Threat actors target Brazil execs in phishing campaign

Cybersecurity researchers have uncovered a phishing campaign aimed at Portuguese-speaking users in Brazil, which exploits trial versions of commercial remote monitoring and management (RMM) tools to gain unauthorized access to corporate systems, reports The Hacker News.
The campaign, which has been active since January 2025, uses spoofed emails mimicking financial institutions or telecom providers and leverages Brazil's electronic invoice system (NF-e) as a lure. The messages direct recipients to Dropbox-hosted links containing RMM installers such as N-able RMM Remote Access and PDQ Connect. Once the RMM software is installed, attackers use its capabilities to manipulate remote systems, often deploying additional tools like ScreenConnect. The campaign primarily targets C-level executives and finance or human resources personnel across sectors, including education and government. Researchers believe the activity is linked to an initial access broker exploiting free trial versions to reduce operational costs and avoid detection. N-able has since deactivated impacted trial accounts. The findings come amid a broader rise in phishing campaigns that bypass modern security defenses using varied methods such as legitimate platforms, exploit-laden documents, and sophisticated credential-harvesting kits.