Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection
A phishing campaign targeting Brazilian organizations uses legitimate NinjaOne RMM software to gain remote control of endpoints without deploying traditional malware, evading security tools.

A newly documented phishing campaign is using a legitimate remote management tool to silently take over victims' computers, without deploying a single line of traditional malware. Researchers have uncovered an active operation targeting Brazilian organizations, where attackers trick employees into installing a real enterprise software agent that then hands full remote control to the threat actors.
The campaign starts with a phishing email that looks completely routine. The link redirects the victim through a Google-based relay before landing on a fake business portal in Portuguese. The site mimics document-access workflows that finance, procurement, and administrative employees handle every day, making it easy for targets to let their guard down.
What makes this attack particularly dangerous is what happens after the user clicks download. Instead of receiving a business document, the victim unknowingly installs a legitimate NinjaOne Remote Monitoring and Management (RMM) agent configured to connect back to attacker-controlled infrastructure. Analysts at Cato CTRL, the threat research division of Cato Networks, identified this previously undocumented abuse chain and shared their findings in a report with Cyber Security News (CSN).
The campaign targeted at least one organization in the chemicals and advanced materials sector. The social engineering themes used, including fake fiscal records, supplier documents, and complaint-management portals, are broadly relevant across industries. Attackers crafted phishing pages to reflect Brazilian business culture, using trusted local brand names and government service references to make the lure feel authentic.
Once a victim installs the NinjaOne agent, the attacker gains the same level of access a legitimate IT administrator would have over that endpoint. This includes monitoring device activity, running remote commands, transferring files, deploying tools, and automating tasks, all through a trusted, digitally signed platform. Since the software is real and common in enterprise environments, most security tools do not flag it.
The phishing infrastructure is more sophisticated than it first appears. The pages use browser fingerprinting, sandbox detection, and geofencing to screen out researchers before delivering the payload. During testing, the installer was only served to visitors from Brazilian IP addresses, sharply limiting visibility for anyone investigating from outside the region. Embedded JavaScript tracked mouse movements, touch interactions, and scrolling behavior to confirm a real human was present.
Despite these protections, researchers found an unexpected clue. Multiple attacker-controlled domains displayed the same Earth-themed wallpaper, and pivoting on that shared image filename exposed additional campaign infrastructure. Investigators also found overlaps with infrastructure previously linked to Venon RAT, a Brazilian threat operation using Rust-based malware, though the connection stops short of definitive attribution.
Organizations should monitor for unauthorized installations of remote management software, particularly when users are asked to install software just to view a document. Unusual requests tied to fiscal records, supplier communications, or complaint workflows should be treated with caution. Security teams are advised to alert employees in finance, procurement, and administrative roles, as they remain the most likely targets of this kind of attack.
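One way to operationalise the monitoring advice above is to triage endpoint process-creation telemetry for RMM agent installs that did not come through the organisation's own deployment path. The following is an added example, not code from the article or from Cato CTRL: it runs over a few constructed Sysmon-style events and flags agent installs launched from a browser or a user's Downloads folder, or by any parent other than an assumed approved deployment tool. The agent binary name pattern, the approved-parent list and the event format are assumptions for illustration; check the vendor's documentation and your own deployment tooling for the real values before using this as a detection.

```python
"""Triage constructed process-creation events for unauthorised RMM agent installs.

Added example (not the article's or Cato CTRL's code). Every event below is
constructed sample data; binary names and approved parents are assumptions.
"""
import json
import re
from dataclasses import dataclass, field

# Assumption: illustrative agent binary patterns. Verify against the vendor's
# published installer and service names before deploying this as a rule.
RMM_IMAGE_PATTERNS = [
    re.compile(r"ninja(rmm|one)agent.*\.exe$", re.I),
    re.compile(r"ninjaone.*\.msi$", re.I),
]
# Parents that indicate a user-driven install (browser or mail client).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
# Assumption: the only parents allowed to launch an agent install are the
# organisation's deployment tools (replace with your own).
APPROVED_PARENTS = {"ccmexec.exe", "intune_management_extension.exe"}
USER_DOWNLOADS = re.compile(r"\\users\\[^\\]+\\downloads\\", re.I)

# Constructed sample telemetry: one JSON object per line, modelled loosely on
# a process-creation event (host, user, image, parent_image).
SAMPLE_LOG = """
{"host":"WS-FIN-07","user":"ana.souza","image":"C:\\\\Users\\\\ana.souza\\\\Downloads\\\\NinjaOneAgent-Setup.exe","parent_image":"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe"}
{"host":"WS-IT-02","user":"SYSTEM","image":"C:\\\\Windows\\\\ccmcache\\\\a1\\\\NinjaRMMAgent.exe","parent_image":"C:\\\\Windows\\\\CCM\\\\CcmExec.exe"}
{"host":"WS-PRC-03","user":"joao.lima","image":"C:\\\\Users\\\\joao.lima\\\\AppData\\\\Local\\\\Temp\\\\NinjaRMMAgent.exe","parent_image":"C:\\\\Windows\\\\explorer.exe"}
{"host":"WS-ADM-01","user":"maria.costa","image":"C:\\\\Users\\\\maria.costa\\\\Downloads\\\\Fatura_2024.pdf","parent_image":"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe"}
"""


@dataclass
class Alert:
    host: str
    user: str
    image: str
    reasons: list = field(default_factory=list)


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_rmm_image(path):
    """True if the executed image looks like the RMM agent installer/binary."""
    name = basename(path)
    return any(p.search(name) for p in RMM_IMAGE_PATTERNS)


def triage(events):
    """Return an Alert for every RMM agent launch outside the approved path."""
    alerts = []
    for ev in events:
        if not is_rmm_image(ev["image"]):
            continue
        parent = basename(ev["parent_image"])
        reasons = []
        if parent in BROWSERS:
            reasons.append(f"launched directly by browser/mail client ({parent})")
        if USER_DOWNLOADS.search(ev["image"]):
            reasons.append("installer executed from user Downloads folder")
        if parent not in APPROVED_PARENTS and not reasons:
            reasons.append("launched outside approved deployment tooling")
        if reasons:
            alerts.append(Alert(ev["host"], ev["user"], ev["image"], reasons))
    return alerts


if __name__ == "__main__":
    for a in triage(parse_events(SAMPLE_LOG)):
        print(f"[ALERT] {a.host} {a.user} {a.image}")
        for r in a.reasons:
            print(f"         - {r}")
```

The deployment-managed install on WS-IT-02 produces no alert, the browser-launched installer in the finance user's Downloads folder produces two reasons, and the copy run from a temp directory by Explorer is caught by the generic "outside approved tooling" rule; in production the approved-parent and image lists are the parts that need tuning to the environment.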