Do Son 
N-able file manager
Since the beginning of 2025, Cisco Talos specialists have been tracking a new malicious campaign targeting Portuguese-speaking users in Brazil. The attackers are leveraging trial versions of legitimate remote monitoring and management (RMM) software to establish persistent and inconspicuous control over victims’ devices.
Cybercriminals distribute fraudulent emails crafted to resemble overdue payment notices from financial institutions and mobile service providers. These messages incorporate elements of Brazil’s widely used electronic invoicing system, NF-e, lending them a convincing appearance. Within the body of each message lies a Dropbox-hosted link—leading, in reality, to an installer for remote administration software.
The attackers primarily employ tools such as N-able RMM Remote Access and PDQ Connect. Once installed, these utilities grant the adversaries the ability to read from and write to infected systems. In some stages of the campaign, additional RMM programs—such as ScreenConnect—are deployed to further deepen their control.
The investigation revealed that the campaign specifically targets personnel in finance, human resources, and management departments, including executive leadership. Victims span both private-sector organizations and governmental and academic institutions. All signs point to the operation of an initial access broker (IAB), exploiting free trial versions of RMM tools to infiltrate corporate networks. In response, N-able has since deactivated the compromised trial accounts.
The principal danger of this method lies in its subtlety: the software is digitally signed by reputable vendors, rendering it virtually invisible to conventional security solutions. Moreover, the cost to the attackers is negligible, as the entire toolkit is legally provided under trial licenses by the software vendors themselves.
Despite advances in cybersecurity, phishing campaigns continue to slip past filters and reach inboxes. Threat actors relentlessly refine their techniques, and the use of legitimate software as a Trojan horse makes these attacks particularly difficult to detect.
Donate