A newly detected spam campaign is leveraging legitimate remote monitoring and management (RMM) software, targeting organizations across Brazil since at least January 2025.
Cisco Talos researchers identified that actors are distributing commercial RMM tools, namely PDQ Connect and N-able Remote Access, through sophisticated phishing emails crafted in Portuguese.
These emails masquerade as official electronic invoices (NF-e), financial statements, or overdue bills sent by banks or telecom providers.
The campaign’s ultimate goal is to gain persistent and covert remote access to victim organizations’ systems.
The infection chain begins with a spam email containing links to malicious installers hosted on Dropbox.

The installers, camouflaged with filenames such as “AGENT_NFe_<random>.exe,” “Boleto_NFe_<random>.exe,” or similar, initiate the download and installation of a legitimate RMM agent.
Upon execution, the agent gives the attacker administrative access to the infected endpoint, including remote command execution, screen sharing, keylogging, and full file management capabilities.
Notably, the campaign is crafted to exploit free trial periods of these RMM tools, providing the threat actors with a zero-cost, feature-rich backdoor for up to 15 days.
Targeted Recipients and Threat Actor Profile
Analysis suggests the threat actors, likely operating as initial access brokers (IABs), are targeting C-level executives and accounts within finance, human resources, education, and government sectors.
The attackers register for RMM services using freely available email providers like Gmail and Proton Mail, often employing usernames themed after finance or billing departments.
In some cases, compromised personal email accounts are used to create additional trial registrations.
Talos observed that once trial accounts expire, access is terminated, and actors quickly shift to new accounts to circumvent restrictions.
No evidence points to the use of stolen enterprise credentials, further indicating the abuse of public trial sign-ups rather than credential theft.
Post-Exploitation Behavior and Infrastructure Challenges
While initial infection typically results in dormant access persisting for days, some victims later experience escalation where attackers remove security tools or install additional RMM agents.
These activities align with IAB objectives: building a network of compromised endpoints for eventual resale to ransomware groups or other malicious buyers.
The use of commercially signed RMM software complicates detection, as network traffic generated by these tools closely resembles legitimate enterprise activity, frequently leveraging HTTPS connections to cloud-hosted domains such as Amazon Web Services.
The campaign’s infrastructure includes multiple domains associated with N-able’s legitimate management interface, making attribution and signature-based detection more challenging.

Additionally, configuration files extracted from malicious installers reveal a pattern of finance-related spoofed accounts and evidence of compromised personal emails being abused in the trial registration process.
Organizations are urged to review their current controls and implement detection strategies for unauthorized RMM software usage.
Cisco’s suite of security products, including Secure Endpoint, Email, Firewall, Stealthwatch, Threat Grid, and Duo multifactor authentication, provides layered defense options to detect, block, and remediate such threats.
Open-source solutions like Snort and ClamAV also offer specific signatures for malware associated with this campaign.
Given the ease of access, low cost, and significant capability provided by modern RMM tools, experts anticipate an increase in similar abuse scenarios in future attack campaigns.
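One way to turn the two behaviours described above (invoice-themed installer names, and an RMM agent beaconing from a host where no RMM agent is expected) into detection logic, as an added example that is not Talos' tooling or part of the original report; the Sysmon-style events, the host inventory and the rmm-vendor.example domain are all constructed for this example:

```python
import re
from typing import Iterable

# Invoice-themed installer names the report describes ("AGENT_NFe_<random>.exe",
# "Boleto_NFe_<random>.exe"); the random suffix is matched as any alphanumeric run.
LURE_NAME = re.compile(r"^(?:agent|boleto)_nfe_[a-z0-9]+\.exe$", re.IGNORECASE)
# Hosts where an RMM agent is expected to run (constructed inventory).
APPROVED_RMM_HOSTS = {"it-jump-01"}
# Vendor cloud domains an RMM agent beacons to (constructed placeholder domain;
# substitute the management domains of the RMM products used in your environment).
RMM_DOMAINS = ("rmm-vendor.example",)


def is_rmm_domain(hostname: str) -> bool:
    """True if hostname equals one of RMM_DOMAINS or is a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in RMM_DOMAINS)


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one alert per event that matches either rule."""
    alerts = []
    for ev in events:
        host, image = ev["Computer"], ev.get("Image", "")
        name = image.rsplit("\\", 1)[-1]
        # Rule 1: process creation (Sysmon EventID 1) of an NF-e/boleto-named installer.
        if ev["EventID"] == 1 and LURE_NAME.match(name):
            alerts.append({"host": host, "rule": "lure_installer", "detail": name})
        # Rule 2: network connection (EventID 3) to an RMM vendor domain from a host
        # that is not in the approved RMM inventory.
        elif (ev["EventID"] == 3 and is_rmm_domain(ev.get("DestinationHostname", ""))
              and host not in APPROVED_RMM_HOSTS):
            alerts.append({"host": host, "rule": "unapproved_rmm_beacon",
                           "detail": ev["DestinationHostname"]})
    return alerts


# Constructed Sysmon-style events: a finance workstation runs a lure installer and
# then beacons to the vendor domain; an approved jump host beacons legitimately.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "fin-ws-07",
     "Image": r"C:\Users\ana\Downloads\Boleto_NFe_8f3a2c.exe"},
    {"EventID": 3, "Computer": "fin-ws-07", "Image": r"C:\Program Files\RMMAgent\agent.exe",
     "DestinationHostname": "upload1.rmm-vendor.example", "DestinationPort": 443},
    {"EventID": 3, "Computer": "it-jump-01", "Image": r"C:\Program Files\RMMAgent\agent.exe",
     "DestinationHostname": "upload1.rmm-vendor.example", "DestinationPort": 443},
    {"EventID": 1, "Computer": "hr-ws-02", "Image": r"C:\Windows\System32\notepad.exe"},
]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts, both for fin-ws-07; the jump host's beacon is suppressed because it is in the approved inventory, which is the key to keeping this rule quiet where RMM use is legitimate.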
Indicators of Compromise (IOC)