Brazilian Executives Targeted by RMM Malware: Phishing Campaigns Exploiting NF-e Invoices

Cybersecurity researchers have uncovered a new, highly targeted phishing campaign that’s actively preying on Portuguese-speaking professionals in Brazil. Since January 2025, attackers have been leveraging the widespread familiarity with Brazil’s electronic invoicing system (NF-e) to distribute commercial Remote Monitoring and Management (RMM) tools—originally designed for legitimate IT use—as stealthy malware loaders.

This campaign, discovered and analyzed by Cisco Talos, is particularly insidious: rather than relying on homegrown malware, it uses free trial versions of trusted RMM software such as N-able RMM, PDQ Connect, and ScreenConnect. These tools are typically digitally signed and well-established in IT ecosystems, making them more likely to evade detection by antivirus or endpoint protection platforms. By manipulating these legitimate tools, attackers gain backdoor access into corporate networks, targeting C-suite executives and finance or HR personnel across industries—including education and government.

The Threat in Brief:

Start of Campaign: Began in January 2025.
Target Demographic: Portuguese-speaking users in Brazil, especially corporate executives and financial departments.
Attack Vector: Phishing emails claiming to be from banks or telecom providers.
Lure Used: Fake warnings about overdue payments with links mimicking Brazilian NF-e invoices.
Payload Delivery: Dropbox links leading to trial installers of commercial RMM software.
Primary Tools Abused: N-able RMM Remote Access, PDQ Connect, later followed by ScreenConnect.
Capabilities Gained: Read/write access to remote systems, install additional payloads.
Adversary Profile: Likely an Initial Access Broker (IAB) abusing RMM trial versions.
Purpose: Selling access or preparing systems for follow-up ransomware, spyware, or data theft.
Stealth Tactics: Signed software appears legitimate, reducing the chance of detection.
Corporate Victims: Includes sectors like education, government, and finance.
Detection Challenges: High, due to use of commercial tools and trusted file-sharing platforms.
Preventive Measures: N-able has disabled some abused trial accounts.
Wider Trend: Part of a broader pattern of attackers misusing commercial tools.

Related Threats:
Hive0148 using Grandoreiro in Latin America.
GetShared and Milanote misused in phishing operations.
Formbook spread through old Microsoft Word vulnerabilities.
Java-based Ratty RAT attacks in southern Europe.
SVG/JS hybrid phishing, OneDrive-based credential harvesting, and more.

Tactics Employed:
Exploiting old CVEs.
Using dynamic phishing URLs.
Leveraging legitimate cloud services like Cloudflare tunnels.

Industry Response: Awareness campaigns, trial restrictions, and improved filtering needed.
Real-World Impact: Increased infiltration of corporate networks with minimal effort or cost.

What Undercode Says:

The rise of RMM abuse in phishing attacks marks a shift in cybercriminal strategies from amateur malware distribution to sophisticated abuse of trusted enterprise software. Here’s a breakdown of what this means:

Weaponizing Trust: Tools like N-able and PDQ are legitimate and digitally signed, which makes them extremely effective as initial access vectors. The attackers don’t need to write malware from scratch; instead, they exploit trust.

Initial Access Brokers Are Scaling: These brokers thrive on fast, cheap infiltration. By abusing free trials, they circumvent licensing costs and infrastructure hurdles, selling access to more capable threat actors down the line.

Brazil’s Regulatory Weakness Is a Vector: The NF-e system, while beneficial for transparency, has become a lure for phishing campaigns. Attackers exploit the average user’s familiarity and compliance habits to encourage clicks.

Cloud Infrastructure as a Weapon: Dropbox, GetShared, OneDrive, and even Cloudflare tunnels are being hijacked for malicious use. These services are hard to block due to their wide adoption in enterprise workflows.

Multi-Stage Infection Chains: Initial infections now act as beachheads. Once inside, attackers escalate by dropping secondary payloads or deploying RATs like Ratty RAT, expanding control.

Geopolitical Patterns: The prevalence of Latin American campaigns suggests organized, region-specific threat actors. Groups like Hive0148 are strategically targeting vulnerable nations with lower cybersecurity budgets and higher digital penetration.

Endpoint Detection Evasion: Digitally signed RMM tools can often bypass antivirus and endpoint protection because they’re “clean” by default. Traditional malware signatures or heuristic scans won’t catch these.

Hybrid Campaigns: The blending of phishing with document exploits (e.g., CVE-2017-11882) and cloud delivery means defenders need layered protections—not just good email filtering.

Crisis in Human Resource Security: Targeting HR and finance departments is strategic. These employees handle sensitive data and may be less trained in spotting sophisticated phishing attempts compared to IT staff.

Recommendations:

Endpoint detection must adapt to detect misuse of legitimate tools.
Security awareness training should include threats posed by “trusted” software.
Companies should monitor for unauthorized RMM installations on internal devices.
Free trial signups from corporate networks should be audited and restricted.
Deep packet inspection and behavioral analysis should be enabled where possible.
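The third recommendation above (monitoring for unauthorized RMM installations) is the one defenders can act on most directly. The script below is an added illustration, not code from the article or from Cisco Talos: it audits a software-inventory export against a per-host-group allowlist and flags any of the three RMM products named in the article that appear where they are not sanctioned. The host names, host groups, the allowlist policy, and the inventory rows are constructed for the example, and the name patterns used to recognise each product are assumptions that should be tuned against a real inventory feed.

```python
"""
Added example (not from the article or Cisco Talos): flag commercial RMM
tools installed on hosts where no RMM, or a different RMM, is approved.
Host names, groups, the allowlist and the inventory rows are constructed.
"""
import re
from dataclasses import dataclass

# The RMM products named in the article, with patterns for how they tend to
# appear in display-name / publisher fields. Patterns are assumptions; tune
# them against your own inventory data and keep word boundaries to avoid
# false positives such as "Enable..." matching "N-able".
RMM_SIGNATURES = {
    "N-able RMM": re.compile(r"\bn-?able\b|advanced monitoring agent|take control", re.I),
    "PDQ Connect": re.compile(r"\bpdq\s*connect\b", re.I),
    "ScreenConnect": re.compile(r"screenconnect|connectwise control", re.I),
}

# Constructed policy: which RMM product (if any) is sanctioned per host group.
# Executive and server hosts get no RMM at all in this example.
APPROVED = {
    "helpdesk": {"PDQ Connect"},
    "servers": set(),
    "executives": set(),
}


@dataclass
class Finding:
    host: str
    group: str
    product: str
    raw_name: str
    publisher: str


def classify(text):
    """Return the RMM product a display-name/publisher string refers to, else None."""
    for product, pattern in RMM_SIGNATURES.items():
        if pattern.search(text):
            return product
    return None


def audit_inventory(rows, approved=APPROVED):
    """rows: 'host,group,display_name,publisher' lines (e.g. a CSV export).

    Returns a list of Finding for every RMM install that the host's group
    does not approve. Unknown groups are treated as approving nothing.
    """
    findings = []
    for line in rows:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, group, display_name, publisher = [f.strip() for f in line.split(",", 3)]
        # Match on both fields: a trial installer may carry a generic display
        # name while the signed publisher still identifies the vendor.
        product = classify(f"{display_name} {publisher}")
        if product is None or product in approved.get(group, set()):
            continue
        findings.append(Finding(host, group, product, display_name, publisher))
    return findings


# Constructed sample inventory export (not real hosts or real data).
SAMPLE_INVENTORY = """
# host,group,display_name,publisher
HD-01,helpdesk,PDQ Connect Agent,PDQ.com
HD-01,helpdesk,Google Chrome,Google LLC
CFO-LAPTOP,executives,ScreenConnect Client (abcd1234),ScreenConnect Software
HR-07,executives,Advanced Monitoring Agent,N-able Technologies
FS-02,servers,Microsoft Edge,Microsoft Corporation
""".strip().splitlines()


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"[UNAPPROVED RMM] host={f.host} group={f.group} product={f.product} "
              f"(installed as '{f.raw_name}', publisher '{f.publisher}')")
```

Run against the constructed rows, the helpdesk machine's PDQ Connect install is accepted, while the ScreenConnect client on the executive laptop and the N-able agent on the HR workstation are reported. Feeding the same function a real export (endpoint-management inventory, or the uninstall registry keys collected by an EDR) turns the article's recommendation into a repeatable control, and the allowlist makes the check policy-driven rather than a blanket ban on RMM software.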

The broader message? Cybercriminals are no longer just code writers—they’re skilled social engineers and IT strategists. Security must evolve from blocking malware to understanding behavior, trust signals, and internal policy weaknesses.

Fact Checker Results:

Accuracy: The use of trial versions of RMM tools in phishing campaigns has been confirmed by Cisco Talos.
Attribution: There is strong evidence pointing to Initial Access Brokers, particularly due to the monetization patterns observed.
Threat Scope: Consistent with global uptick in the abuse of cloud and commercial IT tools for malicious purposes.

Prediction:

As abuse of RMM software grows, expect to see security vendors implement stricter verification and access controls for trial accounts. Detection tools will need to incorporate behavioral analytics that flag unusual remote access activity, even from signed applications. Meanwhile, Initial Access Brokers will continue exploring untapped global markets where language-specific phishing and regulatory gaps make infiltration easier—Latin America, Southeast Asia, and parts of Eastern Europe are next in line.

References:

Reported By: thehackernews.com