Huntress: ransomware gang abused employee-monitoring “bossware” and SimpleHelp to hunt crypto, then tried to drop Crazy ransomware

Cybersecurity firm Huntress says attackers are increasingly weaponizing legitimate workforce-monitoring tools as covert remote access trojans (RATs), and using them to hunt for cryptocurrency before attempting ransomware deployments. In a new report covering two intrusions from late January and early February 2026, Huntress’ Tactical Response team describes how threat actors combined Net Monitor for Employees Professional with SimpleHelp to gain resilient access to corporate networks and search for crypto assets.

What happened

- In both incidents the adversary used Net Monitor for Employees Professional (made by NetworkLookout) as the initial foothold and then pulled down SimpleHelp, a remote-access tool, as a secondary persistence channel. Two independent channels let the attackers survive the takedown of either one and blend into normal administrative traffic.
- In the first case Huntress investigators saw suspicious account manipulation (disabling Guest, enabling Administrator), multiple net commands to enumerate and create accounts, and a Net Monitor-linked binary spawning a pseudo-terminal to run commands. The attacker fetched SimpleHelp from an external IP, tried to tamper with Windows Defender, and attempted to drop multiple variants of Crazy ransomware (part of the VoidCrypt family).
- In the second case attackers entered through a compromised vendor SSL VPN account, used RDP to reach a domain controller, then installed the Net Monitor agent from the vendor’s site. They customized service and process names to mimic legitimate Windows components (for example, disguising services as OneDrive), installed SimpleHelp for backup access, and configured keyword-based monitoring rules specifically targeting cryptocurrency wallets, exchanges, payment platforms and other remote-access tools.

Huntress says this shows clear financial motivation and deliberate defense evasion.

Why this matters for crypto businesses

- “Bossware” is widely deployed: estimates put adoption at about a third of UK firms and roughly 60% of US businesses, which makes these tools attractive prey for attackers. Monitoring agents that can take screenshots, track activity or execute remote shells become covert RATs the moment an attacker controls them.
- The keyword-based monitoring aimed at wallet addresses, exchanges and payment platforms shows the attackers were specifically hunting for crypto-related targets and credentials before trying to deploy ransomware or exfiltrate value.

Vendor response and root causes

- NetworkLookout told Decrypt the agent requires administrative privileges to install, saying installation “isn’t possible” without admin rights and advising organizations to restrict administrative access.
- Huntress emphasized that the underlying problems are exposed perimeters and poor identity hygiene: compromised VPN accounts and excessive admin rights remain the primary enablers of these attacks.

Context and precedent

- This is not an isolated pattern: in April 2025 researchers found WorkComposer had exposed more than 21 million real-time screenshots in an unsecured cloud bucket, demonstrating how surveillance tools can leak sensitive data or be abused by attackers.

Practical recommendations (for crypto firms, exchanges, custodians, vendors)

- Limit administrative privileges and enforce least-privilege policies on endpoints. Since the monitoring agent needs admin rights to install, control who holds those rights and who is allowed to install monitoring agents, and alert on installs outside a sanctioned deployment.
- Harden remote-access channels: enforce strong MFA, monitor for unusual VPN/RDP logins, and apply zero-trust network segmentation for vendor and third-party access.
- Monitor for signs of abuse: unexpected service/process name changes, new persistent remote-access binaries, account creation/reset commands, and unusual outbound connections to external IPs.
- Treat “bossware” like any privileged remote-access tool: log its installations, audit its configuration, and deploy only trusted solutions under strict controls.
- Backups, detection and response: keep offline backups, maintain EDR/AV hygiene, and prepare incident response playbooks that include vendor-compromise scenarios.

Bottom line

Attackers are turning legitimate workforce-monitoring tools into stealthy RATs and combining them with commodity remote-access software to hunt for crypto and deploy ransomware. For organizations in the crypto ecosystem, where high-value credentials and funds are prime targets, tightening identity hygiene, limiting admin rights and treating monitoring software as high-risk software are critical defenses.
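The monitoring recommendation above lists the signs to look for: net commands that toggle or create accounts, and new services whose names imitate Windows components. The following is an added example, not code from Huntress, Decrypt or NetworkLookout, of a small hunting pass over constructed Windows-style events. The event layout (a dict per event standing in for Security event 4688 process-creation and System event 7045 service-install fields), the trusted OneDrive install directories, the remote-access tool name markers and the sample events themselves are all assumptions of this example.

```python
"""Hunt for the account-manipulation and service-masquerade behaviour
described in the two Huntress incidents. Added example; the event shape
is a simplified stand-in for Windows Security (4688) / System (7045)
log fields and is an assumption, not a real log schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A 'net' or 'net1' command, bare or by full path, followed by its subcommand.
_NET = r"^(?:.*\\)?net1?(?:\.exe)?\s+"

# Checked in order; the first match wins.
ACCOUNT_RULES = [
    ("account_created",
     re.compile(_NET + r"user\s+\S+(?:\s+\S+)?\s+/add\b", re.I)),
    ("builtin_account_toggled",   # the Guest/Administrator flips seen in incident one
     re.compile(_NET + r"user\s+(?:guest|administrator)\s+/active:(?:yes|no)\b", re.I)),
    ("local_admin_added",
     re.compile(_NET + r"localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("account_enumeration",       # bare 'net user' / 'net localgroup <group>'
     re.compile(_NET + r"(?:user|localgroup)(?:\s+\S+)?\s*$", re.I)),
]

# Service names attackers reuse to blend in, with directory fragments the genuine
# component installs under. The OneDrive entry mirrors the masquerade in incident
# two; the directory list is this example's assumption, tune it to your estate.
MASQUERADE_TARGETS = {
    "onedrive": (r"\program files\microsoft onedrive", r"\appdata\local\microsoft\onedrive"),
}
# Tools the report ties to these intrusions; the string forms are assumptions.
REMOTE_ACCESS_MARKERS = ("simplehelp", "net monitor", "netmonitor", "networklookout")


def check_account_command(event):
    """Return the matching ACCOUNT_RULES name for a process-creation event, or None."""
    if event.get("event_id") != 4688:
        return None
    cmd = event.get("cmdline", "").strip()
    for name, rx in ACCOUNT_RULES:
        if rx.search(cmd):
            return name
    return None


def check_service_install(event):
    """Return findings for a new-service event: masquerade and known remote-access tools."""
    if event.get("event_id") != 7045:
        return []
    name = event.get("service_name", "").lower()
    path = event.get("image_path", "").lower()
    found = []
    for keyword, trusted_dirs in MASQUERADE_TARGETS.items():
        # Legitimate-looking name, but the binary lives outside the real install path.
        if keyword in name and not any(d in path for d in trusted_dirs):
            found.append("service_masquerade")
    if any(m in name or m in path for m in REMOTE_ACCESS_MARKERS):
        found.append("remote_access_tool_installed")
    return found


def net_command_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Hosts with >= threshold account-related net commands inside one sliding window."""
    per_host = defaultdict(list)
    for ev in events:
        if check_account_command(ev):
            per_host[ev["host"]].append(datetime.fromisoformat(ev["ts"]))
    bursts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[host] = max(bursts.get(host, 0), count)
    return bursts


def hunt(events):
    """Run every check; return (host, rule, detail) tuples including burst summaries."""
    findings = []
    for ev in events:
        rule = check_account_command(ev)
        if rule:
            findings.append((ev["host"], rule, ev["cmdline"]))
        for rule in check_service_install(ev):
            findings.append((ev["host"], rule, f'{ev["service_name"]} -> {ev["image_path"]}'))
    for host, n in net_command_bursts(events).items():
        findings.append((host, "net_command_burst", f"{n} account commands within 10 minutes"))
    return findings


# Constructed sample telemetry, not real incident data.
SAMPLE_EVENTS = [
    {"ts": "2026-02-03T09:12:01", "host": "FS01", "event_id": 4688, "cmdline": "net user"},
    {"ts": "2026-02-03T09:12:40", "host": "FS01", "event_id": 4688,
     "cmdline": r"C:\Windows\System32\net1.exe user Guest /active:no"},
    {"ts": "2026-02-03T09:13:05", "host": "FS01", "event_id": 4688, "cmdline": "net user Administrator /active:yes"},
    {"ts": "2026-02-03T09:13:30", "host": "FS01", "event_id": 4688, "cmdline": "net user svc_backup Winter2026! /add"},
    {"ts": "2026-02-03T09:13:44", "host": "FS01", "event_id": 4688, "cmdline": "net localgroup Administrators svc_backup /add"},
    {"ts": "2026-02-03T10:02:11", "host": "DC01", "event_id": 7045,
     "service_name": "OneDrive Sync Host", "image_path": r"C:\ProgramData\Sync\onedrive_host.exe"},
    {"ts": "2026-02-03T10:05:42", "host": "DC01", "event_id": 7045,
     "service_name": "SimpleHelp Remote Access", "image_path": r"C:\ProgramData\Remote\Remote Access.exe"},
    {"ts": "2026-02-03T10:30:00", "host": "WS22", "event_id": 7045,   # genuine install, must not fire
     "service_name": "OneDrive Updater Service",
     "image_path": r"C:\Program Files\Microsoft OneDrive\OneDriveUpdaterService.exe"},
    {"ts": "2026-02-03T11:00:00", "host": "WS22", "event_id": 4688, "cmdline": r"net use Z: \\fs01\share"},  # benign
]

if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{host:5} {rule:28} {detail}")
```

The masquerade check is only as good as its allowlist of genuine install paths, and the remote-access markers only catch tools an attacker has not renamed; the burst rule is what still fires when names are changed, because a run of account commands within minutes on one host is unusual regardless of which binary issued them.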

