Security researchers are warning of a new campaign that has been targeting Portuguese-speaking users in Brazil with trial versions of commercial remote monitoring and management (RMM) software since January 2025.
“The email message uses the Portuguese electronic billing system, NF-e, as a trap to lure users into clicking hyperlinks and accessing malicious content hosted in Dropbox,” Cisco Talos researcher Guilherme Venere said in a Thursday statement.
The attack chains begin with specially crafted spam emails that claim to originate from financial institutions or cell phone carriers, warning of overdue bills or outstanding payments in order to trick users into clicking on bogus Dropbox links that point to a binary installer for the RMM tool.
Two notable RMM tools observed are and , granting attackers the ability to read and write files to the remote file system.
In some cases, the threat actors then use the remote capabilities of these agents to download and install additional RMM software such as ScreenConnect after the initial compromise.
Based on the common recipients observed, the campaign has been found to mainly target C-level executives and financial and human resources accounts across several industries, including some educational and government institutions.
It has also been assessed with high confidence that the activity is the work of an initial access broker (IAB) that’s abusing the free trial periods associated with various RMM programs to gain unauthorized access. N-able has since taken steps to disable the affected trial accounts.
“Adversaries’ abuse of commercial RMM tools has steadily increased in recent years,” Venere said. “These tools are of interest to threat actors because they are usually digitally signed by recognized entities and are a fully featured backdoor.”
“They also have little to no cost in software or infrastructure, as all of this is generally provided by the trial version application.”
The development comes amid the emergence of various phishing campaigns that are engineered to sidestep modern defenses and propagate a wide range of malware families, or collect victims’ credentials:
- A campaign conducted by a South American cybercrime group called to distribute the banking trojan to users in Mexico and Costa Rica
- A campaign that employs a legitimate file-sharing service named to bypass security protections and direct users to links hosting malware
- A campaign that uses to deliver the malware by means of a Microsoft Word document that’s susceptible to a years-old flaw in Equation Editor ( )
- A campaign that has targeted organizations in Spain, Italy, and Portugal using invoice-related themes to deploy a Java-based remote access trojan named that can execute remote commands, log keystrokes, capture screenshots, and steal sensitive data
- A campaign that uses a legitimate note-taking application known as Milanote and an adversary-in-the-middle (AitM) phishing kit dubbed to capture users’ credentials under the guise of viewing a “new agreement”
- Campaigns that use encoded JavaScript within SVG files, booby-trapped links in PDF attachments, dynamic phishing URLs that are rendered at runtime inside OneDrive-hosted files, and archived MHT payloads within OpenXML structures to direct users to credential harvesting or phishing pages
- Campaigns that abuse Cloudflare’s to deploy malware like
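As an added example (not code from the article or from any of the vendors named in it), the following Python check covers one of the lures listed above: it flags SVG attachments that carry embedded JavaScript via script elements, event-handler attributes, javascript: links or foreignObject content. The sample SVGs are constructed for the demonstration.

```python
"""Flag SVG attachments that carry embedded script (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed samples: a plain drawing and a lure-style SVG with script hooks.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
    b'<script>/* constructed sample */</script>'
    b'<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:void(0)">'
    b'<text>Open invoice</text></a></svg>'
)


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as {http://...} from a tag/attribute."""
    return name.rsplit("}", 1)[-1].lower()


def svg_script_indicators(svg_bytes: bytes) -> list[str]:
    """Return the reasons an SVG looks scripted; an empty list means none found.

    Checks <script> and <foreignObject> elements, on* event-handler attributes,
    and href/xlink:href values that navigate to javascript: or data:text/html.
    Unparseable XML is reported as well, because mail renderers are lenient
    and may still display what a strict parser rejects.
    """
    reasons: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]
    for el in root.iter():
        name = _local(el.tag) if isinstance(el.tag, str) else ""
        if name == "script":
            reasons.append("<script> element")
        elif name == "foreignobject":
            reasons.append("<foreignObject> element")
        for attr, value in el.attrib.items():
            a, v = _local(attr), value.strip().lower()
            if a.startswith("on"):          # onload, onclick, onbegin, ...
                reasons.append(f"event handler attribute {a}")
            elif a == "href" and re.match(r"^(javascript:|data:text/html)", v):
                reasons.append(f"{a}={v[:40]!r}")
    return reasons


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG)):
        print(label, svg_script_indicators(blob))
```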
“Attackers continuously evolve tactics to bypass modern email and endpoint security solutions, making detecting and mitigating phishing attempts increasingly difficult,” Intezer researcher Yuval Guri noted last month. “And despite advancements in cybersecurity tools, many phishing campaigns still successfully reach users’ inboxes.”