Cybercriminals Weaponize Remote Access Software in a New Wave of Attacks Targeting Brazilian Organizations
A new and carefully planned cyber threat is sweeping across Brazil, and it is not the usual phishing campaign. Since January 2025, a campaign designed to abuse legitimate remote monitoring and management (RMM) software has targeted enterprises across the country. What sets it apart is its use of tools that many organizations already trust, PDQ Connect and N-able Remote Access, turning them into covert channels of compromise.
Cisco Talos researchers have found that attackers are sending convincing emails in Portuguese, posing as overdue bills, tax documents, or bank invoices. The emails contain links to malicious installers hosted on Dropbox which, when executed, install legitimate RMM agents. Those agents give attackers deep administrative access to victims' systems, from remote command execution to keylogging and file exfiltration, all without raising alarms.
Particularly alarming is the abuse of the free trial periods offered by RMM vendors, which give the criminals up to 15 days of full control at no cost. The targets are C-level executives and key departments such as finance and HR, especially in government, education, and corporate environments. The threat actors, likely operating as initial access brokers, aim to sell access to compromised systems to larger cybercrime operations, including ransomware groups.
The campaign is stealthy and technically challenging to detect due to its use of legitimate infrastructure, HTTPS encryption, and commercially signed software, blending seamlessly into enterprise networks.
Inside the Attack: How
Campaign Origins: Traced back to at least January 2025, originating with sophisticated phishing emails in Brazilian Portuguese.
Masquerading as Legitimate: Emails appear as NF-e tax invoices, telecom bills, or financial statements, tricking users into downloading malware.
Payload Distribution: Links in emails lead to Dropbox-hosted RMM installers with deceptive filenames like AGENT_NFe_<random>.exe.
Legitimate Tools, Malicious Use: PDQ Connect and N-able Remote Access, both real RMM tools, are used to gain access.
Trial Abuse: Hackers exploit the tools’ free trial periods for up to 15 days of covert remote access.
Powerful Capabilities: Once installed, attackers can execute commands, monitor users, manipulate files, and more.
Targeted Departments: C-level executives, finance, HR, government, and education sectors are the main targets.
Tactics and Infrastructure: Use of Gmail/ProtonMail for registering trial accounts and spoofed finance-related usernames.
Persistence and Escalation: Some infections lie dormant before escalating to removing security tools or installing new RMM agents.
Detection Difficulties: Signed software and HTTPS traffic mimic legitimate enterprise activity, complicating detection.
Infrastructure Complexity: Attackers use domains tied to real N-able services, muddying attribution and detection.
Post-Infection Activities: Indications point to compromised personal emails used to register new accounts, ensuring continued access.
Indicators of Compromise (IOCs): Several malicious domains and file hashes have been identified.
Security Recommendations: Organizations are urged to strengthen RMM monitoring and to deploy solutions such as Cisco Secure Endpoint, Stealthwatch, and the open-source Snort and ClamAV.
Expert Concerns: Given the cost-efficiency and stealth of RMM abuse, more campaigns are expected globally.
What Undercode Says:
The sophistication of this campaign marks a significant shift in how cybercriminals operate: they subvert trust. Rather than writing or deploying new malware from scratch, the attackers take advantage of tools that are already widely accepted in corporate IT environments. PDQ Connect and N-able Remote Access, while invaluable for legitimate system management, become high-risk entry points when installed under false pretenses.
Abusing trial access is a brilliant move by the threat actors. It eliminates the need for cracked software or stolen licenses while ensuring full functionality. The use of legitimate infrastructure also makes detection exceptionally difficult for traditional security tools. Since these RMM tools use HTTPS connections and cloud services like AWS, security analysts must now look deeper into behavioral anomalies rather than relying on signature-based detection alone.
This campaign is not just about initial compromise; it is about long-term persistence and silent access. Leaving an endpoint dormant for days before taking action reflects a patient and strategic mindset, likely aligned with IAB (Initial Access Broker) goals. These brokers specialize in breaching systems, maintaining covert access, and then selling that access to higher-level threat actors, such as ransomware gangs or data exfiltration specialists.
One key concern is the targeting of financial and administrative departments. If attackers gain access to systems handling payroll, accounts payable, or internal communications, they can redirect funds, harvest sensitive credentials, or impersonate executives. This has a cascading effect that could cripple an organization financially and reputationally.
From an infrastructure standpoint, the attackers’ clever use of Dropbox and N-able domains makes attribution harder and evasion easier. These tactics challenge existing firewall and endpoint defenses, requiring security teams to pivot toward anomaly detection and endpoint behavioral analytics. Furthermore, this tactic reveals a growing trend in the “living off the land” approach, where attackers use tools already present in environments to minimize their digital footprint.
The psychological dimension
In terms of mitigation, organizations must urgently review their RMM usage policies. Any unsanctioned remote tool, especially one running under a free trial license, should be flagged immediately. Authentication, logging, and real-time alerting must be enforced for RMM-related actions. It is also vital to restrict outbound traffic to cloud RMM services to those that have been explicitly approved.
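The two checks this paragraph calls for, an inventory sweep for RMM agents on hosts that were never sanctioned and a proxy-log sweep for the Dropbox-hosted AGENT_NFe_<random>.exe lure described above, as an added example that is not part of the Talos report or this article. The inventory entries, product display names, host names, URLs and log format are all constructed for the illustration, and the approved-host policy is an assumption.

```python
import re
from typing import NamedTuple

# Constructed sample data (not from the report): a software-inventory export of
# (hostname, product display name, vendor) and a few web-proxy log lines.
INVENTORY = [
    ("FIN-PC-01", "PDQ Connect Agent", "PDQ.com"),
    ("HR-PC-07", "N-able Remote Access", "N-able"),
    ("IT-ADMIN-02", "N-able Remote Access", "N-able"),
    ("CEO-LAPTOP", "Microsoft Office", "Microsoft"),
]
# Assumed policy: the only hosts where each RMM product is sanctioned.
APPROVED_RMM = {"N-able Remote Access": {"IT-ADMIN-02"}}
RMM_PRODUCTS = {"PDQ Connect Agent", "N-able Remote Access"}

PROXY_LOG = """\
2025-02-03T10:14:22Z FIN-PC-01 GET https://www.dropbox.com/scl/fi/abc/AGENT_NFe_83kd2.exe?dl=1 200
2025-02-03T10:20:05Z CEO-LAPTOP GET https://www.dropbox.com/scl/fi/def/quarterly_report.pdf?dl=1 200
2025-02-03T11:02:41Z HR-PC-07 GET https://www.dropbox.com/s/ghi/AGENT_NFe_x7q1p.exe?dl=1 200
"""

# Lure naming reported for the campaign: AGENT_NFe_<random>.exe, fetched from Dropbox.
LURE_RE = re.compile(r"/(AGENT_NFe_[A-Za-z0-9]+\.exe)", re.IGNORECASE)
DROPBOX_RE = re.compile(r"https://(www\.)?dropbox\.com/", re.IGNORECASE)

class Finding(NamedTuple):
    host: str
    reason: str

def unsanctioned_rmm(inventory, approved, rmm_products):
    """Flag RMM agents installed on hosts outside the sanctioned set for that product."""
    findings = []
    for host, product, _vendor in inventory:
        if product in rmm_products and host not in approved.get(product, set()):
            findings.append(Finding(host, f"unsanctioned RMM agent: {product}"))
    return findings

def lure_downloads(log_text):
    """Flag executables matching the lure naming that were downloaded from Dropbox."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:          # skip malformed or empty lines
            continue
        host, url = parts[1], parts[3]
        m = LURE_RE.search(url)
        if DROPBOX_RE.match(url) and m:
            findings.append(Finding(host, f"Dropbox-hosted lure installer: {m.group(1)}"))
    return findings
```

Both checks are deliberately behavioral rather than signature-based: the agents are legitimately signed, so the anomaly is where they appear and how they arrived, not what they are.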
Ultimately, this campaign is a wake-up call. It showcases how legitimate IT tools,
References:
Reported By: cyberpress.org