{"id":15793,"date":"2026-02-13T02:25:19","date_gmt":"2026-02-13T02:25:19","guid":{"rendered":"https:\/\/newestek.com\/?p=15793"},"modified":"2026-02-13T02:25:19","modified_gmt":"2026-02-13T02:25:19","slug":"hackers-turn-bossware-against-the-bosses","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15793","title":{"rendered":"Hackers turn bossware against the bosses"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>A threat actor is abusing an employee monitoring application and a remote monitoring and management platform in an attempt to deploy ransomware and steal cryptocurrency.<\/p>\n<p><a href=\"https:\/\/www.huntress.com\/blog\/employee-monitoring-simplehelp-abused-in-ransomware-operations\" target=\"_blank\" rel=\"noreferrer noopener\">According to researchers at Huntress<\/a>, the unknown threat actor is leveraging NetworkLookout\u2019s Net Monitor for Employees Professional \u2013 which, despite its name, includes remote access tools \u2013 and SimpleHelp, a suite of tools\u00a0commonly used by IT teams and managed service providers for remote monitoring and management.<\/p>\n<p>These applications might already be in use in an IT environment, or are downloaded by the attacker once they get network access.<\/p>\n<p>In one case, the attack chain culminated in an attempted deployment of Crazy ransomware. In another, the combination of applications was used to hunt for cryptocurrency-related keywords on the victim\u2019s compromised computer.<\/p>\n<p>The combination of these two applications is unique, says Huntress, although SimpleHelp has a history of being abused by hackers as a post-exploitation persistence mechanism. 
It offers a lightweight agent, support for gateway redundancy, and ability to operate over common ports. Net Monitor for Employees, whose purpose is to catch employees wasting work time on illegal activity, is used here as a primary remote access channel. To a threat actor, it offers reverse connections over common ports, process and service name masquerading, built-in shell execution, and the ability to silently deploy via standard Windows installation mechanisms.<\/p>\n<p><a href=\"https:\/\/www.huntress.com\/authors\/anna-pham\" target=\"_blank\" rel=\"noreferrer noopener\">Anna Pham<\/a>, a Huntress senior tactical response analyst, called the combination of the two applications for attacks \u201cdangerous,\u201d particularly because in one case the threat actor got access to the victim\u2019s IT infrastructure through a vendor\u2019s compromised VPN account.<\/p>\n<p>Using applications and tools already on the network that might appear legitimate to IT to disguise attacks, also known as a \u2018living off the land\u2019 strategy, is \u201cvery clever and sneaky,\u201d she added.<\/p>\n<h2 class=\"wp-block-heading\" id=\"two-attacks-discovered\">Two attacks discovered<\/h2>\n<p>Huntress discovered two incidents using this tactic, one late in January and one early this month. Shared infrastructure, overlapping indicators of compromise, and consistent tradecraft across both cases make Huntress strongly believe a single threat actor or group was behind this activity.<\/p>\n<p>In the first case, Huntress detected suspicious account manipulation on a customer\u2019s computer via Net Monitor For Employees, which included attempts to reset passwords and create additional accounts. The application was already in use in the environment.<\/p>\n<p>How the attacker got into Net Monitor isn\u2019t clear. 
But their next step was to use it to download the SimpleHelp remote management agent, which was used to execute a number of commands, including tampering with Windows Defender to evade detection. That was unsuccessful, but it didn\u2019t stop the threat actor from then trying to deploy the Crazy strain of ransomware.<\/p>\n<p>In the second case, also involving a Huntress customer, the threat actor leveraged a compromised vendor\u2019s SSL VPN account for initial access to the IT network. It isn\u2019t known how the threat actor got hold of the vendor\u2019s credentials. But once inside, the hacker used Windows Remote Desktop Protocol (RDP) to install the Net Monitor for Employees Professional agent through PowerShell. The agent was then disguised as a legitimate system process with a name that mimicked Microsoft\u2019s OneDrive service. <\/p>\n<p>Shortly after that, the threat actor installed SimpleHelp as an additional persistent remote access channel. The SimpleHelp agent was also configured with monitoring triggers for cryptocurrency-related keywords, as well as searching for remote access tool keywords to determine whether anyone else was connecting to the compromised machine. The threat actor also used Net Monitor for network reconnaissance on a compromised domain controller.<\/p>\n<h2 class=\"wp-block-heading\" id=\"ensure-these-risks-are-catalogued\">Ensure these risks are catalogued<\/h2>\n<p><a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noreferrer noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute, said this report is an example of how corporate IT teams build infrastructure that attackers then abuse. It\u2019s known that employee monitoring software and security software have been misused like this in the past, he said. 
<\/p>\n<p>He pointed out that software including agents that reach out to remote systems to collect data can often execute code on those systems, so they can investigate suspect activity. But, he warned, if not properly controlled, they can be abused by an attacker to execute malicious code.<\/p>\n<p>\u201cCSOs must ensure that these risks are properly catalogued and mitigated,\u201d he said. \u201cAny actions performed by these agents must be monitored and, if possible, restricted. The abuse of these systems is a special case of \u2018living off the land\u2019 attacks. The attacker attempts to abuse valid existing software to perform malicious actions. This abuse is often difficult to detect.\u201d<\/p>\n<p>Asked for comment on the report, a spokesperson for NetworkLookout, the parent company of Net Monitor, noted in an email that the Net Monitor for Employees Agent can be installed only by a user who already has administrative privileges on the computer where the agent is to be installed. Without administrative privileges, the spokesperson added, \u201cinstallation isn\u2019t possible.\u201d<\/p>\n<p>\u201cSo,\u201d the spokesperson concluded, \u201cif you don\u2019t want our software installed on a computer, please ensure that administrative access is not granted to unauthorized users.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"what-csos-should-do\">What CSOs should do<\/h2>\n<p>Huntress analyst Pham said that, to defend against attacks combining Net Monitor for Employees Professional and SimpleHelp, infosec pros should inventory all applications so unapproved installations can be detected. 
Legitimate apps should be protected with robust identity and access management solutions, including multi-factor authentication.<\/p>\n<p>Net Monitor for Employees should only be installed on endpoints that don\u2019t have full access privileges to sensitive data or critical servers, she added, because it has the ability to run commands and control systems.<\/p>\n<p>She also noted that Huntress sees a lot of rogue remote management tools on its customers\u2019 IT networks, many of which have been installed by unwitting employees clicking on phishing emails. This points to the importance of security awareness training, she said.<\/p>\n<p>Infosec leaders should also note that in June 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that ransomware operators had <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa25-163a\" target=\"_blank\" rel=\"noreferrer noopener\">leveraged unpatched instances of a vulnerability<\/a> in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. The advisory also provided advice on how to mitigate the risks, noting, \u201cThis incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A threat actor is abusing an employee monitoring application and a remote monitoring and management platform in an attempt to deploy ransomware and steal cryptocurrency. 
According to researchers at Huntress, the unknown threat actor is leveraging NetworkLookout\u2019s Net Monitor for Employees Professional \u2013 which, despite its name, includes remote access tools \u2013 and SimpleHelp, a suite of tools\u00a0commonly used by IT teams and managed service&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15793\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15793","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15793","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15793"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15793\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15793"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15793"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}