Cybersecurity researchers are warning of a new campaign that’s targeting Portuguese-speaking users in Brazil with trial versions of commercial remote monitoring and management (RMM) software since January 2025.
“The spam message uses the Brazilian electronic invoice system, NF-e, as a lure to entice users into clicking hyperlinks and accessing malicious content hosted in Dropbox,” Cisco Talos researcher Guilherme Venere said in a Thursday report.
The attack chains begin with specially crafted spam emails that claim to originate from financial institutions or cell phone carriers, warning of overdue bills or outstanding payments in order to trick users into clicking on bogus Dropbox links that point to a binary installer for the RMM tool.
Two notable RMM tools observed are N-able RMM Remote Access and PDQ Connect, granting attackers the ability to read and write files to the remote file system.
In some cases, the threat actors then use the remote capabilities of these agents to download and install an additional RMM software such as ScreenConnect after the initial compromise.
Based on the common recipients observed, the campaign has been found to mainly target C-level executives and financial and human resources account across several industries, including some educational and government institutions.
It has also been assessed with high confidence that the activity is the work of an initial access broker (IAB) that’s abusing the free trial periods associated with various RMM programs to gain unauthorized access. N-able has since taken steps to disable the affected trial accounts.
“Adversaries’ abuse of commercial RMM tools has steadily increased in recent years,” Venere said. “These tools are of interest to threat actors because they are usually digitally signed by recognized entities and are a fully featured backdoor.”
“They also have little to no cost in software or infrastructure, as all of this is generally provided by the trial version application.”
The development comes amid the emergence of various phishing campaigns that are engineered to sidestep modern defenses and propagate a wide range of malware families, or collect victims’ credentials –
- A campaign conducted by a South American cybercrime group called Hive0148 to distribute the Grandoreiro banking trojan to users in users in Mexico and Costa Rica.
- A campaign that employs a legitimate file-sharing service named GetShared to bypass security protections and direct users to links hosting malware
- A campaign that uses sales order-themed lures to deliver the Formbook malware by means of a Microsoft Word document that’s susceptible to a years-old flaw in Equation Editor (CVE-2017-11882)
- A campaign that has targeted organizations in Spain, Italy, and Portugal using invoice-related themes to deploy a Java-based remote access trojan named Ratty RAT that can execute remote commands, log keystrokes, capture screenshots, and steal sensitive data
- A campaign that uses a legitimate note-taking application known as Milanote and an adversary-in-the-middle (AitM) phishing kit dubbed Tycoon 2FA to capture users’ credentials under the guise of viewing a “new agreement”
- Campaigns that utilize encoded JavaScript within SVG files, booby-trapped links in PDF attachments, dynamic phishing URLs that are rendered at runtime inside OneDrive-hosted files, and archived MHT payloads within OpenXML structures to direct users to credential harvesting or phishing pages
- Campaigns that abuse Cloudflare’s TryCloudflare tunneling feature to deploy malware like AsyncRAT
“Attackers continuously evolve tactics to bypass modern email and endpoint security solutions, making detecting and mitigating phishing attempts increasingly difficult,” Intezer researcher Yuval Guri noted last month. “And despite advancements in cybersecurity tools, many phishing campaigns still successfully reach users’ inboxes.”
