Spam campaign targeting Brazil abuses Remote Monitoring and Management tools

May 8, 2025, 6:46 p.m.

Description

A spam campaign targeting Brazilian users, in particular C-level executives and finance and HR staff, has been active since January 2025. Instead of custom malware, it abuses commercial remote monitoring and management (RMM) tools, specifically PDQ Connect and N-able remote access agents. The lure is a fake notification from Brazil's electronic invoice system (NF-e) that leads the victim to a Dropbox-hosted download. The threat actor, likely an initial access broker, signs up for the vendors' free trial periods to obtain agents that give complete remote control of the target machines at no cost. The objective is to build a network of compromised hosts for sale to third parties, including ransomware operators and state-sponsored actors. Abuse of commercial RMM tools is increasing because the agents are digitally signed by a legitimate vendor (so signature-based checks and allow-lists tend to let them through), provide full backdoor capability out of the box, and cost little or nothing. For defenders this means the file hashes below are only a partial control: the same campaign can ship a re-signed or updated agent, so installations of any RMM product the organization has not sanctioned should be alerted on as well.

Date

  • Created: May 8, 2025, 3:13 p.m.
  • Published: May 8, 2025, 3:13 p.m.
  • Modified: May 8, 2025, 6:46 p.m.

Indicators

  • f68ae2c1d42d1b95e3829f08a516fb1695f75679fcfe0046e3e14890460191cf
  • f5efd939372f869750e6f929026b7b5d046c5dad2f6bd703ff1b2089738b4d9c
  • f52b4d81c73520fd25a2cc9c6e0e364b57396e0bb782187caf7c1e49693bebbf
  • ebdefa6f88e459555844d3d9c13a4d7908c272128f65a12df4fb82f1aeab139f
  • e34b8c9798b92f6a0e2ca9853adce299b1bf425dedb29f1266254ac3a15c87cd
  • e2171735f02f212c90856e9259ff7abc699c3efb55eeb5b61e72e92bea96f99c
  • d1efebcca578357ea7af582d3860fa6c357d203e483e6be3d6f9592265f3b41c
  • ca11eb7b9341b88da855a536b0741ed3155e80fc1ab60d89600b58a4b80d63a5
  • c484d3394b32e3c7544414774c717ebc0ce4d04ca75a00e93f4fb04b9b48ecef
  • b53f9c2802a0846fc805c03798b36391c444ab5ea88dc2b36bffc908edc1f589
  • a71e274fc3086de4c22e68ed1a58567ab63790cc47cd2e04367e843408b9a065
  • a2c17f5c7acb05af81d4554e5080f5ed40b10e3988e96b4d05c4ee3e6237c31a
  • 79b041cedef44253fdda8a66b54bdd450605f01bbb77ea87da31450a9b4d2b63
  • 63cde9758f9209f15ee4068b11419fead501731b12777169d89ebb34063467ea
  • 57a90105ad2023b76e357cf42ba01c5ca696d80a82f87b54aea58c4e0db8d683
  • 527a40f5f73aeb663c7186db6e8236eec6f61fa04923cde560ebcd107911c9ff
  • 51fa1d7b95831a6263bf260df8044f77812c68a9b720dad7379ae96200b065dd
  • 4787df4eea91d9ceb9e25d9eb7373d79a0df4a5320411d7435f9a6621da2fd6b
  • 2850a346ecb7aebee3320ed7160f21a744e38f2d1a76c54f44c892ffc5c4ab77
  • 14c1cb13ffc67b222b42095a2e9ec9476f101e3a57246a1c33912d8fe3297878
  • 1182b8e97daf59ad5abd1cb4b514436249dd4d36b4f3589b939d053f1de8fe23
  • 0de612ea433676f12731da515cb16df0f98817b45b5ebc9bbf121d0b9e59c412
  • 080e29e52a87d0e0e39eca5591d7185ff024367ddaded3e3fd26d3dbdb096a39
  • 0759b628512b4eaabc6c3118012dd29f880e77d2af2feca01127a6fcf2fbbf10
  • 03b5c76ad07987cfa3236eae5f8a5d42cef228dda22b392c40236872b512684e
  • 198.45.54.34

Attack Patterns

Additional Information

  • Education
  • Government
  • Brazil