Ransomware Hackers Targeting Employee Monitoring Software To Access Computers
Hackers are exploiting commercially available employee monitoring software, Net Monitor for Employees Professional, in combination with the remote access tool SimpleHelp, to gain persistent access to corporate systems and deploy ransomware, including the Crazy ransomware strain. The attacks, observed by Huntress in early 2026, leveraged legitimate features of the software—such as remote shell access, process masquerading, and silent installation—to avoid detection and maintain long-term access. Attackers gained entry through compromised VPN accounts or RDP access, installed the monitoring tools with administrator privileges, disguised processes as legitimate Windows services, and set up triggers to hunt for cryptocurrency-related activities. This method allows threat actors to blend with authorized IT activity, complicating detection. The underlying issue remains weak security practices, such as exposed perimeters and poor identity management. The widespread use of such "bossware" for productivity tracking, often with broad and intrusive capabilities, makes it a popular target for cybercriminals seeking to exploit trusted software for malicious purposes.
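
A detection sketch for the two behaviours described above, processes disguised as Windows services and monitoring or remote-access tools running where IT never deployed them. This is an added example, not code from Huntress or the article. The event fields, paths, host names and allowlist are constructed, and matching the product names against file metadata is an assumption about how the tools identify themselves.

```python
import ntpath

# Binaries that normally run only from the Windows system directories.
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "spoolsv.exe", "taskhostw.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Products named in the article; which hosts may run them is an assumed inventory.
WATCHED_PRODUCTS = ("net monitor for employees", "simplehelp")
APPROVED = {"simplehelp": {"HELPDESK-01"}}  # hypothetical allowlist

def findings(events):
    """Return (host, reason, image) for each suspicious process-creation event."""
    out = []
    for ev in events:
        image = ntpath.normcase(ev["image"])  # lowercase, backslash-normalised
        name, folder = ntpath.basename(image), ntpath.dirname(image)
        # A system binary name launched from anywhere else suggests masquerading.
        if name in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
            out.append((ev["host"], "system-binary name outside system directory", ev["image"]))
        # Monitoring/remote-access software on a host that is not approved to run it.
        product = ev.get("product", "").lower()
        for watched in WATCHED_PRODUCTS:
            if watched in product and ev["host"] not in APPROVED.get(watched, set()):
                out.append((ev["host"], f"unapproved {watched}", ev["image"]))
    return out

# Constructed sample events (paths and hosts are invented for illustration).
SAMPLE_EVENTS = [
    {"host": "FIN-WS-07", "image": r"C:\Windows\System32\svchost.exe",
     "product": "Microsoft Windows Operating System"},
    {"host": "FIN-WS-07", "image": r"C:\ProgramData\Example\svchost.exe",
     "product": "Net Monitor for Employees Professional"},
    {"host": "HELPDESK-01", "image": r"C:\Example\remote-agent.exe", "product": "SimpleHelp"},
    {"host": "FIN-WS-07", "image": r"C:\Example\remote-agent.exe", "product": "SimpleHelp"},
]

if __name__ == "__main__":
    for finding in findings(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The approved SimpleHelp host produces no finding, which is the point: the same tool is benign or hostile depending on whether the inventory expects it there.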

