Spam campaign targeting Brazil abuses Remote Monitoring and Management tools
Essential information
- Published
- 08/05/2025 15:13
- Modified
- 08/05/2025 18:46
- Tags
- 2025-05-08 dropbox initial access broker n-able nf-e pdq connect rmm screen connect spam
- Related entities
- 26 observables, 9 techniques (mitre), 3 others
Description
A spam campaign targeting Brazilian users, particularly C-level executives and financial/HR accounts, has been identified since January 2025. The campaign exploits commercial remote monitoring and management (RMM) tools, specifically PDQ Connect and N-able remote access tools. Attackers use Brazilian electronic invoice system (NF-e) as bait, leading victims to malicious content on Dropbox. The threat actor, likely an initial access broker, abuses free trial periods of RMM tools to gain complete control of target machines. The campaign's objective is to create a network of compromised machines for potential sale to third parties, including ransomware operators and state-sponsored actors. The abuse of commercial RMM tools is increasing due to their digital signatures, full backdoor capabilities, and low cost.