Targeting Brazilian Executives: Initial Access Brokers Exploit NF-e Spam and Authorized RMM Trials


Cybersecurity experts have raised alarms over a new campaign aimed at Portuguese-speaking users in Brazil, distributing trial versions of commercial remote monitoring and management (RMM) software since January 2025.

The campaign employs spam messages, falsely purporting to come from financial institutions or mobile service providers, that warn recipients of overdue bills or outstanding payments. These messages entice users to click on malicious links hosted on Dropbox, which lead to downloading a binary installer for the RMM tool.

Two RMM tools identified in this campaign are N-able RMM Remote Access and PDQ Connect. Both give the operator the ability to read and write files on the infected machine's file system. Following the initial breach, attackers may use that remote access to install additional RMM software, such as ScreenConnect.
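The delivery chain described above (overdue-bill lure, Dropbox-hosted link, RMM installer binary) can be turned into a simple mail-triage check. The following is an added example written for this page, not code from the original report or from any vendor; the Portuguese lure terms, the sample messages and the domain names in them are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Indicators drawn from the campaign description: an overdue-payment lure plus a
# Dropbox-hosted link whose path names an installer. Lure terms are an assumption.
LURE_TERMS = ("overdue", "outstanding payment", "fatura em atraso",
              "pagamento pendente", "boleto vencido")
INSTALLER_EXT = (".exe", ".msi")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def text_and_urls(msg):
    """Concatenate every text part of a parsed message and collect the URLs in it."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode("utf-8", "replace"))
    joined = "\n".join(parts)
    return joined, URL_RE.findall(joined)

def dropbox_host(url):
    """True when the link is hosted on Dropbox (share or direct-download domains)."""
    host = (urlparse(url).hostname or "").lower()
    return host == "dropbox.com" or host.endswith((".dropbox.com", ".dropboxusercontent.com"))

def names_installer(url):
    """Heuristic: the URL path (query string excluded) ends in an installer extension."""
    return urlparse(url).path.lower().endswith(INSTALLER_EXT)

def triage(raw_message):
    """Score one RFC 822 message against the lure-plus-installer pattern."""
    msg = message_from_string(raw_message)
    body, urls = text_and_urls(msg)
    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    reasons = []
    if any(term in haystack for term in LURE_TERMS):
        reasons.append("overdue-payment lure")
    dropbox_urls = [u for u in urls if dropbox_host(u)]
    if dropbox_urls:
        reasons.append("dropbox link")
    if any(names_installer(u) for u in dropbox_urls):
        reasons.append("dropbox-hosted installer")
    # Lure wording combined with a Dropbox-served binary is the campaign's signature.
    if "overdue-payment lure" in reasons and "dropbox-hosted installer" in reasons:
        verdict = "quarantine"
    else:
        verdict = "review" if reasons else "clean"
    return {"verdict": verdict, "reasons": reasons, "urls": urls}

# Constructed sample messages (sender, recipient and link are placeholders).
SAMPLE_PHISH = """\
From: Cobranca <billing@bank-lookalike.test>
To: cfo@victim.example
Subject: Fatura em atraso - pagamento pendente

Sua fatura esta vencida. Baixe o boleto atualizado em:
https://www.dropbox.com/s/abc123/Fatura_Atualizada.exe?dl=1
"""
SAMPLE_BENIGN = """\
From: colleague@victim.example
To: cfo@victim.example
Subject: Q3 planning notes

Slides are in the shared drive: https://docs.example.test/q3-notes
"""
```

A "review" verdict covers messages that hit only one indicator, so legitimate Dropbox links or genuine billing reminders are flagged for a human rather than dropped.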

The campaign appears to predominantly affect C-level executives and financial and human resources personnel across various sectors, including educational and government institutions. Researchers assess with high confidence that the activity is driven by an initial access broker (IAB) abusing the free trial periods of various RMM programs to gain unauthorized access. In response, N-able has disabled the affected trial accounts.

Adversaries are increasingly misusing commercial RMM tools. These applications are typically digitally signed by recognized vendors, which helps them pass security controls, and they function as fully featured backdoors. Because vendors often provide them free of charge during trial periods, the cost to the attacker is minimal.

This development coincides with a rise in phishing campaigns designed to evade contemporary security defenses while disseminating a variety of malware or harvesting victims’ credentials. This includes a campaign by the South American cybercrime group Hive0148, focusing on the distribution of the Grandoreiro banking trojan among users in Mexico and Costa Rica.

Additionally, other phishing campaigns involve legitimate file-sharing services to bypass security measures, employing tactics such as sales order-themed lures to deliver Formbook malware via vulnerable Microsoft Word documents.

Researchers also identified campaigns targeting organizations in Spain, Italy, and Portugal that utilize invoice-related themes to deploy a Java-based remote access trojan named Ratty RAT, which can execute remote commands, log keystrokes, capture screenshots, and extract sensitive information.

The continuous evolution of tactics by attackers to circumvent modern email and endpoint security measures highlights the challenge of detecting and mitigating phishing attempts. Despite advancements in cybersecurity technologies, many phishing campaigns still manage to infiltrate users’ inboxes, underscoring the persistent need for robust security practices and awareness.