A newly documented phishing campaign is using a legitimate remote management tool to silently take over victims’ computers, without deploying a single line of traditional malware.
Researchers have uncovered an active operation targeting Brazilian organizations, where attackers trick employees into installing a real enterprise software agent that then hands full remote control to the threat actors.
The campaign starts with a phishing email that looks completely routine. The link redirects the victim through a Google-based relay before landing on a fake business portal in Portuguese.
The site mimics document-access workflows that finance, procurement, and administrative employees handle every day, making it easy for targets to let their guard down.
What makes this attack particularly dangerous is what happens after the user clicks download. Instead of receiving a business document, the victim unknowingly installs a legitimate NinjaOne Remote Monitoring and Management (RMM) agent configured to connect back to attacker-controlled infrastructure.
Analysts at Cato CTRL, the threat research division of Cato Networks, identified this previously undocumented abuse chain and shared their findings in a report with Cyber Security News (CSN).
The campaign targeted at least one organization in the chemicals and advanced materials sector. The social engineering themes used, including fake fiscal records, supplier documents, and complaint-management portals, are broadly relevant across industries.
Attackers crafted phishing pages to reflect Brazilian business culture, using trusted local brand names and government service references to make the lure feel authentic.
Portions of the phishing infrastructure were still accessible as of June 3, 2026, even after responsible disclosure was made. The attackers invested significant effort in keeping researchers out and real victims in, making this a well-planned operation rather than an opportunistic one.
Hackers Abuse Legitimate NinjaOne RMM Software
Once a victim installs the NinjaOne agent, the attacker gains the same level of access a legitimate IT administrator would have over that endpoint.
This includes monitoring device activity, running remote commands, transferring files, deploying tools, and automating tasks, all through a trusted, digitally signed platform.
Since the software is real and common in enterprise environments, most security tools do not flag it.
The downloaded file was named NinjaOne-Agent-DocumentoFiscal21782856920262001238-Sede-Auto-x86-64, keeping the fiscal-document illusion alive right up to installation.
Victims are often contacted by phone and told to install what appears to be software required to access their document. This operator-guided method removes the need for exploits entirely and puts social engineering at the heart of the attack.
Anti-Analysis Infrastructure That Keeps Defenders Out
The phishing infrastructure is more sophisticated than it first appears. The pages use browser fingerprinting, sandbox detection, and geofencing to screen out researchers before delivering the payload.
During testing, the installer was only served to visitors from Brazilian IP addresses, sharply limiting visibility for anyone investigating from outside the region.
Embedded JavaScript tracked mouse movements, touch interactions, and scrolling behavior to confirm a real human was present.
Developer comments written in Portuguese, such as “Bot preencheu o honeypot” meaning “The bot filled the honeypot,” revealed deliberate efforts to block analysis systems.
Once checks passed, the payload was silently delivered through a hidden iframe, and traces of the mechanism were cleaned up roughly 30 seconds later.
Despite these protections, researchers found an unexpected clue. Multiple attacker-controlled domains displayed the same Earth-themed wallpaper, and pivoting on that shared image filename exposed additional campaign infrastructure.
Investigators also found overlaps with infrastructure previously linked to Venon RAT, a Brazilian threat operation using Rust-based malware, though the connection stops short of definitive attribution.
Organizations should monitor for unauthorized installations of remote management software, particularly when users are asked to install software just to view a document.
Unusual requests tied to fiscal records, supplier communications, or complaint workflows should be treated with caution. Security teams are advised to alert employees in finance, procurement, and administrative roles, as they remain the most likely targets of this kind of attack.
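One way to turn the monitoring advice above into a concrete check, as an added example that is not part of the report or of any vendor tooling: it scans constructed, Sysmon-style process-creation and DNS log lines, refangs the report's published IoC domains in memory, and raises alerts for NinjaOne agent installers on hosts outside an assumed RMM allowlist, for installer names carrying the campaign's fiscal-document lure, and for DNS queries to IoC domains. The allowlist, the log format and the lure-word list are assumptions.

```python
import re

# Defanged IoCs as published in the report; refanged only in memory for matching.
IOC_DOMAINS_DEFANGED = ["sefaz[.]services", "reclameaqui[.]services", "r64[.]org"]
# Assumed allowlist: hosts where the IT team legitimately deployed NinjaOne.
APPROVED_RMM_HOSTS = {"it-admin-01"}
# Lure tokens: "documentofiscal" is from the observed installer name; the rest are
# assumed Portuguese terms matching the report's supplier/complaint themes.
LURE_TOKENS = ("documentofiscal", "fiscal", "fornecedor", "reclamacao")

def refang(domain: str) -> str:
    """Convert a defanged indicator (e.g. 'r64[.]org') into a resolvable form."""
    return domain.replace("[.]", ".").lower()

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Constructed sample log: "<event> host=<h> user=<u> image=<path>" or "... query=<fqdn>"
SAMPLE_LOG = """\
ProcessCreate host=fin-ws-07 user=maria image=C:\\Users\\maria\\Downloads\\NinjaOne-Agent-DocumentoFiscal21782856920262001238-Sede-Auto-x86-64.msi
ProcessCreate host=it-admin-01 user=svc_rmm image=C:\\Temp\\NinjaOne-Agent-Corp-Auto-x86-64.msi
DnsQuery host=fin-ws-07 user=maria query=sefaz.services
DnsQuery host=fin-ws-07 user=maria query=intranet.example.local
ProcessCreate host=fin-ws-07 user=maria image=C:\\Windows\\System32\\notepad.exe
"""

def parse(line: str):
    """Return (event, host, user, kind, value) or None for unparseable lines."""
    m = re.match(r"(\w+) host=(\S+) user=(\S+) (image|query)=(.+)$", line.strip())
    return m.groups() if m else None

def analyze(log: str) -> list:
    """Emit alert strings for unapproved RMM installs, lure-named installers and IoC DNS hits."""
    alerts = []
    for line in log.splitlines():
        parsed = parse(line)
        if not parsed:
            continue
        event, host, user, kind, value = parsed
        if kind == "image":
            name = value.rsplit("\\", 1)[-1].lower()  # executable file name only
            if name.startswith("ninjaone-agent"):
                if host not in APPROVED_RMM_HOSTS:
                    alerts.append(f"UNAPPROVED_RMM_INSTALL {host} {user} {name}")
                if any(token in name for token in LURE_TOKENS):
                    alerts.append(f"LURE_NAMED_INSTALLER {host} {user} {name}")
        elif kind == "query" and value.lower() in IOC_DOMAINS:
            alerts.append(f"IOC_DNS_HIT {host} {user} {value}")
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The approved-host set is the key tuning knob: a legitimate NinjaOne rollout should never be paged on, so populate it from your asset inventory rather than by hand.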
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | r64[.]org | Attacker-controlled phishing infrastructure domain |
| Domain | hairdb[.]com | Attacker-controlled phishing infrastructure domain |
| Domain | lazybearpottery[.]net | Attacker-controlled phishing infrastructure domain |
| Domain | rectalmania[.]com | Attacker-controlled phishing infrastructure domain |
| Domain | sefaz[.]services | Phishing domain impersonating Brazilian SEFAZ tax authority |
| Domain | reclameaqui[.]services | Phishing domain impersonating Brazilian complaint platform Reclame Aqui |
| File Name | NinjaOne-Agent-DocumentoFiscal21782856920262001238-Sede-Auto-x86-64 | NinjaOne installer disguised as a Brazilian fiscal document used to establish attacker-controlled remote access |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection appeared first on Cyber Security News.
