Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection
By Tushar Subhra Dutta
June 12, 2026
A newly documented phishing campaign is using a legitimate remote management tool to silently take over victims’ computers, without deploying a single line of traditional malware.
Researchers have uncovered an active operation targeting Brazilian organizations, where attackers trick employees into installing a real enterprise software agent that then hands full remote control to the threat actors.
The campaign starts with a phishing email that looks completely routine. The link redirects the victim through a Google-based relay before landing on a fake business portal in Portuguese.
The site mimics document-access workflows that finance, procurement, and administrative employees handle every day, making it easy for targets to let their guard down.
What makes this attack particularly dangerous is what happens after the user clicks download. Instead of receiving a business document, the victim unknowingly installs a legitimate NinjaOne Remote Monitoring and Management (RMM) agent configured to connect back to attacker-controlled infrastructure.
Analysts at Cato CTRL, the threat research division of Cato Networks, identified this previously undocumented abuse chain and shared their findings in a report with Cyber Security News (CSN).
The campaign targeted at least one organization in the chemicals and advanced materials sector. The social engineering themes used, including fake fiscal records, supplier documents, and complaint-management portals, are broadly relevant across industries.
Attackers crafted phishing pages to reflect Brazilian business culture, using trusted local brand names and government service references to make the lure feel authentic.
Portions of the phishing infrastructure were still accessible as of June 3, 2026, even after responsible disclosure was made. The attackers invested significant effort in keeping researchers out and real victims in, making this a well-planned operation rather than an opportunistic one.
Hackers Abuse Legitimate NinjaOne RMM Software
Once a victim installs the NinjaOne agent, the attacker gains the same level of access a legitimate IT administrator would have over that endpoint.
This includes monitoring device activity, running remote commands, transferring files, deploying tools, and automating tasks, all through a trusted, digitally signed platform.
Because the agent is a genuine, signed product that is common in enterprise environments, most security tools do not flag it; the abuse is only visible in where the agent was installed from and which tenant it reports to.
The downloaded file was named NinjaOne-Agent-DocumentoFiscal21782856920262001238-Sede-Auto-x86-64, keeping the fiscal-document illusion alive right up to installation.
NinjaOne installer disguised as a fiscal document (Source – CATO)
Victims are often contacted by phone and told to install what appears to be software required to access their document. This operator-guided method removes the need for exploits entirely and puts social engineering at the heart of the attack.
Anti-Analysis Infrastructure That Keeps Defenders Out
The phishing infrastructure is more sophisticated than it first appears. The pages use browser fingerprinting, sandbox detection, and geofencing to screen out researchers before delivering the payload.
During testing, the installer was only served to visitors from Brazilian IP addresses, sharply limiting visibility for anyone investigating from outside the region.
Payload delivery restricted to visitors originating from Brazil (Source – CATO)
Embedded JavaScript tracked mouse movements, touch interactions, and scrolling behavior to confirm a real human was present.
Developer comments written in Portuguese, such as “Bot preencheu o honeypot” meaning “The bot filled the honeypot,” revealed deliberate efforts to block analysis systems.
Once checks passed, the payload was silently delivered through a hidden iframe, and traces of the mechanism were cleaned up roughly 30 seconds later.
Honeypot validation logic (Source – CATO)
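The gating described above (interaction tracking, automation checks, a honeypot field, a hidden iframe and timed cleanup) leaves recognisable traces in the page source, so an analyst who has captured a copy of the page from an in-region vantage point can triage it statically. The Python below is an added example written for this article, not Cato CTRL's tooling or the kit's code; the sample page it scans is constructed to mirror the behaviour the researchers describe, and the marker regexes are heuristics, not signatures for this specific kit.

```python
"""Static triage of a captured phishing page for anti-analysis gating.

Added example for this article, not Cato CTRL's tooling. SAMPLE_PAGE is a
constructed page that mirrors the techniques described in the text; the real
kit's source is not reproduced here, and the markers are heuristics.
"""
import re
from html.parser import HTMLParser

# (marker name, regex over the page's inline script text); a capture group,
# if present, is what gets reported for that marker.
SCRIPT_MARKERS = [
    ("automation_check", re.compile(r"navigator\.webdriver|headless|phantom|selenium", re.I)),
    ("interaction_gate", re.compile(r"['\"](mousemove|touchstart|pointermove|scroll)['\"]", re.I)),
    ("honeypot_logic", re.compile(r"honeypot", re.I)),
    ("hidden_iframe_delivery", re.compile(r"createElement\(\s*['\"]iframe['\"]", re.I)),
    # delay in ms of a deferred callback; the article reports cleanup after roughly 30 s
    ("delayed_cleanup", re.compile(r"setTimeout\(.*?,\s*(\d{4,6})\s*\)", re.I | re.S)),
]


class _PageExtractor(HTMLParser):
    """Collect inline <script> bodies and inputs that a human user cannot see."""

    def __init__(self):
        super().__init__()
        self.scripts, self.hidden_inputs = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and "src" not in a:
            self._in_script = True
        elif tag == "input":
            style = (a.get("style") or "").replace(" ", "").lower()
            off_screen = "display:none" in style or "opacity:0" in style or "left:-" in style
            if a.get("type") == "hidden" or off_screen:
                self.hidden_inputs.append(a.get("name") or a.get("id") or "?")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def triage_page(html: str) -> dict:
    """Return the anti-analysis markers found in the page and a simple count as score."""
    p = _PageExtractor()
    p.feed(html)
    js = "\n".join(p.scripts)
    hits = {}
    for name, rx in SCRIPT_MARKERS:
        m = rx.search(js)
        if m:
            hits[name] = m.group(m.lastindex or 0)
    # A hidden field that the script reads is the classic form honeypot: a person
    # never fills it, an automated crawler that completes every input does.
    honeypots = [n for n in p.hidden_inputs if re.search(r"\b%s\b" % re.escape(n), js)]
    if honeypots:
        hits["honeypot_field"] = ",".join(honeypots)
    return {"markers": hits, "score": len(hits)}


# Constructed sample page (Portuguese labels as on the lure; not the real kit).
SAMPLE_PAGE = """<html><body>
<form id="acesso">
  <input name="cnpj" placeholder="CNPJ">
  <input name="website" style="position:absolute; left:-9999px; opacity:0" tabindex="-1">
  <button type="submit">Acessar documento</button>
</form>
<script>
  var human = false;
  ['mousemove', 'touchstart', 'scroll'].forEach(function (e) {
    window.addEventListener(e, function () { human = true; });
  });
  document.getElementById('acesso').onsubmit = function (ev) {
    ev.preventDefault();
    if (navigator.webdriver || !human) return;                  // automation or no interaction
    if (document.querySelector('[name=website]').value) return; // honeypot was filled: bot
    var f = document.createElement('iframe');                   // silent delivery
    f.style.display = 'none';
    f.src = '/download';
    document.body.appendChild(f);
    setTimeout(function () { f.remove(); }, 30000);             // clean up after ~30 s
  };
</script>
</body></html>"""

if __name__ == "__main__":
    for marker, evidence in triage_page(SAMPLE_PAGE)["markers"].items():
        print(f"{marker}: {evidence}")
```

The score is only a triage aid: a legitimate site can use a honeypot field or an iframe, and the combination with geofenced delivery (which a static scan cannot see) is what makes this campaign's pages hostile, so treat a high score as a reason to fetch the page from a Brazilian egress with a real browser session rather than as a verdict.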
Despite these protections, researchers found an unexpected clue. Multiple attacker-controlled domains displayed the same Earth-themed wallpaper, and pivoting on that shared image filename exposed additional campaign infrastructure.
Shared wallpaper image discovered across multiple attacker-controlled domains (Source – CATO)
Investigators also found overlaps with infrastructure previously linked to Venon RAT, a Brazilian threat operation using Rust-based malware, though the connection stops short of definitive attribution.
Organizations should monitor for unauthorized installations of remote management software, particularly when users are asked to install software just to view a document.
Unusual requests tied to fiscal records, supplier communications, or complaint workflows should be treated with caution. Security teams are advised to alert employees in finance, procurement, and administrative roles, as they remain the most likely targets of this kind of attack.
Indicators of Compromise (IoCs):
Type | Indicator | Description
Domain | r64[.]org | Attacker-controlled phishing infrastructure domain
Domain | hairdb[.]com | Attacker-controlled phishing infrastructure domain
Domain | lazybearpottery[.]net | Attacker-controlled phishing infrastructure domain
Domain | rectalmania[.]com | Attacker-controlled phishing infrastructure domain
Domain | sefaz[.]services | Phishing domain impersonating the Brazilian SEFAZ tax authority
Domain | reclameaqui[.]services | Phishing domain impersonating the Brazilian complaint platform Reclame Aqui
File name | NinjaOne-Agent-DocumentoFiscal21782856920262001238-Sede-Auto-x86-64 | NinjaOne installer disguised as a Brazilian fiscal document, used to establish attacker-controlled remote access
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
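Turning the monitoring advice and the IoC list above into endpoint rules: the Python below is an added example for this article, not code from Cato CTRL or NinjaOne. It refangs the six listed domains and matches DNS queries against them (including subdomains), and it flags NinjaOne agent installer launches that do not carry an allow-listed org token in the file name, run from a user-writable download path, or are spawned by a browser. The assumption that a sanctioned installer carries the organisation's own token right after "NinjaOne-Agent-" is a hypothetical tenant policy, as are the allow-list, browser list, host names and every event; all telemetry is constructed, in Sysmon-style shape, for the demonstration.

```python
"""Endpoint-side detection of unsanctioned NinjaOne agent installs and IoC hits.

Added example for this article; not code from Cato CTRL or NinjaOne. Events are
constructed Sysmon-style records (EventID 1 process creation, EventID 22 DNS query).
"""
import re
from dataclasses import dataclass

# The domains from this article's IoC list, left defanged as published.
IOC_DOMAINS_DEFANGED = [
    "r64[.]org", "hairdb[.]com", "lazybearpottery[.]net",
    "rectalmania[.]com", "sefaz[.]services", "reclameaqui[.]services",
]


def refang(indicator: str) -> str:
    """Undo the common [.] and hxxp defanging so an indicator can be compared."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def matches_ioc_domain(hostname: str) -> bool:
    """True if hostname is an IoC domain or any subdomain of one."""
    h = hostname.strip().lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)


# Hypothetical tenant policy (adjust to your environment): sanctioned installers
# carry one of these org tokens right after "NinjaOne-Agent-" in the file name,
# and are rolled out by deployment tooling, never from a browser download.
APPROVED_ORG_TOKENS = {"acmecorp"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
INSTALLER_RE = re.compile(r"ninjaone-agent-(?P<org>[^-\\/\s]+)-", re.I)
USER_WRITABLE_RE = re.compile(r"[\\/](downloads|temp|appdata)[\\/]", re.I)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def check_process_create(ev: dict) -> list[Finding]:
    """Rules for an EventID 1 record; only fires on NinjaOne agent installer launches."""
    target = ev["Image"] + " " + ev.get("CommandLine", "")
    m = INSTALLER_RE.search(target)
    if not m:
        return []
    out = []
    if m.group("org").lower() not in APPROVED_ORG_TOKENS:
        out.append(Finding(ev["Computer"], "rmm.unapproved_org_token",
                           f"installer org slot '{m.group('org')}' is not on the allow-list"))
    if USER_WRITABLE_RE.search(target):
        out.append(Finding(ev["Computer"], "rmm.user_writable_path", ev["Image"]))
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in BROWSERS:
        out.append(Finding(ev["Computer"], "rmm.launched_from_browser", parent))
    return out


def check_dns_query(ev: dict) -> list[Finding]:
    """Rule for an EventID 22 record: lookup of a listed phishing domain."""
    if matches_ioc_domain(ev["QueryName"]):
        return [Finding(ev["Computer"], "ioc.phishing_domain", ev["QueryName"])]
    return []


def analyze(events: list[dict]) -> list[Finding]:
    """Run every rule over a stream of events and collect the findings in order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            findings.extend(check_process_create(ev))
        elif ev["EventID"] == 22:
            findings.extend(check_dns_query(ev))
    return findings


# Constructed sample telemetry: one lured finance workstation, one sanctioned rollout.
SAMPLE_EVENTS = [
    {"EventID": 22, "Computer": "FIN-PC01", "QueryName": "portal.sefaz.services"},
    {"EventID": 1, "Computer": "FIN-PC01",
     "Image": r"C:\Users\maria\Downloads\NinjaOne-Agent-DocumentoFiscal21782856920262001238-Sede-Auto-x86-64.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 22, "Computer": "HR-PC07", "QueryName": "intranet.example.com"},
    {"EventID": 1, "Computer": "HR-PC07",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i \\deploy01\software\NinjaOne-Agent-AcmeCorp-MainOffice-Auto-x86-64.msi /qn",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Hash or signature blocking does not help here, since the attacker ships the vendor's own signed agent; the useful controls are the ones above (provenance of the installer, who launched it, which tenant it was built for) plus an inventory check that alerts when an RMM agent service appears on a host the IT team never enrolled.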