A threat actor is abusing an employee monitoring application and a remote monitoring and management platform in an attempt to deploy ransomware and steal cryptocurrency.
According to researchers at Huntress, the unknown threat actor is leveraging NetworkLookout’s Net Monitor for Employees Professional – which, despite its name, includes remote access tools – and SimpleHelp, a suite of tools commonly used by IT teams and managed service providers for remote monitoring and management.
These applications might already be in use in the target environment, or the attacker downloads them after gaining network access.
In one case, the attack chain culminated in an attempted deployment of Crazy ransomware. In another, the combination of applications was used to hunt for cryptocurrency-related keywords on the victim’s compromised computer.
The combination of these two applications is unique, says Huntress, although SimpleHelp has a history of being abused by attackers as a post-exploitation persistence mechanism: it offers a lightweight agent, support for gateway redundancy, and the ability to operate over common ports. Net Monitor for Employees, which is sold as a way to catch employees wasting work time, is used here as the primary remote access channel. To a threat actor, it offers reverse connections over common ports, process and service name masquerading, built-in shell execution, and the ability to deploy silently via standard Windows installation mechanisms.
Anna Pham, a Huntress senior tactical response analyst, called the combination of the two applications for attacks “dangerous,” particularly because in one case the threat actor got access to the victim’s IT infrastructure through a vendor’s compromised VPN account.
Disguising an attack behind applications and tools that are already on the network and appear legitimate to IT, a strategy also known as ‘living off the land,’ is “very clever and sneaky,” she added.
Two attacks discovered
Huntress discovered two incidents using this tactic, one late in January and one early this month. Shared infrastructure, overlapping indicators of compromise, and consistent tradecraft across both cases make Huntress strongly believe a single threat actor or group was behind this activity.
In the first case, Huntress detected suspicious account manipulation on a customer’s computer via Net Monitor For Employees, which included attempts to reset passwords and create additional accounts. The application was already in use in the environment.
How the attacker got into Net Monitor isn’t clear. But their next step was to use it to download the SimpleHelp remote management agent, which was used to execute a number of commands, including tampering with Windows Defender to evade detection. That was unsuccessful, but it didn’t stop the threat actor from then trying to deploy the Crazy strain of ransomware.
In the second case, also involving a Huntress customer, the threat actor leveraged a compromised vendor’s SSL VPN account for initial access to the IT network. It isn’t known how the threat actor got hold of the vendor’s credentials. But once inside, the hacker used Windows Remote Desktop Protocol (RDP) to install the Net Monitor for Employees Professional agent through PowerShell. The agent was then disguised as a legitimate system process with a name that mimicked Microsoft’s OneDrive service.
Shortly after that, the threat actor installed SimpleHelp as an additional persistent remote access channel. The SimpleHelp agent was also configured with monitoring triggers for cryptocurrency-related keywords, as well as searching for remote access tool keywords to determine whether anyone else was connecting to the compromised machine. The threat actor also used Net Monitor for network reconnaissance on a compromised domain controller.
Ensure these risks are catalogued
Johannes Ullrich, dean of research at the SANS Institute, said this report is an example of how corporate IT teams build infrastructure that attackers then abuse. It’s known that employee monitoring software and security software have been misused like this in the past, he said.
He pointed out that software including agents that reach out to remote systems to collect data can often execute code on those systems, so they can investigate suspect activity. But, he warned, if not properly controlled, they can be abused by an attacker to execute malicious code.
“CSOs must ensure that these risks are properly catalogued and mitigated,” he said. “Any actions performed by these agents must be monitored and, if possible, restricted. The abuse of these systems is a special case of ‘living off the land’ attacks. The attacker attempts to abuse valid existing software to perform malicious actions. This abuse is often difficult to detect.”
Asked for comment on the report, a spokesperson for NetworkLookout, the parent company of Net Monitor, noted in an email that the Net Monitor for Employees Agent can be installed only by a user who already has administrative privileges on the computer where the agent is to be installed. Without administrative privileges, the spokesperson added, “installation isn’t possible.”
“So,” the spokesperson concluded, “if you don’t want our software installed on a computer, please ensure that administrative access is not granted to unauthorized users.”
What CSOs should do
Huntress analyst Pham said to defend against attacks combining Net Monitor for Employees Professional and SimpleHelp, infosec pros should inventory all applications so unapproved installations can be detected. Legitimate apps should be protected with robust identity and access management solutions, including multi-factor authentication.
Net Monitor for Employees should only be installed on endpoints that don’t have full access privileges to sensitive data or critical servers, she added, because it has the ability to run commands and control systems.
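The inventory-and-detect advice above, together with the tradecraft described in the second case (an agent renamed to look like OneDrive, SimpleHelp dropped as a second channel, and an attempt to tamper with Windows Defender), translates into a few simple hunts over endpoint process-creation telemetry. The following is an added example, not code from Huntress, NetworkLookout or SimpleHelp: it runs three checks over Sysmon Event ID 1 style records. The event records, the keyword list for remote access tools, the per-host allow-list, the expected OneDrive install directories and the tamper patterns are all constructed assumptions to be replaced with an organisation's own vetted indicators.

```python
"""Hunt process-creation telemetry for unapproved remote-access agents,
process-name masquerading and Windows Defender tampering.

Added example with constructed data; none of the paths, hosts or keyword
lists below come from the incident described in the article.
"""
from dataclasses import dataclass
import ntpath
import re

# Assumed substrings that identify remote access / monitoring agents in an
# image path or file description. Replace with vetted IOCs in production.
RMM_KEYWORDS = ("simplehelp", "net monitor", "netmonitor")

# Assumed allow-list: which tools IT has sanctioned on which hosts.
APPROVED = {"srv-it-01": {"simplehelp"}}

# Binaries attackers like to impersonate, the directories the genuine binary
# runs from (assumed, trimmed list) and the signer it should carry.
KNOWN_GOOD = {
    "onedrive.exe": {
        "dirs": (r"c:\program files\microsoft onedrive",
                 r"\appdata\local\microsoft\onedrive"),
        "signer": "microsoft corporation",
    },
}

# Assumed command-line patterns for weakening Defender.
DEFENDER_TAMPER = re.compile(
    r"(set-mppreference\s+-disable\w+|add-mppreference\s+-exclusion\w+|"
    r"sc(\.exe)?\s+(stop|config)\s+windefend)",
    re.IGNORECASE,
)

# Constructed Sysmon-style records (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"host": "ws-07", "image": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "parent": r"C:\Windows\explorer.exe", "signer": "Microsoft Corporation",
     "cmdline": "OneDrive.exe /background"},
    {"host": "ws-07", "image": r"C:\ProgramData\OneDriveSvc\OneDrive.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "signer": "", "description": "Net Monitor for Employees Professional",
     "cmdline": "OneDrive.exe"},
    {"host": "srv-it-01", "image": r"C:\Program Files\SimpleHelp\Remote Access.exe",
     "parent": r"C:\Windows\System32\services.exe", "signer": "SimpleHelp Ltd",
     "cmdline": "Remote Access.exe"},
    {"host": "dc-01", "image": r"C:\ProgramData\SimpleHelp\Remote Access.exe",
     "parent": r"C:\Windows\System32\services.exe", "signer": "SimpleHelp Ltd",
     "cmdline": "Remote Access.exe"},
    {"host": "ws-12", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "signer": "Microsoft Windows",
     "cmdline": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _rmm_tool(event):
    """Return the first RMM keyword seen in the image path or description."""
    hay = (event["image"] + " " + event.get("description", "")).lower()
    return next((k for k in RMM_KEYWORDS if k in hay), None)


def analyse(events):
    """Run the three checks over every record and return the findings."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        base = ntpath.basename(image)

        # 1. Remote access tool present on a host where it is not approved.
        tool = _rmm_tool(ev)
        if tool and tool not in APPROVED.get(ev["host"], set()):
            findings.append(Finding(ev["host"], "unapproved-rmm", f"{tool}: {ev['image']}"))

        # 2. Well-known binary name running from the wrong place or unsigned.
        good = KNOWN_GOOD.get(base)
        if good:
            in_expected_dir = any(d in image for d in good["dirs"])
            signed_ok = ev.get("signer", "").lower() == good["signer"]
            if not (in_expected_dir and signed_ok):
                findings.append(Finding(ev["host"], "masquerade",
                                        f"{base} from {ev['image']} (parent {ev['parent']})"))

        # 3. Command line that disables or carves exclusions into Defender.
        if DEFENDER_TAMPER.search(ev.get("cmdline", "")):
            findings.append(Finding(ev["host"], "defender-tamper", ev["cmdline"]))
    return findings


def hosts_to_review(findings):
    """Sorted, de-duplicated list of hosts with at least one finding."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.host:10} {f.rule:16} {f.detail}")
```

The allow-list is keyed by host rather than applied globally so that SimpleHelp on the IT team's own management server passes while the same agent appearing on a domain controller is flagged, which matches the point that these tools belong only on endpoints without privileged reach. The masquerade check deliberately requires both the expected directory and the expected signer, since an attacker can drop a renamed binary into a plausible path far more easily than obtain a Microsoft signature for it.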
She also noted that Huntress sees a lot of rogue remote management tools on its customers’ IT networks, many of which have been installed by unwitting employees clicking on phishing emails. This points to the importance of security awareness training, she said.
Infosec leaders should also note that in June 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that ransomware operators had leveraged unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. The advisory also provided advice on how to mitigate the risks, noting, “This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025.”