Hackers Abuse Legitimate NinjaOne RMM Software in Brazilian Phishing Campaign
Hackers are abusing legitimate NinjaOne Remote Monitoring and Management software in a phishing campaign targeting Brazilian organizations. Instead of dropping traditional malware, the attackers trick users into installing a real enterprise remote management agent configured for attacker-controlled access.
A new Cato CTRL report says the campaign uses Portuguese-language phishing pages, fake fiscal document workflows, and anti-analysis checks to reach real victims while keeping researchers and automated scanners away.
The attack shows why security teams cannot rely only on malware detection. NinjaOne is a legitimate IT management platform, and NinjaOne Remote is designed to let administrators connect to endpoints remotely. In the wrong hands, that same trust can give attackers a quiet path into a company device.
Phishing Campaign Targets Brazilian Business Workflows
The campaign starts with phishing emails that point victims to document-themed pages in Portuguese. The lures imitate normal business tasks, including fiscal records, supplier communications, complaint-management portals, and secure document downloads.
Cato said the observed victim belonged to the chemicals and advanced materials sector, but the same lure could work across finance, procurement, accounting, and administrative teams. These employees often handle invoices, tax files, supplier documents, and protected business correspondence, which makes the fake portal feel routine.
The attackers also used a Googleusercontent-based redirection chain before sending victims to the phishing page. This extra step can make blocking and infrastructure tracking harder because the first visible hop can look like trusted third-party infrastructure.
| Stage | What the victim sees | What the attacker gains |
|---|---|---|
| Phishing email | A link to a business document or fiscal file | Initial access through social engineering |
| Fake portal | A Portuguese-language document verification page | Victim trust and interaction signals |
| Download step | A file that appears tied to a fiscal document | Delivery of a legitimate NinjaOne RMM installer |
| Installation | Software supposedly needed to open the document | Remote access to the endpoint |
Why NinjaOne Abuse Can Evade Traditional Detection
The downloaded file observed by researchers used the name NinjaOne-Agent-DocumentoFiscal21782856920262001238-Sede-Auto-x86-64. The filename keeps the fiscal document theme alive and reduces the chance that a victim will question the installation.
Once installed, the attacker-controlled agent can provide remote access capabilities through a trusted platform. The official NinjaOne Remote product page describes remote access as a way to connect to endpoints, protect sessions with encryption and MFA, and resolve issues remotely.

That makes the campaign part of a wider trend known as living off trusted tools. The software itself does not need to be malicious for the activity to become dangerous. Attackers can use a legitimate tool to monitor systems, run commands, move files, deploy additional software, and maintain access.
- The installer comes from a legitimate remote management ecosystem.
- Security tools may treat the software as normal business software.
- The victim may install it willingly after phone-based or portal-based social engineering.
- The attacker can gain capabilities similar to a remote IT administrator.
Attackers Used Anti-Analysis Checks to Filter Visitors
The phishing infrastructure did not deliver the payload to every visitor. The campaign used geofencing, browser fingerprinting, sandbox checks, and user activity validation to decide whether a visitor looked like a real Brazilian target.
The Cato CTRL analysis says payload delivery was restricted to visitors from Brazilian IP ranges during testing. The infrastructure also tracked mouse movement, scrolling, touch interactions, and other activity that could separate real users from bots.
Researchers also found Portuguese-language comments in the JavaScript code, including a note that translates to “The bot filled the honeypot.” That detail shows the operators expected analysis attempts and designed the site to block them.
Remote Access Tool Abuse Is a Known Security Problem
MITRE ATT&CK tracks this behavior under Remote Access Software, also known as technique T1219. The technique covers adversaries using legitimate remote access tools to establish interactive command and control inside a network.
A joint advisory from CISA, NSA, and MS-ISAC previously warned that malicious actors can abuse legitimate RMM software for persistence and command and control after gaining access through phishing or other methods.

The NinjaOne campaign follows that pattern closely. It does not depend on a software exploit. It depends on convincing a user that installing a remote management agent is part of a normal document-access process.
| Legitimate RMM use | Attacker abuse |
|---|---|
| Remote troubleshooting | Interactive access to the victim’s computer |
| Software deployment | Installation of additional tools |
| Asset inventory | Reconnaissance of systems and users |
| Automation and scripting | Execution of attacker-controlled tasks |
| File transfer | Movement of tools or stolen data |
Brazil-Focused Lures Used Fiscal and Complaint Themes
The campaign used domains and page themes that resembled Brazilian services and workflows. Researchers identified domains impersonating SEFAZ, Brazil’s state finance authority system, and Reclame Aqui, a widely known Brazilian consumer complaint platform.
These themes can work because they fit daily work patterns. A finance employee may expect fiscal documents. A procurement team may receive supplier files. An administrative employee may handle complaints or protected correspondence.
Researchers also found possible infrastructure overlap with Venon RAT activity targeting Brazilian users, but the evidence was not strong enough for definitive attribution. The more important point for defenders is operational: the campaign combines localized phishing, legitimate software abuse, and selective payload delivery.
Indicators Reported by Researchers
| Type | Indicator | Description |
|---|---|---|
| Domain | r64[.]org | Attacker-controlled phishing infrastructure |
| Domain | hairdb[.]com | Attacker-controlled phishing infrastructure |
| Domain | lazybearpottery[.]net | Attacker-controlled phishing infrastructure |
| Domain | rectalmania[.]com | Attacker-controlled phishing infrastructure |
| Domain | sefaz[.]services | Phishing domain impersonating a Brazilian fiscal workflow |
| Domain | reclameaqui[.]services | Phishing domain impersonating a Brazilian complaint workflow |
| File name | NinjaOne-Agent-DocumentoFiscal21782856920262001238-Sede-Auto-x86-64 | NinjaOne installer disguised as a fiscal document |
How Organizations Can Reduce the Risk
Companies should treat unexpected RMM installations as high-priority alerts, especially when the user says they installed software to access a document, invoice, tax record, supplier file, or complaint notice.
The CISA advisory recommends monitoring for unauthorized RMM software, reviewing network connections, and applying controls that limit which remote access tools can run in an environment.
Security teams can also map detections to MITRE ATT&CK technique T1219 to make sure alerts cover legitimate remote access software, not just custom malware or known remote access Trojans.
- Keep an approved list of RMM tools and block unapproved agents.
- Alert on new remote access software installations outside IT-managed deployment channels.
- Train finance, procurement, accounting, and administrative users to reject document workflows that require software installation.
- Review endpoint logs for unexpected remote sessions, scripts, file transfers, and agent enrollment events.
- Use phishing-resistant MFA and restrict administrative privileges on user workstations.
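As an added defender-side example (not code from the Cato CTRL report or this article), the triage logic below runs over constructed software-installation records and flags RMM agent installs that bypassed approved deployment channels, scoring them higher when the installer carries a fiscal-document lure name. The RMM product list, channel names, parent process names and the Portuguese keywords other than DocumentoFiscal are assumptions.

```python
import re
from dataclasses import dataclass, field

# Product names an inventory or EDR feed might report for RMM agents.
# NinjaOne is the tool abused in the campaign; the others are assumed examples.
RMM_PRODUCTS = {"ninjaone", "ninjarmm", "anydesk", "atera", "connectwise"}

# Deployment channels the IT team sanctions (assumed names for this example).
APPROVED_CHANNELS = {"intune", "sccm"}

# Lure keywords: "DocumentoFiscal" comes from the observed filename;
# the remaining Portuguese fiscal terms are assumptions.
LURE_RE = re.compile(r"documento\s*fiscal|nota\s*fiscal|fatura|boleto", re.I)

# Parent processes that indicate a user launched the installer by hand.
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

@dataclass
class Finding:
    host: str
    user: str
    severity: str
    reasons: list = field(default_factory=list)

def triage(events):
    """Return one Finding per RMM install that is not a normal IT deployment."""
    findings = []
    for ev in events:
        if ev["product"].lower() not in RMM_PRODUCTS:
            continue  # not a remote management agent, out of scope here
        reasons = []
        if ev["channel"].lower() not in APPROVED_CHANNELS:
            reasons.append(f"unapproved channel: {ev['channel']}")
        if ev["parent"].lower() in USER_PARENTS:
            reasons.append(f"user-driven install via {ev['parent']}")
        lure = LURE_RE.search(ev["installer"]) is not None
        if lure:
            reasons.append("document-themed installer name")
        if reasons:
            findings.append(Finding(ev["host"], ev["user"],
                                    "high" if lure else "medium", reasons))
    return findings

# Constructed sample records: one lure-driven install, one sanctioned
# Intune deployment, one unrelated manual install.
SAMPLE_EVENTS = [
    {"host": "FIN-WS01", "user": "ana.souza", "product": "NinjaOne",
     "installer": "NinjaOne-Agent-DocumentoFiscal21782856920262001238-Sede-Auto-x86-64",
     "parent": "msedge.exe", "channel": "manual"},
    {"host": "IT-WS07", "user": "svc_deploy", "product": "NinjaOne",
     "installer": "NinjaOneAgent-x64.msi",
     "parent": "IntuneManagementExtension.exe", "channel": "intune"},
    {"host": "HR-WS03", "user": "carlos.lima", "product": "Adobe Acrobat Reader",
     "installer": "AcroRdrDC.exe", "parent": "explorer.exe", "channel": "manual"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.severity.upper(), f.host, f.user, "; ".join(f.reasons))
```

Only the finance workstation is reported, at high severity, because it combines an unapproved channel, a browser-launched installer and the fiscal-document filename.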
The campaign underlines a simple security reality. Attackers do not always need malware when they can convince users to install legitimate remote management software for them.
FAQ
It is a Brazil-focused phishing campaign in which attackers trick victims into installing a legitimate NinjaOne Remote Monitoring and Management agent disguised as a fiscal or business document. Once installed, the agent can provide attacker-controlled remote access.
Legitimate RMM software is commonly used by IT teams, so security tools may not flag it as malware. If attackers control the agent, they can gain remote access, run commands, transfer files, deploy tools, and monitor the endpoint.
Researchers observed the campaign targeting Brazilian organizations. The lures focused on business workflows common in finance, procurement, accounting, and administrative roles, including fiscal documents, supplier communications, and complaint-related portals.
The phishing infrastructure used geofencing, browser fingerprinting, sandbox checks, honeypot logic, and user activity validation. During testing, payload delivery was restricted to visitors from Brazilian IP ranges.
Organizations should monitor for unauthorized RMM installations, maintain an approved remote access tool list, alert on unusual agent enrollment, review remote session activity, and train employees not to install software just to access a document.