Article Details

Scrape Timestamp (UTC): 2025-05-09 11:40:42.313

Source: https://thehackernews.com/2025/05/initial-access-brokers-target-brazil.html

Original Article Text


Initial Access Brokers Target Brazil Execs via NF-e Spam and Legit RMM Trials

Cybersecurity researchers are warning of a new campaign that has been targeting Portuguese-speaking users in Brazil with trial versions of commercial remote monitoring and management (RMM) software since January 2025. "The spam message uses the Brazilian electronic invoice system, NF-e, as a lure to entice users into clicking hyperlinks and accessing malicious content hosted in Dropbox," Cisco Talos researcher Guilherme Venere said in a Thursday report.

The attack chains begin with specially crafted spam emails that claim to originate from financial institutions or cell phone carriers, warning of overdue bills or outstanding payments in order to trick users into clicking on bogus Dropbox links that point to a binary installer for the RMM tool. Two notable RMM tools observed are N-able RMM Remote Access and PDQ Connect, granting attackers the ability to read and write files on the remote file system. In some cases, the threat actors then use the remote capabilities of these agents to download and install additional RMM software such as ScreenConnect after the initial compromise.

Based on the common recipients observed, the campaign has been found to mainly target C-level executives and financial and human resources accounts across several industries, including some educational and government institutions. It has also been assessed with high confidence that the activity is the work of an initial access broker (IAB) that is abusing the free trial periods associated with various RMM programs to gain unauthorized access. N-able has since taken steps to disable the affected trial accounts.

"Adversaries' abuse of commercial RMM tools has steadily increased in recent years," Venere said. "These tools are of interest to threat actors because they are usually digitally signed by recognized entities and are a fully featured backdoor. They also have little to no cost in software or infrastructure, as all of this is generally provided by the trial version application."

The development comes amid the emergence of various phishing campaigns that are engineered to sidestep modern defenses and propagate a wide range of malware families, or collect victims' credentials. "Attackers continuously evolve tactics to bypass modern email and endpoint security solutions, making detecting and mitigating phishing attempts increasingly difficult," Intezer researcher Yuval Guri noted last month. "And despite advancements in cybersecurity tools, many phishing campaigns still successfully reach users' inboxes."
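The chain described in the report (an RMM agent started from a downloaded installer, then a second RMM family such as ScreenConnect pushed through the first) can be turned into host-level detection logic. The Python below is an added example, not code from Talos, N-able or any other vendor; the binary-name patterns, per-host allowlist, parent process names and sample process events are constructed assumptions, not verified product paths.

```python
import json
from datetime import datetime, timedelta

# Substring patterns per RMM family named in the report (assumed, not verified
# product binary names; tune to the image paths your EDR actually records).
RMM_FAMILIES = {
    "n-able": ("n-able",),
    "pdq-connect": ("pdqconnect",),
    "screenconnect": ("screenconnect",),
}
APPROVED = {"IT-ADMIN-01": {"pdq-connect"}}   # licensed RMM per host (constructed)
FOLLOW_ON_WINDOW = timedelta(hours=24)

def classify(image_path):
    """Map a process image path to an RMM family, or None if not an RMM."""
    p = image_path.lower()
    return next((f for f, needles in RMM_FAMILIES.items()
                 if any(n in p for n in needles)), None)

def detect(event_lines):
    """Consume JSON process events {ts, host, image, parent}; return findings."""
    findings, first_seen = [], {}          # first_seen[host] = (ts, family)
    for line in event_lines:
        ev = json.loads(line)
        fam = classify(ev["image"])
        if fam is None or fam in APPROVED.get(ev["host"], set()):
            continue                       # not an RMM, or sanctioned here
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        # An RMM started from a user's Downloads folder is the lure stage.
        sev = "high" if "\\downloads\\" in ev["image"].lower() else "medium"
        reason = f"unsanctioned RMM {fam} spawned by {ev['parent']}"
        prior_ts, prior_fam = first_seen.setdefault(host, (ts, fam))
        # A different RMM family soon after the first matches the documented
        # follow-on install (ScreenConnect pushed through the first agent).
        if prior_fam != fam and ts - prior_ts <= FOLLOW_ON_WINDOW:
            sev, reason = "critical", f"second RMM {fam} after {prior_fam}"
        findings.append((sev, host, fam, reason))
    return findings

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ts": "2025-02-03T13:02:11", "host": "HR-LAPTOP-07", "parent": "chrome.exe",
     "image": r"C:\Users\ana\Downloads\N-able_RemoteAccess_Setup.exe"},
    {"ts": "2025-02-03T14:40:00", "host": "HR-LAPTOP-07", "parent": "NableAgent.exe",
     "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"ts": "2025-02-04T09:00:00", "host": "IT-ADMIN-01", "parent": "services.exe",
     "image": r"C:\Program Files\PDQ\PDQConnectAgent.exe"},
]]
```

Running `detect(SAMPLE_EVENTS)` yields a high-severity finding for the downloaded N-able installer and a critical one for the ScreenConnect agent that follows it on the same host, while the licensed PDQ Connect agent on the admin workstation is left alone.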

Daily Brief Summary

CYBERCRIME // Initial Access Brokers Abuse RMM Software to Target Brazilian Execs

Cybersecurity experts have identified a new cybercrime campaign targeting Portuguese-speaking executives in Brazil, leveraging RMM software trials since January 2025.

Attack vectors include phishing emails disguised as communications from financial institutions or mobile carriers, using the Brazilian NF-e electronic invoice system as bait.

The emails contain malicious Dropbox links that trick victims into installing trial versions of legitimate RMM tools like N-able RMM Remote Access and PDQ Connect, enabling remote file access.

After the initial compromise, attackers can install secondary RMM software, such as ScreenConnect, to maintain and expand their control over the victim's systems.

Predominantly, C-level executives and departments like finance and human resources across various sectors, including education and government, are being targeted.

The malicious use of RMM tool trials by initial access brokers suggests a strategic abuse of these platforms to facilitate unauthorized access and control.

N-able has responded by disabling the compromised trial accounts associated with this scheme.

The situation highlights ongoing challenges in detecting and preventing phishing campaigns despite advancements in cybersecurity defenses.