Cybersecurity researchers warn of a new campaign that has targeted Portuguese-speaking users in Brazil since January 2025, using fake emails and Dropbox links to distribute malicious RMM software. The attackers mainly target high-level employees across various sectors and exploit free trial periods of remote management tools to gain unauthorized access. (Affected: Brazilian organizations and systems)
Key points:
- Cybercriminals are distributing malicious remote monitoring and management (RMM) software through spam campaigns in Brazil.
- The spam messages impersonate financial and telecom institutions, using Brazilian electronic invoice (NF-e) themes to lure victims.
- Attackers utilize specially crafted emails with Dropbox links leading to malicious binaries, including RMM tools like N-able RMM and PDQ Connect.
- Extended remote capabilities of these RMM tools allow attackers to install additional malware such as ScreenConnect.
- The campaign primarily targets C-level executives and financial, HR, educational, and government organizations.
- Threat actors exploit free trial versions of RMM tools, often using initial access brokers to gain unauthorized entry.
- The abuse of signed RMM software and trial versions facilitates stealthy backdoor access, complicating detection efforts.
Read More: https://thehackernews.com/2025/05/initial-access-brokers-target-brazil.html