A sophisticated spam campaign targeting Brazilian organizations has emerged, exploiting legitimate Remote Monitoring and Management (RMM) tools to gain unauthorized access to corporate networks.
Discovered in early 2025, this attack campaign specifically targets Portuguese-speaking users through deceptive emails that trick victims into installing commercial RMM software, effectively granting attackers complete control over compromised systems.
The attackers leverage Brazil’s electronic invoice system (NF-e) as a social engineering lure, crafting convincing spam messages that appear to originate from financial institutions or telecommunications providers regarding overdue payments or electronic receipts.
These malicious communications contain hyperlinks directing victims to Dropbox-hosted files containing installer binaries for legitimate RMM tools.
The filenames consistently incorporate “NFe” references to maintain the illusion of legitimacy, with examples including “NOTA_FISCAL_NFe_.exe” and “Boleto_NFe_.exe”.
Most concerning is the campaign’s strategic targeting approach, which primarily focuses on C-level executives and employees working in financial and human resources departments across multiple industries.
Educational and government institutions have also appeared on the target list, indicating a methodical victim selection process designed to maximize potential financial gain or data access.
Cisco Talos researchers identified that the threat actors are abusing commercial remote monitoring applications including PDQ Connect and N-able Remote Access (formerly associated with SolarWinds).
These applications provide comprehensive remote control capabilities that, while intended for legitimate IT management, become powerful backdoors when deployed by malicious actors.
Analysis of the attack patterns strongly suggests the operation is run by initial access brokers (IABs) – criminal entities specializing in network compromise who subsequently sell that access to other threat actors, including ransomware operators and advanced persistent threat groups.
Evidence indicates the attackers are exploiting the 15-day free trial periods of these RMM solutions, creating multiple trial accounts using disposable email addresses to maintain operational continuity.
Infection Mechanism and Technical Analysis
The infection chain begins when targets receive seemingly legitimate financial notifications containing Dropbox links.
Upon clicking these links, victims download what appears to be invoice-related software but actually installs legitimate RMM tools configured with attacker-controlled parameters.
The campaign is particularly effective because the deployed software is digitally signed by recognized vendors, helping it bypass standard security controls.
When examining the network traffic generated by these RMM tools, investigators discovered communications disguised as regular business traffic, using HTTPS connections to legitimate domains such as “upload1.am.remote.management” that belong to the RMM provider’s infrastructure.
This complicates detection since the traffic appears legitimate and connects to authorized business services rather than known malicious infrastructure.
Cisco Talos analysts noted that this approach provides attackers with a fully-featured backdoor without requiring custom malware development or costly infrastructure investment.
Once installed, these tools grant complete access to the victim machine, including remote desktop capabilities, command execution, screen monitoring, keystroke logging, and unrestricted file system access.
In essence, attackers gain administrator-level control without triggering traditional malware alerts that would normally identify suspicious code.
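As an added example (not from the Talos report or this article), a small Python triage routine that applies the two observables described above, NF-e themed executables fetched from Dropbox and HTTPS beacons to the RMM backend domain, to constructed proxy and connection records; the record field names and the list of hosts cleared to run an RMM agent are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample telemetry (not from the article); field names are assumed.
SAMPLE_EVENTS = [
    {"kind": "download", "host": "fin-ws01",
     "url": "https://www.dropbox.com/s/abc123/NOTA_FISCAL_NFe_.exe?dl=1"},
    {"kind": "download", "host": "hr-ws07",
     "url": "https://www.dropbox.com/s/def456/Boleto_NFe_.exe?dl=1"},
    {"kind": "download", "host": "dev-ws03",
     "url": "https://www.dropbox.com/s/ghi789/NFe_setembro.pdf?dl=1"},
    {"kind": "connection", "host": "fin-ws01", "dest": "upload1.am.remote.management", "port": 443},
    {"kind": "connection", "host": "it-admin01", "dest": "upload1.am.remote.management", "port": 443},
]

# Hosts cleared to run an RMM agent (assumption; populate from asset inventory).
AUTHORIZED_RMM_HOSTS = {"it-admin01"}
# NF-e themed names, as in "NOTA_FISCAL_NFe_.exe" and "Boleto_NFe_.exe".
LURE_FILENAME = re.compile(r"nf-?e", re.IGNORECASE)
FILE_SHARING_HOSTS = {"www.dropbox.com", "dl.dropboxusercontent.com"}
RMM_DOMAINS = ("remote.management",)  # backend named in the article; add other vendors' domains


def is_lure_download(event):
    """Executable with an NF-e themed name fetched from a file-sharing service."""
    if event["kind"] != "download":
        return False
    parsed = urlparse(event["url"])
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    return (parsed.hostname in FILE_SHARING_HOSTS
            and filename.endswith((".exe", ".msi"))
            and LURE_FILENAME.search(filename) is not None)


def is_unsanctioned_rmm_beacon(event, authorized=AUTHORIZED_RMM_HOSTS):
    """HTTPS to an RMM backend from a host not cleared to run an RMM agent."""
    if event["kind"] != "connection" or event["port"] != 443:
        return False
    dest = event["dest"].lower()
    is_rmm = any(dest == d or dest.endswith("." + d) for d in RMM_DOMAINS)
    return is_rmm and event["host"] not in authorized


def triage(events, authorized=AUTHORIZED_RMM_HOSTS):
    """Return (host, reason) pairs; a host with both reasons is the strongest lead."""
    findings = []
    for ev in events:
        if is_lure_download(ev):
            findings.append((ev["host"], "nfe_lure_download"))
        elif is_unsanctioned_rmm_beacon(ev, authorized):
            findings.append((ev["host"], "unsanctioned_rmm_beacon"))
    return findings
```

Because the agent traffic itself is legitimate, the allow-list of RMM-authorized hosts is what turns the domain match into a signal; an unknown workstation that both fetched an NF-e executable and beacons to the backend is the case to escalate first.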
The campaign currently targets Brazil, but security researchers warn that the same tactics could easily be adapted for other regions, representing an evolving threat that leverages legitimate tools to bypass standard security measures.