to GoTo Resolve’s remote command infrastructure.
Within minutes of detection, SpearTip analysts performed a comprehensive investigation, identified all related components, and initiated full remediation actions, including:
Following remediation, SpearTip confirmed no remaining GoTo Resolve artifacts, services, or active connections, restoring the system to a verified clean state.
This campaign highlights an ongoing trend: adversaries weaponize legitimate IT support tools to blend in with trusted activity and bypass security controls. Without advanced behavioral detection and human-led analysis, these attacks can easily go unnoticed.
The SpearTip Managed SOC combines continuous 24/7 monitoring, real-time behavioral analytics, and expert analyst intervention to detect, isolate, and eradicate sophisticated remote-access intrusions before they escalate.
Our proactive threat hunting and rapid containment capabilities ensure that even legitimate tools used with malicious intent are identified and neutralized before impact.
If your organization relies solely on automated alerts, you may already be compromised. With SpearTip, you gain human-led response, proven precision, and immediate action when minutes matter most.
Technical Appendix
File Details:
- Filename: Adobeupdate1.exe
- SHA1: 538a3e9af448821b7ba64de722dd296dc06bb27b
- File Type: Windows PE (GoTo Resolve Unattended Installer)
- Installed Components:
- C:\Program Files (x86)\GoTo Resolve Unattended\308090205891604242\
- GoToResolveUnattended.exe
- GoToResolveCrashHandler.exe
- GoToResolveServiceManager.exe
- GoToResolveUpdate.exe
Persistence Mechanisms:
- Service installed:
- Name: GoToResolve_308090205891604242
- Executable Path: C:\Program Files (x86)\GoTo Resolve Unattended\308090205891604242\GoToResolveServiceManager.exe
- Registry entries:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GoTo Resolve Unattended 308090205891604242
- HKLM\SYSTEM\CurrentControlSet\Services\GoToResolveUnattendedService
Network Indicators:
- Outbound communications to:
- devices-iot.console.gotoresolve.com
- dumpster.console.gotoresolve.com
- agent.console.gotoresolve.com
- Behavior:
- Periodic beaconing for remote session registration and agent updates.
- SSL-encrypted command polling and remote session negotiation.
Execution Behavior:
- When run, the installer drops components under the GoTo Resolve Unattended directory.
- Registers and starts the Windows service for unattended access.
- Adds itself to the uninstall registry for Control Panel visibility.
- Establishes encrypted HTTPS connections to GoTo Resolve’s remote infrastructure for agent enrollment and command retrieval.
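As an added example (not SpearTip's own tooling and not part of the original advisory), the following PowerShell triage script checks a single Windows host for the artifacts listed in this appendix: the dropped components, the service and registry persistence, DNS cache entries and established TCP sessions to the console domains, and executables whose file name claims Adobe, Chrome or Zoom but whose PE version information belongs to GoTo Resolve (the mismatch that gave Adobeupdate1.exe away). The indicator values are taken from the appendix; the search roots, the `GoToResolve*` service wildcard (which assumes other instances follow the same naming scheme with a different ID), the version-info match strings, and the script structure are assumptions.

```powershell
# Added example (not SpearTip's own tooling): triage a Windows host for the GoTo Resolve
# Unattended artifacts listed in the appendix. Run from an elevated PowerShell 5.1+ session.
# Indicator values are from the appendix; search roots and match strings are assumptions.

$InstallId = '308090205891604242'   # instance ID embedded in the observed path and service name
$Findings  = [System.Collections.Generic.List[string]]::new()

# 1. Dropped components under Program Files (x86)
$InstallDir = "C:\Program Files (x86)\GoTo Resolve Unattended\$InstallId"
$Components = 'GoToResolveUnattended.exe', 'GoToResolveCrashHandler.exe',
              'GoToResolveServiceManager.exe', 'GoToResolveUpdate.exe'
if (Test-Path -LiteralPath $InstallDir) {
    $Findings.Add("Install directory present: $InstallDir")
    foreach ($c in $Components) {
        $p = Join-Path $InstallDir $c
        if (Test-Path -LiteralPath $p) {
            $sha1 = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash
            $Findings.Add("  component $c sha1=$sha1")
        }
    }
}

# 2. Persistence: the named service plus any other GoToResolve* service (assumption: other
#    installs use the same naming scheme with a different instance ID), and the registry keys
Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'GoToResolve*' } |
    ForEach-Object { $Findings.Add("Service $($_.Name) state=$($_.State) start=$($_.StartMode) path=$($_.PathName)") }
$RegKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GoTo Resolve Unattended $InstallId",
    'HKLM:\SYSTEM\CurrentControlSet\Services\GoToResolveUnattendedService'
)
foreach ($k in $RegKeys) {
    if (Test-Path -LiteralPath $k) { $Findings.Add("Registry key present: $k") }
}

# 3. Network: DNS cache entries and established TCP sessions to the console domains
$Domains = 'devices-iot.console.gotoresolve.com', 'dumpster.console.gotoresolve.com',
           'agent.console.gotoresolve.com'
$Cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($d in $Domains) {
    foreach ($e in ($Cache | Where-Object { $_.Entry -eq $d })) {
        $Findings.Add("DNS cache: $d -> $($e.Data)")
    }
}
# Resolve the domains now (assumes outbound DNS works) and match current sessions against them
$Addrs = foreach ($d in $Domains) {
    Resolve-DnsName $d -Type A -ErrorAction SilentlyContinue | Where-Object IPAddress | ForEach-Object IPAddress
}
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $Addrs -and ($_.RemoteAddress -in $Addrs) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $Findings.Add("Established $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) pid=$($_.OwningProcess) ($($proc.ProcessName))")
    }

# 4. Lure check: executables named after Adobe/Chrome/Zoom whose PE version info points at
#    GoTo Resolve instead (the mismatch behind Adobeupdate1.exe). Search roots and the
#    'GoTo|Resolve' match strings are assumptions.
$LurePattern = '^(Adobe|Chrome|Zoom).*\.exe$'
$SearchRoots = "$env:USERPROFILE\Downloads", $env:TEMP
Get-ChildItem -Path $SearchRoots -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $LurePattern } |
    ForEach-Object {
        $vi = $_.VersionInfo
        if ("$($vi.ProductName) $($vi.CompanyName) $($vi.OriginalFilename)" -match 'GoTo|Resolve') {
            $Findings.Add("Lure: $($_.FullName) product='$($vi.ProductName)' company='$($vi.CompanyName)' orig='$($vi.OriginalFilename)'")
        }
    }

if ($Findings.Count -gt 0) { $Findings } else { 'No GoTo Resolve artifacts found.' }
```

Two caveats when reading the output. An empty result is not proof of a clean host: the directory and service names carry a per-install instance ID, the installer may have been dropped somewhere other than the searched roots, and the agent only beacons periodically, so a snapshot of established sessions can miss it. Conversely, every hit must be reconciled against the organisation's inventory of approved remote-management tools, because a sanctioned GoTo Resolve deployment produces exactly the same artifacts; the malicious signal in this case was the Adobe-branded file name on a GoTo Resolve binary, not the presence of GoTo Resolve itself.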
At SpearTip, we strive to be your trusted ally in safeguarding critical operations. Our hands-on and proactive approach means we never treat a client as just another ticket or number. We directly approach the issues you may be facing, the issues you'll face in the future, and the issues we can't see yet.
Our 24/7/365 Managed Security Operations Center provides a lens into your digital environment with the single purpose of protecting your organizational reputation, operations and bottom line.
Our technical cyber security expertise, wide range of services and risk management insights help customers identify and understand their exposure and take action to reduce risk. And we're here for you with personal service whenever you need us. We use AI to ensure the high quality and efficiency of our services, but you'll always have the option to speak with a real person when it matters most.
Ready to learn more? Contact us today to see how we can help your organization strengthen its cyber defenses and operational resilience.
