Ransomware gangs are abusing legitimate employee monitoring software to break into business networks.

Security firm Huntress uncovered two recent incidents in which attackers used Net Monitor for Employees alongside remote management platform SimpleHelp to gain persistent access. Instead of custom malware, they relied on commercial tools to blend in with normal IT activity.

Net Monitor includes remote shell and command execution features. Huntress said attackers used it for “hands-on-keyboard reconnaissance” before attempting to deploy Crazy ransomware. In one case, access began through a compromised vendor SSL VPN account, with the monitoring agent disguised as a legitimate Windows service.

The attackers also configured SimpleHelp to monitor cryptocurrency-related keywords, indicating financial motives beyond ransomware alone. Huntress said the shared infrastructure and tactics “strongly suggest a single threat actor or group behind this activity.”

Businesses should tighten remote access controls, enforce multi-factor authentication and closely audit any monitoring or RMM software in use. These intrusions relied on stolen credentials and the misuse of trusted tools, not sophisticated zero-day exploits.
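One way to run the audit recommended above, as an added example that is not from Huntress or the original article: it checks a service inventory for the two products named here, reports installs that IT has not approved, and marks those whose service name hides the product. The inventory format, host names, service names and approved list are constructed assumptions, and the `product` field is assumed to come from the service binary's file version metadata.

```python
# Added example: audit a service inventory for monitoring/RMM agents.
# Every record, host name and the approved list are constructed for illustration.

WATCHLIST = ("net monitor for employees", "simplehelp")  # products named in the article
APPROVED = {("simplehelp", "HELPDESK-01")}  # hypothetical (product, host) pairs sanctioned by IT

INVENTORY = [  # constructed sample; "product" = file version metadata of the service binary
    {"host": "HELPDESK-01", "service": "RemoteSupport",
     "display": "SimpleHelp Remote Access", "product": "SimpleHelp"},
    {"host": "FIN-WS-07", "service": "SysUpdateSvc",
     "display": "System Update Service", "product": "Net Monitor for Employees Agent"},
    {"host": "FIN-WS-07", "service": "Spooler",
     "display": "Print Spooler", "product": "Microsoft Windows Operating System"},
    {"host": "DC-02", "service": "RemoteAccessSvc",
     "display": "SimpleHelp Remote Access", "product": "SimpleHelp"},
]


def audit(inventory, watchlist=WATCHLIST, approved=APPROVED):
    """Return one finding per unapproved monitoring/RMM service."""
    findings = []
    for rec in inventory:
        product = rec["product"].lower()
        match = next((w for w in watchlist if w in product), None)
        if match is None or (match, rec["host"]) in approved:
            continue  # not a watched product, or a sanctioned install
        # A watched product running under a name that never mentions it
        # fits the "disguised as a legitimate Windows service" pattern.
        names = f'{rec["service"]} {rec["display"]}'.lower()
        findings.append({
            "host": rec["host"],
            "service": rec["service"],
            "product": rec["product"],
            "disguised": match not in names,
        })
    # Review disguised services first.
    return sorted(findings, key=lambda f: not f["disguised"])


if __name__ == "__main__":
    for f in audit(INVENTORY):
        tag = "DISGUISED" if f["disguised"] else "unapproved"
        print(f'{tag:10} {f["host"]:12} {f["service"]:16} {f["product"]}')
```

File version metadata can be edited, so a clean result here does not replace checking binary hashes and signatures through endpoint tooling.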