A recent phishing campaign is using a legitimate remote access tool to take over victims’ computers, all without deploying malware. This active operation currently targets Brazilian organizations. Attackers trick employees into installing a legitimate software agent that hands over remote control to threat actors. Read the Cybersecurity Threat Advisory now to mitigate this risk.

What is the threat?

The campaign uses phishing pages tailored to the businesses it targets. It uses trusted local brand names and government service references to appear authentic.

According to analysts, the campaign begins with a phishing email that appears legitimate. The link redirects users through a Google-based relay before sending them to a fake business portal.

The site mimics document-access workflows commonly used by finance and administrative employees. This makes it easier for targets to let their guard down.

Why is it noteworthy?

This attack is particularly dangerous because, after clicking the download link, the victim does not receive a business document. Instead, the victim unknowingly installs a legitimate NinjaOne Remote Monitoring and Management (RMM) agent configured to connect back to attacker-controlled infrastructure.

The phishing infrastructure is also more sophisticated than it initially appears. The pages use browser fingerprinting, sandbox detection, and geofencing to screen out researchers before delivering the payload.

What is the exposure or risk?

So far, the campaign has targeted at least one Brazilian organization specializing in chemicals and advanced materials. However, the social engineering themes used, such as fake fiscal records, supplier documents, and complaint-management portals, are broadly relevant across industries.

Once the victim installs the NinjaOne agent, the attacker gains the same privileges a legitimate IT administrator would have over that endpoint, including the ability to monitor device activity, run remote commands, transfer files, and more.

What are the recommendations?

Barracuda recommends the following actions to mitigate the effects of this phishing campaign:

  • Monitor for unauthorized installations of remote management software, especially when users are asked to install software simply to view a document.
  • Treat unusual requests related to fiscal records, supplier communications, or complaint workflows with caution.
  • Alert employees in finance, procurement, and administrative roles about this phishing campaign and its tactics.
  • Verify unusual emails through a trusted communication channel before taking action.
  • Update your computer’s security software, run a scan, and remove any identified threats.
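
As an illustration of the first recommendation, the following added example (not part of the original advisory and not Barracuda's code) reviews software-install events and flags RMM agents that arrive the way this campaign delivers them. The event field names, the sanctioned product "ExampleRMM", the parent-process list, and the sample events are assumptions constructed for the example.

```python
import json
from pathlib import PureWindowsPath

# Assumptions, not from the advisory: event field names, the hypothetical
# sanctioned product "ExampleRMM", and the list of user-facing parent processes.
RMM_WATCHLIST = ("ninjaone", "examplermm")   # extend with other RMM products
SANCTIONED_RMM = ("examplermm",)             # what IT actually deploys
USER_WRITABLE = {"downloads", "desktop", "temp"}
USER_FACING_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                       "outlook.exe", "explorer.exe"}

# Constructed sample telemetry (JSON lines), one software-install event each.
SAMPLE_EVENTS = r"""
{"host": "FIN-WS-014", "product": "NinjaOne Agent", "installer": "C:\\Users\\m.souza\\Downloads\\documento.msi", "parent": "chrome.exe"}
{"host": "IT-SRV-02", "product": "ExampleRMM Agent", "installer": "C:\\ProgramData\\Deploy\\agent.msi", "parent": "deploy_service.exe"}
{"host": "HR-WS-007", "product": "7-Zip", "installer": "C:\\Users\\j.reis\\Downloads\\7z.exe", "parent": "explorer.exe"}
{"host": "PROC-WS-021", "product": "ExampleRMM Agent", "installer": "C:\\Users\\a.lima\\AppData\\Local\\Temp\\setup.msi", "parent": "outlook.exe"}
"""


def review_install(event):
    """Return the reasons an RMM install event deserves analyst review."""
    product = event["product"].lower()
    if not any(name in product for name in RMM_WATCHLIST):
        return []  # not remote management software, out of scope here
    reasons = []
    if not any(name in product for name in SANCTIONED_RMM):
        reasons.append("RMM product is not the sanctioned one")
    folders = {p.lower() for p in PureWindowsPath(event["installer"]).parts}
    if folders & USER_WRITABLE:
        reasons.append("installer ran from a user-writable folder")
    if event["parent"].lower() in USER_FACING_PARENTS:
        reasons.append("installer was launched from a browser, mail client or shell")
    return reasons


def find_suspicious(lines):
    """Map host -> reasons for every event with at least one finding."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = review_install(event)
        if reasons:
            findings[event["host"]] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in find_suspicious(SAMPLE_EVENTS.splitlines()).items():
        print(f"{host}: " + "; ".join(reasons))
```

The last sample event shows why the delivery path is checked separately from the product name: a sanctioned agent installed from a mail client and a temp folder is still worth reviewing, because the tool itself is legitimate in this campaign.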

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


Posted by Zachary Beaudet

Zachary is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Zachary supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
