A phishing campaign tracked as STAC6405 uses event invitation lures to trick users into installing pre-configured legitimate RMM tools like LogMeIn Resolve and ScreenConnect. Once initial access is established, attackers deploy secondary payloads including HeartCrypt-packed infostealers and additional remote access tools, utilizing utilities to hide their activity from the user.