Hackers are now leveraging legitimate tools like Kickidler to deepen their intrusions, harvest credentials, and stealthily breach backups.
As cybercrime evolves, so too do the tools and tactics used by malicious actors. In a disturbing new trend, ransomware operators have begun deploying Kickidler, a legitimate employee monitoring tool, to conduct reconnaissance and exfiltrate credentials in post-compromise environments. Observed by security firms Varonis and Synacktiv, ransomware groups like Qilin and Hunters International have integrated this method into campaigns that start with deceptive Google Ads and end with the encryption of critical enterprise infrastructure.
Unlike traditional malware, Kickidler offers cybercriminals a stealthy, low-risk way to monitor victims’ activity and harvest credentials. Originally intended for productivity tracking in workplaces, the software is being abused to help attackers sidestep more detectable data-exfiltration tactics. This strategic shift is a stark reminder that legitimate tools can become powerful weapons in the wrong hands.
Inside the Ransomware Reconnaissance Campaign: 30-Line Digest
Cybersecurity firms Varonis and Synacktiv have uncovered a campaign where ransomware actors use Kickidler, an employee monitoring tool, as part of a broader attack strategy.
These attacks involve Qilin and Hunters International—two ransomware groups known for targeting high-value systems.
Kickidler, although legitimate, provides attackers with screen recording, keylogging, and credential-capturing capabilities without setting off traditional malware alarms.
The attacks typically begin with malicious Google Ads, which lure users into downloading a trojanized version of RVTools, a VMware management tool.
Clicking the ad directs victims to a fake site (rv-tool[.]net), where the infected installer downloads the SMOKEDHAM backdoor.
SMOKEDHAM then deploys Kickidler to monitor and extract sensitive administrator credentials.
Administrators’ machines are the primary targets, as their credentials often grant wide access across an organization’s network.
The hackers reportedly maintained access for days or even weeks, silently collecting data to gain entry into cloud-based backup systems.
These tactics bypass increasingly common security controls like decoupled backup authentication, which prevents credential reuse.
Instead of using memory dumps or detectable scripts, Kickidler captures keystrokes and web activity, ensuring a low profile.
Once reconnaissance is complete, the attackers resume malicious activity and deploy ransomware payloads across virtual environments.
Using VMware PowerCLI and WinSCP automation, Hunters International activated SSH on ESXi servers and triggered ransomware execution.
These actions led to the encryption of VMDK virtual disks, causing significant operational disruptions.
The use of Kickidler signals a shift from brute-force techniques to subtle, persistent surveillance.
Cybercriminals have long used legitimate RMM tools, but Kickidler’s use indicates an escalation in tool sophistication.
Agencies like CISA, NSA, and MS-ISAC previously warned about abuse of remote tools like SimpleHelp to plant backdoors.
Several federal civilian executive branch networks were compromised through similar tactics.
Attackers often disguise remote tools as portable apps, evading administrative privilege checks.
SimpleHelp has been exploited to create admin accounts and stage Akira ransomware deployments.
Experts stress the need for organizations to audit installed remote access software regularly.
Use of application whitelisting and strict execution policies for remote tools is essential.
Security teams should ensure only approved tools like VPN or VDI are used for remote access.
Blocking standard RMM ports when not in use can limit potential attack surfaces.
Kickidler’s global presence (used by over 5,000 organizations in 60 countries) makes its misuse even more alarming.
Cybersecurity professionals must now consider monitoring tools as potential insider threats.
MITRE ATT&CK analysis reveals that 10 key techniques account for 93% of all attacks, highlighting the need for targeted defense strategies.
The battlefront is no longer limited to malware—weaponized legitimate software is the new threat vector.
Enterprises must combine user behavior analytics, endpoint monitoring, and threat intelligence for a layered defense.
What Undercode Says: Strategic Weaponization of Trustworthy Tools
The exploitation of Kickidler in ransomware campaigns represents a new chapter in cyberattack strategy. While Remote Monitoring and Management (RMM) tools have long been misused by threat actors, Kickidler’s misuse introduces a far more calculated threat vector. Unlike traditional RMM software that offers immediate remote access, Kickidler operates quietly in the background—recording, logging, and analyzing.
From an attacker’s standpoint, this is a goldmine. The software enables them to watch, wait, and gather credentials with near-zero footprint. There’s no need to perform memory scraping or use advanced password dumpers—techniques that usually trigger security alerts. Instead, attackers simply observe administrators entering passwords, especially those for off-site cloud backups.
This tactic is particularly dangerous in environments where backup authentication has been decoupled from domain credentials. While this is a smart defensive move, attackers are now adapting by going after human behavior instead of system weaknesses. They patiently log every keystroke and URL visited, constructing a map of the organization’s recovery infrastructure.
Once they’re armed with sufficient knowledge and access, they shift to the destructive phase: deploying ransomware across VMware ESXi servers. Leveraging tools like VMware PowerCLI, they automate the entire encryption process. In the attack’s final act, the organization’s most vital assets—its virtual machines—are locked behind paywalls.
This campaign highlights a troubling shift in attack methodology. Ransomware actors no longer rely solely on brute-force intrusion or phishing. They now conduct reconnaissance like espionage agents, taking their time to infiltrate deep into the organization’s core systems.
Moreover, the use of malicious Google Ads shows their increasing reliance on social engineering and ad networks. Search engine poisoning allows them to intercept users seeking common IT tools like RVTools, making even routine software downloads potentially hazardous.
The integration of Kickidler also challenges assumptions about “safe” software. Security teams often whitelist employee monitoring tools, assuming they’re benign. But this case proves that anything with the ability to record or transmit data can be turned against you.
For defenders, this is a wake-up call. Monitoring solutions need to be as heavily scrutinized as RMM tools. Behavioral analytics should flag unusual deployment of tools like Kickidler, especially in environments where such software is not commonly used.
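One way to turn the recommendations above (audit installed remote-access software, allow only sanctioned VPN/VDI clients, flag rare deployments of monitoring agents and portable installs that sidestep privilege checks) into a fleet-wide check. This is an added example, not code from the article, Varonis, Synacktiv or Kickidler; the inventory records, host names, product strings and install paths are constructed, and the product keyword list only carries the two names the article mentions.

```python
# Added example: audit a software inventory (e.g. exported from Add/Remove Programs
# or an EDR) for employee-monitoring / RMM agents outside the approved list.
from collections import defaultdict
from dataclasses import dataclass

# Keywords for monitoring/RMM products; the article names these two, extend as needed.
MONITORING_OR_RMM = {"kickidler", "simplehelp"}
# The only sanctioned remote-access channels (the article: VPN or VDI). Hypothetical names.
APPROVED = {"corp vpn client", "corp vdi client"}
# Install roots typically writable without admin rights: a hint of a "portable" drop.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

@dataclass(frozen=True)
class Install:
    host: str
    product: str   # display name as reported by the inventory source
    path: str      # main executable path

def audit(inventory, rare_threshold=0.15):
    """Return (host, product, reason) findings. A monitoring/RMM agent is 'rare'
    when it is present on fewer than rare_threshold of all inventoried hosts."""
    hosts = {i.host for i in inventory}
    hosts_per_product = defaultdict(set)
    for i in inventory:
        hosts_per_product[i.product.lower()].add(i.host)
    findings = []
    for i in inventory:
        name = i.product.lower()
        if name in APPROVED:
            continue
        reasons = []
        if any(tool in name for tool in MONITORING_OR_RMM):
            reasons.append("unapproved monitoring/RMM agent")
            share = len(hosts_per_product[name]) / len(hosts)
            if share < rare_threshold:
                reasons.append(f"rare deployment ({share:.0%} of hosts)")
        if i.path.lower().startswith(USER_WRITABLE_ROOTS):
            reasons.append("runs from user-writable path (portable install?)")
        if reasons:
            findings.append((i.host, i.product, "; ".join(reasons)))
    return findings

# Constructed sample inventory: 10 hosts, one admin workstation carrying a
# monitoring agent dropped under the user's Temp directory.
INVENTORY = [Install(f"ws-{n}", "Corp VPN Client", "C:\\Program Files\\CorpVPN\\vpn.exe")
             for n in range(101, 109)] + [
    Install("admin-ws01", "Kickidler", "C:\\Users\\jsmith\\AppData\\Local\\Temp\\kickidler\\agent.exe"),
    Install("admin-ws01", "Corp VPN Client", "C:\\Program Files\\CorpVPN\\vpn.exe"),
    Install("helpdesk-01", "SimpleHelp Remote Access", "C:\\Program Files\\SimpleHelp\\remote.exe"),
    Install("ws-101", "Notepad Portable", "C:\\Users\\amber\\Downloads\\notepad.exe"),
]

if __name__ == "__main__":
    for host, product, reason in audit(INVENTORY):
        print(f"{host}: {product} -> {reason}")
```

The rare-deployment heuristic is what catches a monitoring agent in an environment that does not normally run one; in a company that legitimately uses Kickidler everywhere, only the unapproved-path and allowlist checks fire.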
In essence, we’re seeing the weaponization of trust. The very tools designed to secure or monitor business activity are now being deployed as covert surveillance by malicious actors. Defenders must evolve—rapidly—before this method becomes standard practice across the ransomware ecosystem.
Fact Checker Results
Kickidler is indeed a legitimate employee monitoring tool with over 5,000 clients globally.
Varonis and Synacktiv have publicly reported its use in ransomware operations.
CISA and other federal bodies have long warned of RMM abuse, confirming the broader trend.
Prediction
With the success of these stealthy, software-based reconnaissance tactics, ransomware groups will likely escalate their use of legitimate enterprise tools in future campaigns. Expect more supply chain infiltration, increased abuse of advertising platforms, and expanded attacks against backup and virtualization systems. Organizations must pivot from reactive defenses to proactive behavioral monitoring and tight software access controls—or risk becoming the next silent victim.
References:
Reported By: www.bleepingcomputer.com