NEWS An Accountant Opened an “Invoice” from Dropbox — Hackers Gained Access to the Company’s Entire Finances

ExcalibuR

Everything looked so official that no one even thought to double-check the link.

Since the beginning of 2025, Cisco Talos experts have been tracking a new malicious campaign targeting Portuguese-speaking users in Brazil. The attack leverages trial versions of legitimate corporate remote monitoring and management (RMM) software to establish persistent and stealthy control over victims’ devices.


Cybercriminals send fake emails posing as debt notifications from financial institutions and mobile operators. These messages use Brazil’s widely adopted NF-e electronic invoicing system, lending credibility to the communication. The email contains a link to a file hosted on Dropbox — essentially an installer for remote admin tools.

The primary remote access tools used include N-able RMM Remote Access and PDQ Connect. Once installed, they allow attackers to read and write files on the compromised system. In some cases, attackers deploy additional RMM programs, such as ScreenConnect, to broaden their control over the infected machine.


Research shows that the main targets are employees in financial, HR, and executive departments — including senior management. Victims include private companies as well as government and educational institutions. All signs point to the involvement of an Initial Access Broker (IAB) using free trial versions of RMM tools to infiltrate corporate networks. N-able has already blocked the compromised trial accounts.


The main danger of this approach lies in the fact that the software used is signed with digital certificates from reputable vendors, which rarely raises alarms from security systems. Moreover, these attacks cost the criminals virtually nothing — all the tools are provided by the vendors as part of their trial periods.


Despite advances in cybersecurity, many phishing attacks still bypass filters and reach users' inboxes. Threat actors continuously evolve their methods, and the use of legitimate software as a trojan horse makes such attacks especially difficult to detect.
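Since the installers in this campaign carry valid vendor signatures, a signature-reputation check passes them; an added defensive example (not from the article or from Cisco Talos) that allowlists the organisation's approved RMM products instead and raises severity when the installer came from a consumer file-sharing host. The event fields, hostnames and sample events are constructed for illustration.

```python
"""Flag RMM agent installs that are not on the organisation's approved list.
The trial builds abused here carry valid vendor signatures, so this check
ignores signature reputation and allowlists products instead. All event
fields and sample values are constructed for illustration."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Lower-cased substrings of signer/product names -> RMM product named in the campaign
RMM_PRODUCTS = {"n-able": "N-able RMM Remote Access", "pdq": "PDQ Connect",
                "screenconnect": "ScreenConnect", "connectwise": "ScreenConnect"}
# Consumer file-sharing hosts a corporate software source would not normally use
FILE_SHARING_HOSTS = {"dropbox.com", "dropboxusercontent.com"}

@dataclass
class InstallEvent:
    host: str
    user: str
    signer: str      # Authenticode signer of the installer
    product: str     # product name from the binary's version resource
    source_url: str  # download origin, e.g. HostUrl from the Zone.Identifier stream

def identify_rmm(ev: InstallEvent):
    """Return the RMM product name if the installer is a known RMM agent."""
    text = f"{ev.signer} {ev.product}".lower()
    return next((name for key, name in RMM_PRODUCTS.items() if key in text), None)

def is_file_sharing_origin(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)

def detect_unauthorized_rmm(events, approved):
    """Return (host, user, product, severity) for every non-approved RMM install."""
    alerts = []
    for ev in events:
        product = identify_rmm(ev)
        if product is None or product in approved:
            continue  # not an RMM agent, or one the organisation sanctioned
        severity = "high" if is_file_sharing_origin(ev.source_url) else "medium"
        alerts.append((ev.host, ev.user, product, severity))
    return alerts

SAMPLE_EVENTS = [  # constructed sample telemetry, not from the campaign
    InstallEvent("fin-pc-07", "accountant", "N-able Technologies Ltd",
                 "N-able Remote Access", "https://www.dropbox.com/s/x/nfe.exe"),
    InstallEvent("it-admin-01", "helpdesk", "PDQ.com Corporation",
                 "PDQ Connect Agent", "https://downloads.pdq.example/agent.exe"),
    InstallEvent("hr-pc-03", "recruiter", "Connectwise, LLC",
                 "ScreenConnect Client", "https://cdn.example.net/support.exe"),
]
APPROVED = {"PDQ Connect"}  # constructed: the organisation's sanctioned RMM tool
```

Running `detect_unauthorized_rmm(SAMPLE_EVENTS, APPROVED)` flags the accountant's Dropbox-sourced N-able install as high and the ScreenConnect install as medium, while the sanctioned PDQ Connect agent is ignored.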