EXECUTIVE SUMMARY:
A phishing campaign has been identified targeting organizations in Brazil through convincing business-document and fiscal-themed lures. Rather than relying on traditional malware, the operation abuses legitimate remote management software to gain access to victim systems. The attack leverages common business workflows, including invoices, procurement records, tax documents, and other administrative files, making the malicious activity appear routine and increasing the likelihood of user interaction.
The attack chain began with phishing emails containing links routed through trusted third-party redirection services before directing victims to Portuguese-language phishing pages. These sites impersonated well-known business and government-related services and presented users with a fake verification process. Once completed, victims were prompted to download what appeared to be a protected document. Instead, the download delivered a legitimate NinjaOne Remote Monitoring and Management (RMM) agent configured to establish remote access to attacker-controlled infrastructure. The campaign incorporated geofencing, browser fingerprinting, sandbox detection, anti-bot controls, and user-interaction validation mechanisms to limit exposure and evade security analysis. By abusing trusted enterprise software rather than deploying custom malware, the operators were able to blend malicious activity with normal business operations.
This activity reveals a growing trend in which threat actors leverage legitimate administrative tools and routine business workflows to achieve initial access and persistence. The use of trusted remote management software significantly reduces suspicion while providing attackers with effective remote-control capabilities. Organizations should strengthen phishing defenses, closely monitor the deployment of remote administration tools, and validate unexpected document-download requests to reduce the risk posed by similar abuse chains.
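One defender-side check for the monitoring recommendation above, added here as an illustrative example (it is not code from the report, the cited sources, or NinjaOne): it scans constructed process-creation records and flags a remote-management agent executed outside an approved deployment path, which is the pattern a user-downloaded "protected document" produces. The agent binary name, the approved parent processes and the sample records are assumptions to be replaced with the organisation's own inventory and telemetry.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed, not taken from the report: the NinjaOne agent binary name and the
# parent processes that legitimately install software in this organisation.
RMM_AGENT_NAMES = {"ninjarmmagent.exe"}                 # hypothetical watch list
APPROVED_INSTALLER_PARENTS = {"ccmexec.exe", "services.exe"}  # hypothetical
USER_DOWNLOAD_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")

# Records are a constructed key="value" format resembling a process-creation event.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    host: str
    user: str
    image: str
    parent: str
    reasons: tuple


def parse_event(line: str) -> dict:
    """Parse one key="value" record into a dict with lower-cased keys."""
    return {k.lower(): v for k, v in FIELD_RE.findall(line)}


def assess(event: dict) -> Optional[Finding]:
    """Return a Finding when an RMM agent starts outside the approved deployment path."""
    image = event.get("image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name not in RMM_AGENT_NAMES:
        return None  # not an RMM agent launch, nothing to assess
    parent = event.get("parentimage", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if parent not in APPROVED_INSTALLER_PARENTS:
        reasons.append(f"launched by unapproved parent process {parent}")
    if any(hint in image.lower() for hint in USER_DOWNLOAD_HINTS):
        reasons.append("agent binary located in a user download or temp directory")
    if not reasons:
        return None  # approved deployment, e.g. service start from Program Files
    return Finding(event.get("computer", ""), event.get("user", ""), image, parent, tuple(reasons))


def scan(lines) -> list:
    """Run assess() over every record and keep only the findings."""
    return [f for f in (assess(parse_event(line)) for line in lines) if f]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    'Computer="WS-BR-014" User="CORP\\ana.silva" Image="C:\\Users\\ana.silva\\Downloads\\NinjaRMMAgent.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'Computer="WS-BR-022" User="NT AUTHORITY\\SYSTEM" Image="C:\\Program Files\\NinjaRMMAgent\\NinjaRMMAgent.exe" ParentImage="C:\\Windows\\System32\\services.exe"',
    'Computer="WS-BR-031" User="CORP\\joao.costa" Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.host, finding.user, finding.image, "; ".join(finding.reasons))
```

Only the first sample record is reported: a user-context launch of the agent from a Downloads folder with Explorer as parent, while the service-started agent under Program Files passes as an approved deployment.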
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Reconnaissance | T1590.005 | Gather Victim Network Information | IP Addresses |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204.002 | User Execution | Malicious File |
| Stealth | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Stealth | T1497.002 | Virtualization/Sandbox Evasion | User Activity Based Checks |
| Stealth | T1027.010 | Obfuscated Files or Information | Command Obfuscation |
| Stealth | T1070.004 | Indicator Removal | File Deletion |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| Command and Control | T1219.002 | Remote Access Tools | Remote Desktop Software |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-abuse-legitimate-ninjaone-rmm-software/
https://www.catonetworks.com/blog/cato-ctrl-previously-undocumented-ninjaone-rmm-abuse-chain/