Cybersecurity researchers have identified a sophisticated campaign targeting Portuguese-speaking users in Brazil, particularly C-level executives and financial and human resources personnel across various industries, including education and government sectors. Since January 2025, this operation has leveraged Brazil’s electronic invoice system, known as Nota Fiscal eletrĂ´nica (NF-e), to distribute trial versions of commercial Remote Monitoring and Management (RMM) software, thereby facilitating unauthorized access to corporate networks.
Attack Methodology
The attack initiates with meticulously crafted phishing emails that appear to originate from reputable financial institutions or telecommunications companies. These emails alert recipients to alleged overdue bills or outstanding payments, compelling them to click on embedded hyperlinks. These links redirect users to malicious content hosted on Dropbox, where they are prompted to download and install binary installers for RMM tools.
Two prominent RMM tools exploited in this campaign are N-able RMM Remote Access and PDQ Connect. Once installed, these tools grant attackers the capability to read and write files on the compromised systems remotely. In certain instances, the adversaries further exploit this access by deploying additional RMM software, such as ScreenConnect, to deepen their infiltration.
Role of Initial Access Brokers
This campaign is attributed to Initial Access Brokers (IABs), cybercriminals who specialize in breaching networks and subsequently selling this unauthorized access to other malicious actors. By abusing the free trial periods associated with various RMM programs, IABs can infiltrate systems without incurring significant costs. N-able has responded by disabling the affected trial accounts to mitigate further exploitation.
Implications and Broader Context
The misuse of legitimate RMM tools by adversaries has been on the rise in recent years. These tools are attractive to threat actors because they are often digitally signed by recognized entities, making them less likely to be flagged by security systems. Additionally, the availability of free trial versions reduces the financial and logistical barriers for cybercriminals.
This development is part of a larger trend involving various phishing campaigns designed to bypass modern defenses and disseminate a wide range of malware families or collect victims’ credentials. For instance, a South American cybercrime group known as Hive0148 has been distributing the Grandoreiro banking trojan to users in Mexico and Costa Rica. Other campaigns have utilized legitimate file-sharing services like GetShared to evade security protections and direct users to malware-hosting links.
Recommendations for Mitigation
To protect against such sophisticated attacks, organizations should implement a multi-layered security approach:
1. Employee Training: Educate staff about recognizing phishing attempts, especially those exploiting familiar systems like NF-e.
2. Email Filtering: Deploy advanced email filtering solutions to detect and block malicious emails before they reach end-users.
3. Access Controls: Limit the use of RMM tools to authorized personnel and monitor their usage closely.
4. Software Management: Regularly update and patch all software to mitigate vulnerabilities that could be exploited by attackers.
5. Incident Response: Develop and regularly test incident response plans to ensure swift action in the event of a security breach.
By adopting these measures, organizations can enhance their resilience against the evolving tactics of cybercriminals and safeguard their critical assets.
