A sophisticated spam campaign targeting Portuguese-speaking users in Brazil has been uncovered by Cisco Talos, active since at least January 2025.
This campaign exploits commercial remote monitoring and management (RMM) tools, such as PDQ Connect and N-able Remote Access, to gain unauthorized access to victims’ systems.
The attackers, identified with high confidence as initial access brokers (IABs), use deceptive tactics to distribute malicious installers disguised as legitimate files related to Brazil’s electronic invoice system, NF-e.
.png
)
These spam messages, often posing as notifications from financial institutions or cell phone providers about overdue bills or payment receipts, lure users into clicking malicious links hosted on Dropbox.
Once clicked, these links download executable files with names like “AGENT_NFe_<random>.exe” or “Boleto_NFe_<random>.exe,” which install the RMM tools, granting attackers full remote control over the compromised systems.
The primary targets include C-level executives, financial, and human resources personnel across industries, including educational and government institutions, amplifying the potential impact of these attacks.
Abusing Free Trials for Malicious Gain
Cisco Talos’s investigation reveals that the threat actors exploit the free trial periods of RMM tools, typically lasting 15 days, to orchestrate their attacks with minimal cost.
By registering trial accounts using free email services like Gmail or Proton Mail, and occasionally compromised personal accounts, the attackers create and distribute malicious agents without relying on stolen credentials.
Testing by Talos confirmed that trial versions of tools like N-able Remote Access offer unrestricted features, including remote desktop access, command execution, screen streaming, keystroke capture, and file management capabilities.
Post-infection, the attackers often install additional RMM tools or disable security software, maintaining access for days before executing further malicious actions or selling access to third parties, such as ransomware operators or state-sponsored actors.
The network traffic generated by these tools blends with legitimate HTTPS communications, using domains like “upload1.am.remote.management” hosted on AWS, making detection and attribution challenging.
While N-able has disabled affected trial accounts, the increasing abuse of such tools signals a growing trend in cyber threats.
Cisco’s security solutions, including Secure Endpoint, Secure Email, and Secure Firewall, offer robust defenses against this campaign by detecting and blocking malicious activities and binaries.
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| Network IOCs | hxxps://upload1[.]am[.]remote[.]management/ |
| hxxps://upload2[.]am[.]remote[.]management/ | |
| hxxps://upload3[.]am[.]remote[.]management/ | |
| hxxps://upload4[.]am[.]remote[.]management/ | |
| 198[.]45[.]54[.]34[.]bc[.]googleusercontent[.]com | |
| RMM Installer Hashes | 03b5c76ad07987cfa3236eae5f8a5d42cef228dda22b392c40236872b512684e (Example) |
| Additional hashes available on Cisco Talos GitHub repository |
Setting Up SOC Team? – Download Free Ultimate SIEM Pricing Guide (PDF) For Your SOC Team -> Free Download
