Ransomware gangs are using employee monitoring software as a springboard for cyber attacks
Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp
Hackers are targeting a popular workforce monitoring tool and using it as a basis for ransomware attacks.
Net Monitor for Employees Professional is a staff productivity tracking tool from NetworkLookout, with features including reverse shell connections, remote desktop control, file management, and the ability to customize service and process names during installation.
In late January and early February, Huntress said its Tactical Response team spotted two separate intrusions in which threat actors chained Net Monitor with SimpleHelp in attempted ransomware attacks.
SimpleHelp is a legitimate remote monitoring and management (RMM) platform widely used by IT teams and managed service providers.
"Shared infrastructure, overlapping IOCs, and consistent tradecraft across both cases strongly suggest a single threat actor or group behind this activity," researchers said.
The threat actors used Net Monitor for Employees as a primary remote access channel, with SimpleHelp used as a redundant persistence layer. This allowed them to blend in with normal traffic, ultimately leading to the attempted – but on these occasions unsuccessful – deployment of Crazy ransomware.
"Threat actors leveraged this capability for hands-on-keyboard reconnaissance, additional tooling delivery, and deploying secondary remote access channels, effectively turning an employee monitoring tool into a fully functional RAT (remote access trojan)," said the team.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
In the first case, it's not clear how the attackers gained initial access, but they went on to start trawling around user accounts and attempting to change passwords and create new user accounts. Huntress spotted Net Monitor for Employees' terminal pulling down a file via PowerShell that turned out to be SimpleHelp.
Luckily, attempts to tamper with Windows Defender and deploy multiple versions of Crazy ransomware failed.
In the second case, a threat actor leveraged a compromised vendor's SSL VPN account to gain initial access, then launching an interactive PowerShell session to begin staging their tooling.
They installed SimpleHelp and configured it to monitor for certain keywords.
"Interestingly enough, the SimpleHelp agent was also configured with keyword-based monitoring triggers via GlobalEvents, revealing the threat actor's financial motivation," said the team.
These included wallet services (metamask, exodus, wallet, blockchain), exchanges (binance, bybit, kucoin, bitrue, poloniex, bc.game, noones), blockchain explorers (etherscan, bscscan), and the payment platform payoneer.
How enterprises can shore up defenses
Huntress recommends the use of multi-factor authentication (MFA) on all remote access services, administrative accounts, and external-facing applications and adopting the principle of least privilege.
Networks should be logically separated to prevent lateral movement and all external-facing applications and devices - especially VPN and RDP gateways - should be patched immediately and monitored for anomalous login attempts.
Similarly, third-party software should be regularly audited, with user permissions limited. Elsewhere, Huntress said enterprises should be monitoring for unusual process execution chains and configure alerts for any attempts to modify or disable security software.
Huntress warned these cases highlight a growing trend of threat actors leveraging legitimate, commercially available software to blend into enterprise environments.
"Net Monitor for Employees Professional, while marketed as a workforce monitoring tool, provides capabilities that rival traditional remote access trojans: reverse connections over common ports, process and service name masquerading, built-in shell execution, and the ability to silently deploy via standard Windows installation mechanisms," they wrote.
"When paired with SimpleHelp as a secondary access channel, complete with keyword-based monitoring triggers targeting cryptocurrency activity, the result is a resilient, dual-tool foothold that is difficult to distinguish from legitimate administrative software."
FOLLOW US ON SOCIAL MEDIA
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
AWS hits back at EU cloud 'gatekeeper' designation hintsNews Gatekeeper designation under the legislation would force AWS and Microsoft to make concessions
-
Is the Top500 meaningless? Not so, says US national laboratory CTOIn-depth LINPACK may measure only one process, but there are real and meaningful use cases for exascale systems
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation
-
Security leaders overconfident about ransomware recoveryNews Few manage to recover all their data, and many experience business disruption
-
German authorities want your help finding the hackers behind GandCrab and REvilNews Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk are believed to have made millions from ransomware as a service schemes
-
The rise of teen hackers ‘makes for a good headline’, but cyber crime activities peak later in lifeNews With family responsibilities and mortgages to pay, it's not teenagers dishing out malware or carrying out cyber extortion
