Security researchers have raised alarms over a remote administration tool that can quietly turn into a stealthy entry point for cybercriminals. The program, flagged as HEURRemoteAdmin.GoToResolve.gen, is now classified as a Potentially Unwanted Application (PUA) due to the way it conceals its presence and behavior from end users.
The warning comes from the Lat61 Threat Intelligence Team at Point Wild, a data breach prevention firm that analyzed how this tool can transform a routine IT utility into a serious security liability. According to their report, the application is linked to GoTo Resolve, a legitimate platform formerly known as LogMeIn, widely used by IT support teams for remote access and troubleshooting.
What makes this case particularly concerning is the tool’s ability to install and operate “silently,” maintaining a persistent foothold on the system without any visible prompts or notifications. Researchers found it buried in a directory named C:\Program Files (x86)\GoTo Resolve Unattended\, along with a bundled file called “32000~” that contains hidden instructions for managing the application in the background.
Because it runs unattended, this component effectively creates a new attack surface, similar to leaving a window unlocked for intruders. Threat actors who manage to hijack the tool could exploit its background capabilities to move laterally, gather intelligence, or prepare a larger compromise, all without attracting attention from the user sitting at the keyboard.
The most disturbing link is to ransomware tradecraft through the use of the Windows Restart Manager library, RstrtMgr.dll. This DLL has been abused in past campaigns by high-profile groups like Conti and Cactus ransomware, as well as the BiBi wiper, to terminate processes that might block file encryption or forensic analysis, including antivirus tools and security services.
Even more deceptive is the fact that the software carries a valid digital signature from GoTo Technologies USA, LLC, giving it an appearance of full legitimacy in the eyes of both users and operating systems.
Experts stress that a trusted signature does not guarantee safe behavior and warn organizations to treat this tool as a high-risk component unless explicitly approved and monitored by their security teams, calling its stealthy execution and Restart Manager loading a form of “dangerous pre-positioning” for future, more destructive attacks.