In a newly published threat report, Cisco Talos has revealed an ongoing spam campaign targeting Portuguese-speaking users in Brazil, aiming to install legitimate, but abused, remote monitoring and management (RMM) tools like N-able Remote Access and PDQ Connect. These tools, originally designed for IT support, are now being weaponized to grant attackers full access to infected machines.
The infection chain begins with convincing phishing emails masquerading as overdue bills or electronic payment receipts (NF-e) from banks and telecom providers. Victims are lured into downloading malicious .exe installers from Dropbox links, with filenames such as:
- AGENT_NFe_<random>.exe
- NOTA_FISCAL_NFe_<random>.exe
- Boleto_NFe_<random>.exe
These executables are designed to appear legitimate, but actually deploy powerful RMM tools upon execution.

The campaign primarily targets C-level executives and financial or HR personnel across a range of sectors, including education and government. This strategic targeting hints at the work of initial access brokers (IABs), whose goal is to breach organizations and sell access to other cybercriminals.
"This is consistent with actions of initial access broker (IAB) groups… who may sell their services to any threat actors, including state-sponsored actors," Cisco Talos noted.
Once installed, tools like N-able Remote Access provide the threat actor with an extensive feature set:
- Remote desktop and shell access
- Keystroke logging
- File manager to upload/download data
- Screen streaming
- Remote command execution
These features are available even in the trial versions, and Talos confirmed that attackers rely on free trials, often registered using Gmail, Proton Mail, or compromised email accounts.
The RMM traffic blends in with legitimate HTTPS activity, making detection difficult. For example, N-able connects through domains hosted on Amazon Web Services, such as:
- hxxps://upload1[.]am[.]remote[.]management/
- hxxps://upload2[.]am[.]remote[.]management/
"The network traffic these tools create is also disguised as regular traffic… hosted on Amazon Web Services (AWS)," the report explained.
Because the domain structure remains the same for all customers and only user credentials differ, attribution becomes extremely difficult.
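As an added illustration (not code from the Talos report or this article), the Python below turns the two observables the article gives, the NF-e lure filename pattern and the shared am.remote.management relay hosts, into a small detection pass over proxy-log lines and process-start events; the log format, the sample log lines and the process events are constructed assumptions.

```python
import re
from collections import namedtuple
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Indicators from the Talos report as summarised above, refanged so they can be matched.
# These relay hosts are shared by every N-able customer, so a hit means "an N-able agent
# is talking out", not "malware": allow-list the clients your own IT team sanctions.
RMM_RELAY_SUFFIXES = ("am.remote.management",)
# Lure installers: AGENT_NFe_<random>.exe, NOTA_FISCAL_NFe_<random>.exe, Boleto_NFe_<random>.exe
LURE_NAME_RE = re.compile(r"^(?:AGENT|NOTA_FISCAL|Boleto)_NFe_[A-Za-z0-9]+\.exe$", re.IGNORECASE)

Finding = namedtuple("Finding", "source indicator detail")  # source is "proxy" or "process"

def is_rmm_relay(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in RMM_RELAY_SUFFIXES)

def check_proxy_line(line: str) -> Optional[Finding]:
    """Proxy log format assumed here: '<ts> <client_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    client, parsed = parts[1], urlparse(parts[3])
    host = parsed.hostname or ""
    if is_rmm_relay(host):
        return Finding("proxy", host, f"{client} reached an N-able relay host")
    filename = parsed.path.rsplit("/", 1)[-1]
    if LURE_NAME_RE.match(filename):
        return Finding("proxy", filename, f"{client} fetched a lure-named installer from {host}")
    return None

def check_process_event(image_path: str, parent: str) -> Optional[Finding]:
    """Flag a started executable whose basename follows the lure naming convention."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1]
    if LURE_NAME_RE.match(name):
        return Finding("process", name, f"lure-named NF-e installer started by {parent}")
    return None

def scan(proxy_log: str, process_events: List[Tuple[str, str]]) -> List[Finding]:
    hits = [f for f in map(check_proxy_line, proxy_log.splitlines()) if f]
    return hits + [f for f in (check_process_event(p, q) for p, q in process_events) if f]

# Constructed sample telemetry (not from the report) so the script runs stand-alone.
PROXY_LOG = """\
2024-05-02T13:01:07Z 10.1.4.22 GET https://www.dropbox.com/s/x1y2z3/NOTA_FISCAL_NFe_8821.exe?dl=1 200
2024-05-02T13:02:45Z 10.1.4.22 POST https://upload1.am.remote.management/ 200
2024-05-02T13:02:50Z 10.1.4.9 GET https://example.org/index.html 200"""
PROCESS_EVENTS = [("C:\\Users\\ana\\Downloads\\AGENT_NFe_1f3a9c.exe", "outlook.exe"),
                  ("C:\\Windows\\System32\\svchost.exe", "services.exe")]
```

Calling scan(PROXY_LOG, PROCESS_EVENTS) on the sample data yields three findings: the lure download, the relay connection from the same client, and the lure executable started from the mail client.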
With low cost, high capabilities, and strong digital signatures, RMM tools have become a backdoor of convenience. "Talos expects these tools to become even more common in attacks," the report concluded.