A sophisticated cyber attack built on legitimate remote management software has been uncovered, targeting organizations in Brazil. The operation sidesteps traditional malware detection by abusing NinjaOne, a genuine enterprise remote monitoring and management (RMM) tool, to gain unauthorized control over victims' computers.
Phishing Campaign Targets Brazilian Organizations
Security researchers have identified a phishing campaign that deceives employees into installing a legitimate software agent. This agent then provides attackers with complete remote access to the victims’ systems. The attack begins with a seemingly ordinary phishing email, redirecting victims through a Google-based relay to a fake Portuguese business portal.
The deceptive portal imitates routine document-access procedures familiar to employees in finance, procurement, and administration, thereby lowering their defenses. Once users click to download what they believe is a business document, they inadvertently install the NinjaOne Remote Monitoring and Management (RMM) agent, configured to connect to the attacker’s infrastructure.
Advanced Social Engineering Techniques
The threat was first identified by analysts at Cato CTRL, the research division of Cato Networks, who disclosed their findings in a report to Cyber Security News. This campaign has targeted at least one entity in the chemicals and advanced materials sector, using broadly applicable themes like fake fiscal records and supplier documents to lure victims.
Phishing pages were crafted to fit Brazilian business culture, with references to well-known local brands and government services for an authentic feel. Despite responsible disclosure, parts of the phishing infrastructure remained active as of June 3, 2026; the infrastructure was deliberately built to keep researchers out while still serving real targets.
Implications for Enterprise Security
Once the NinjaOne agent is installed, attackers gain the same level of control as a legitimate IT administrator: monitoring user activity, executing remote commands, transferring files, and deploying further tools, all through a trusted, digitally signed platform. Because the agent is legitimate, signed software, it typically passes security controls that are looking for malware.
The downloaded file, disguised as a fiscal document, reinforces the illusion of authenticity. In some cases victims are also contacted by phone and talked through installing what is presented as software needed to open the document. The attack therefore needs no software exploit at all; it rests entirely on social engineering.
Recommendations for Organizations
The phishing infrastructure used browser fingerprinting and geofencing to filter out security researchers. The payload was delivered only to visitors from Brazilian IP addresses, which sharply reduced outside visibility. JavaScript checks confirmed that a real human was interacting with the page, and the payload was then delivered silently through a hidden iframe.
Despite these defenses, researchers found clues that exposed additional infrastructure, including image files shared across multiple domains. Overlaps with earlier campaigns, including Venom RAT activity, were noted, although definitive attribution remains elusive.
Organizations are advised to monitor for unauthorized installations of remote management software, and to treat any request to install software in order to view a document as a red flag. Unusual requests tied to fiscal records or supplier communications should be scrutinized. Security teams should brief employees in exposed roles, such as finance and procurement, so that they remain alert to this kind of lure.
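One way to act on the monitoring advice above, as an added example that is not part of the article or of Cato CTRL's report: a small Python detector run over constructed service-install records, flagging RMM agent installs that did not come through the IT deployment account and that were launched from a browser session, as in this campaign. The event field names, the NinjaOne service and binary names, and the approved deployment account are all assumptions made for the example.

```python
import json
import re

# Constructed sample events (not real telemetry), loosely modelled on
# Windows System log event 7045 (new service installed). Field names are
# assumptions for this example. JSON escaping: "\\" is one backslash.
SAMPLE_EVENTS = r"""
{"event_id": 7045, "host": "fin-ws-07", "service_name": "NinjaRMMAgent", "image_path": "C:\\Program Files (x86)\\NinjaRMMAgent\\NinjaRMMAgent.exe", "installer_user": "CORP\\maria.silva", "parent_process": "chrome.exe"}
{"event_id": 7045, "host": "it-ws-01", "service_name": "NinjaRMMAgent", "image_path": "C:\\Program Files (x86)\\NinjaRMMAgent\\NinjaRMMAgent.exe", "installer_user": "CORP\\svc-rmm-deploy", "parent_process": "msiexec.exe"}
{"event_id": 7045, "host": "fin-ws-09", "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe", "installer_user": "NT AUTHORITY\\SYSTEM", "parent_process": "services.exe"}
{"event_id": 4624, "host": "fin-ws-07", "user": "CORP\\maria.silva"}
"""

# Service or image names that suggest an RMM agent. The NinjaOne names used
# in the sample are assumptions, not verified product values.
RMM_PATTERN = re.compile(r"ninja|rmm", re.IGNORECASE)
# Account the IT team uses for sanctioned agent rollout (assumed).
APPROVED_DEPLOY_ACCOUNTS = {"CORP\\svc-rmm-deploy"}
# Parents that indicate a user-driven download, the path this campaign relies on.
USER_DOWNLOAD_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}


def find_unauthorized_rmm_installs(event_lines, approved_accounts=APPROVED_DEPLOY_ACCOUNTS):
    """Return one finding per new-service event that looks like an RMM agent
    and was not installed by an approved deployment account."""
    findings = []
    for raw in event_lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("event_id") != 7045:
            continue  # only new-service events carry install context here
        target = f'{ev.get("service_name", "")} {ev.get("image_path", "")}'
        if not RMM_PATTERN.search(target):
            continue
        if ev.get("installer_user") in approved_accounts:
            continue  # sanctioned rollout, nothing to report
        reasons = ["RMM agent installed outside the approved deployment account"]
        if ev.get("parent_process", "").lower() in USER_DOWNLOAD_PARENTS:
            reasons.append("installer launched from a browser or file-manager session")
        findings.append({"host": ev["host"], "user": ev.get("installer_user"),
                         "service": ev.get("service_name"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_rmm_installs(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['service']} by {f['user']} -> {'; '.join(f['reasons'])}")
```

In a real deployment the allowlist would also cover the sanctioned install path and the software-distribution parent process, and the findings would be routed to the SOC alongside the employee's download history.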
