Initial Access Brokers are targeting Brazilian executives via NF-e spam and legitimate RMM trials

4 Min Read

Cybersecurity researchers are warning of a new campaign, active since January 2025, that abuses trial versions of commercial remote monitoring and management (RMM) software to target Portuguese-speaking users in Brazil.

“Spam messages use NF-e, a Brazilian electronic invoice system, as a lure to tempt users into clicking on hyperlinks and accessing malicious content hosted on Dropbox,” Cisco Talos researcher Guilherme Venere said in a report published Thursday.

The attack chain starts with a specially crafted spam email, styled as an overdue invoice or unpaid-bill notice purporting to come from a financial institution or mobile phone carrier, that urges the recipient to click a bogus Dropbox link. That link points to the RMM tool’s binary installer.

Two notable RMM tools observed are N-able RMM Remote Access and PDQ Connect. Both allow an attacker to read and write files to and from the remote file system.

In some cases, the threat actors use the remote capabilities of these agents to download and install additional RMM software, such as ScreenConnect, after the initial compromise.
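The chain described above (lure e-mail, Dropbox-hosted installer, a signed RMM agent, then a second RMM agent pulled down through the first) leaves a recognisable trail in process-creation telemetry. The hunt below is an added example, not code from Cisco Talos or any RMM vendor: it runs over constructed Sysmon/EDR-style records (field names such as `image`, `parent_image`, `signer` and `parent_signer` are assumptions about a generic export, and the signer strings are illustrative) and flags RMM-signed binaries that are not the organisation’s sanctioned vendor, that were launched from a Downloads folder by a browser or the Dropbox client, or that were spawned by another RMM agent.

```python
"""Hunt for trial-RMM abuse in endpoint process-creation telemetry.

Added example: not Cisco Talos' or N-able's code. The event records are
constructed, and the field names (host, image, parent_image, signer,
parent_signer) are assumptions about a generic Sysmon/EDR export.
"""

# Vendor names the article reports as abused (N-able, PDQ, ScreenConnect).
# Matching on the code-signing subject rather than a fixed file name, because
# the installers are legitimately signed and can be renamed at will.
RMM_VENDORS = ("n-able", "pdq", "screenconnect")

# Parents that mean a user ran something they just fetched: browsers, the
# Dropbox client, or Explorer opening a download (assumed list).
DOWNLOAD_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                    "dropbox.exe", "explorer.exe"}


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_rmm_signed(signer):
    """True if the signer string names one of the RMM vendors above."""
    s = (signer or "").lower()
    return any(v in s for v in RMM_VENDORS)


def hunt(events, approved_signers=()):
    """Return one finding per RMM-signed process, listing the rules it trips.

    approved_signers: substrings of signer names for the organisation's
    sanctioned RMM vendor(s). A sanctioned agent started by the service
    control manager from Program Files produces no finding.
    """
    approved = tuple(a.lower() for a in approved_signers)
    findings = []
    for e in events:
        if not is_rmm_signed(e["signer"]):
            continue
        rules = []
        signer = e["signer"].lower()
        if not any(a in signer for a in approved):
            rules.append("unapproved_rmm")          # vendor not sanctioned here
        image = e["image"].replace("\\", "/").lower()
        if _basename(e["parent_image"]) in DOWNLOAD_PARENTS and "/downloads/" in image:
            rules.append("rmm_from_download")       # lure -> Dropbox -> installer run by hand
        if is_rmm_signed(e.get("parent_signer")):
            rules.append("rmm_chained")             # one RMM agent installing another
        if rules:
            findings.append({"host": e["host"], "image": e["image"], "rules": rules})
    return findings


# Constructed sample telemetry (not real logs); signer strings are illustrative.
EVENTS = [
    {   # user double-clicks the "invoice" fetched from the Dropbox link
        "host": "FIN-LAPTOP-07",
        "image": r"C:\Users\cfo\Downloads\NF-e_00123.exe",
        "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "signer": "N-able Technologies Ltd", "parent_signer": "Google LLC",
    },
    {   # the newly installed agent comes up as a service
        "host": "FIN-LAPTOP-07",
        "image": r"C:\Program Files\N-able\Agent\agent.exe",
        "parent_image": r"C:\Windows\System32\services.exe",
        "signer": "N-able Technologies Ltd", "parent_signer": "Microsoft Windows",
    },
    {   # the agent is used to pull in a second RMM (ScreenConnect)
        "host": "FIN-LAPTOP-07",
        "image": r"C:\Users\cfo\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
        "parent_image": r"C:\Program Files\N-able\Agent\agent.exe",
        "signer": "ScreenConnect Software", "parent_signer": "N-able Technologies Ltd",
    },
    {   # ordinary office activity, no RMM involved
        "host": "HR-DESKTOP-02",
        "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "parent_image": r"C:\Windows\explorer.exe",
        "signer": "Microsoft Corporation", "parent_signer": "Microsoft Windows",
    },
    {   # the organisation's sanctioned RMM agent, started by the SCM
        "host": "HR-DESKTOP-02",
        "image": r"C:\Program Files\PDQ\PDQConnectAgent\PDQConnectAgent.exe",
        "parent_image": r"C:\Windows\System32\services.exe",
        "signer": "PDQ.com Corporation", "parent_signer": "Microsoft Windows",
    },
]

if __name__ == "__main__":
    for f in hunt(EVENTS, approved_signers=("PDQ",)):
        print(f["host"], f["image"], ",".join(f["rules"]))
```

Run as-is, the three N-able/ScreenConnect events on FIN-LAPTOP-07 are reported and the sanctioned PDQ agent is not; drop the `approved_signers` argument and PDQ is reported as well, which is the right behaviour for an organisation that uses no RMM at all. The `rmm_chained` rule is the one worth alerting on by itself: a legitimately deployed agent has little reason to install a competitor’s product.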

Based on the recipients observed, the campaign has been found to primarily target C-level executives and financial and human resources accounts across several industries, including some educational and government institutions.

The activity is also assessed with high confidence to be the work of an initial access broker (IAB) who is abusing the free trial periods offered by various RMM programs to gain unauthorized access. N-able has since taken steps to disable the affected trial accounts.

“In recent years, adversarial abuse of commercial RMM tools has been steadily increasing,” Venere said. “These tools are usually digitally signed by recognized entities and are fully functional backdoors, making them attractive to threat actors.”


“They also cost little or nothing in software or infrastructure, because all of it is provided by the trial applications.”

This development comes amid the emergence of a variety of phishing campaigns designed to evade modern defenses, distribute a wide range of malware families, or harvest victim credentials.

  • A campaign run by a South American cybercrime group tracked as Hive0148 that has distributed the Grandoreiro banking trojan to users in Mexico and Costa Rica.
  • Campaigns employing a legitimate file-sharing service named GetShared to bypass security protections and direct users to links hosting malware.
  • A campaign distributing FormBook malware via Microsoft Word documents that exploit a years-old Equation Editor flaw (CVE-2017-11882), using sales-order-themed lures.
  • A campaign targeting organizations in Spain, Italy and Portugal that uses invoice-related themes to deploy a Java-based remote access trojan named Ratty RAT, which can run remote commands, record keystrokes, capture screenshots, and steal sensitive data.
  • A campaign using a legitimate note-taking application known as Milanote together with an adversary-in-the-middle (AitM) phishing kit called Tycoon 2FA to capture user credentials under the guise of viewing a “new agreement.”
  • Campaigns that leverage encoded JavaScript embedded in SVG files, booby-trapped links in PDF attachments, dynamic phishing URLs rendered at runtime in OneDrive-hosted files, and MHT payloads inside OpenXML structures to direct users to credential-harvesting or phishing pages.
  • Campaigns that abuse Cloudflare’s TryCloudflare tunnel functionality to deploy malware such as AsyncRAT.
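The SVG technique in the list above works because an SVG is an XML document that browsers render as an image yet may also execute: it can carry `<script>` elements, `on*` event handlers and `javascript:` links, and the script stage is routinely base64-encoded so that a plain-text signature for the redirect does not fire. The scanner below is an added example, not code from Intezer or from any of the campaigns named; the three SVG samples are constructed, and `example.invalid` is a reserved, non-routable hostname standing in for a phishing URL.

```python
"""Triage an SVG e-mail attachment for smuggled or encoded JavaScript.

Added example, not code from Intezer or any of the campaigns named above.
The SVG samples are constructed; example.invalid is a reserved, non-routable
hostname used as a stand-in for a phishing URL.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Script fragments typical of a redirector or loader stage (assumed list).
SUSPICIOUS_JS = re.compile(
    r"location\s*[.=]|window\.open|document\.write|atob\s*\(|eval\s*\(", re.I)
# A long run of base64 alphabet characters: a candidate encoded payload.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _local(name):
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return name.rsplit("}", 1)[-1].lower()


def _decoded_blobs(text):
    """Yield the UTF-8 decoding of every long base64 run in the document."""
    for m in BASE64_RUN.finditer(text):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore")
        except ValueError:      # not valid base64 (binascii.Error is a ValueError)
            continue


def scan_svg(svg_text):
    """Return a sorted list of finding names; an empty list means nothing script-like."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["xml_parse_error"]   # never let malformed input through as "clean"
    findings = set()
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag == "script":
            findings.add("script_element")
            if SUSPICIOUS_JS.search(el.text or ""):
                findings.add("suspicious_script")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):          # onload, onclick, onerror, ...
                findings.add("event_handler:" + name)
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.add("javascript_href")
    # Decode base64 runs anywhere in the raw text, so a payload hidden in an
    # atob("...") argument or a data: URI is inspected as well.
    for blob in _decoded_blobs(svg_text):
        if SUSPICIOUS_JS.search(blob):
            findings.add("encoded_js")
    return sorted(findings)


def verdict(svg_text):
    return "block" if scan_svg(svg_text) else "allow"


# Constructed samples (not real attachments).
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<rect width="10" height="10" fill="red"/></svg>')

_STAGE2 = base64.b64encode(b"window.location.href='https://example.invalid/login';").decode()
SMUGGLED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"><text x="10" y="20">Invoice</text>'
    f'<script><![CDATA[eval(atob("{_STAGE2}"))]]></script></svg>'
)

HANDLER_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    'onload="top.location=\'https://example.invalid/\'">'
    '<a xlink:href="javascript:fetch(\'https://example.invalid/c\')">'
    '<text x="10" y="20">Open invoice</text></a></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("smuggled", SMUGGLED_SVG),
                       ("handler", HANDLER_SVG)):
        print(label, verdict(doc), scan_svg(doc))
```

The decode pass is what catches the encoded variant: the smuggled sample contains no literal `location` string, only `eval(atob("..."))`, and the redirect appears only after decoding. A parse failure is treated as a finding rather than an allow, because a truncated or deliberately malformed document is exactly what a lenient browser renderer would still try to display.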

“As attackers continuously evolve their tactics to bypass modern email and endpoint security solutions, it will become increasingly difficult to detect and mitigate phishing attempts,” Intezer researcher Yuval Guri said last month. “And despite advances in cybersecurity tools, many phishing campaigns are still successful in reaching users’ inboxes.”
