When Bossware Bites Back

Howard Solomon

Cybercriminals are abusing Net Monitor for Employees and SimpleHelp, both legitimate tools used as designed rather than exploited through a vulnerability, to deploy ransomware and hunt for cryptocurrency on compromised systems.

Image: companies monitoring employees. Credit: Shutterstock/Elnur

Cyberattackers are misusing an employee surveillance tool and a remote management platform to deploy ransomware and to search compromised systems for cryptocurrency.

As reported by Huntress researchers, an unidentified threat group is abusing NetworkLookout’s Net Monitor for Employees Professional, a program that, despite its name, includes remote access and command execution capabilities, together with SimpleHelp, a remote monitoring and management (RMM) toolkit widely used by IT departments and MSPs. In the incidents described here the tools were not exploited through any software flaw; they were simply operated by the attacker.

Such applications may either be pre-existing within an IT infrastructure or be introduced by attackers after gaining initial network access.

One instance saw the attack sequence conclude with an attempted deployment of Crazy ransomware. In a separate incident, these combined applications were utilized to search for cryptocurrency-related terms on the victim’s compromised system.

Huntress considers the pairing of these two particular applications unusual, even though SimpleHelp has a known history of being abused by malicious actors for post-exploitation persistence. SimpleHelp provides a minimal agent, supports redundant gateways, and can operate over standard ports. Net Monitor for Employees, designed to identify unproductive or illicit employee activity, serves in these attacks as the primary remote access channel. For an intruder it offers outbound (reverse) connections over common ports, which helps the traffic pass egress filtering and blend with normal web activity; it can hide its process and service names; it provides built-in shell execution; and it can be deployed quietly using ordinary Windows installation methods.

Anna Pham, a senior tactical response analyst at Huntress, described the combined use of these two applications for attacks as “perilous,” especially since one incident involved the threat actor gaining entry to the victim’s IT environment via a compromised VPN account belonging to a third-party vendor.

Using applications and utilities already present on a network, which look legitimate to IT staff, to mask malicious activity is a tactic known as “living off the land.” She described it as “extremely astute and deceptive.”

Discovery of Two Attack Incidents

Huntress uncovered two separate incidents utilizing this method: one in late January and another earlier this month. The common infrastructure, similar indicators of compromise, and consistent modus operandi across both suggest that a single threat actor or collective is responsible.

During the initial incident, Huntress observed suspicious account activity on a client’s computer conducted through Net Monitor For Employees, involving attempts to reset passwords and establish new user accounts. This application was already operational within the network.

How the attacker gained control of Net Monitor remains uncertain. Their next step was to use it to download the SimpleHelp remote management agent, which was then used to run various commands, including attempts to disable Windows Defender for detection evasion. Although those attempts failed, the threat actor proceeded to try to deploy the Crazy strain of ransomware.

In the second incident, also involving a Huntress client, the threat actor used a compromised SSL VPN account belonging to a vendor to gain initial entry into the IT network. How the vendor’s credentials were obtained is unknown. Once inside, the intruder connected over Windows Remote Desktop Protocol (RDP) and installed the Net Monitor for Employees Professional agent via PowerShell. The agent was then disguised as a genuine system component, with a service name resembling Microsoft’s OneDrive service.

Soon after, the threat actor deployed SimpleHelp to establish an additional, persistent remote access pathway. The SimpleHelp agent was further configured with monitoring alerts for terms associated with cryptocurrency and was used to seek out keywords related to remote access tools, aiming to identify if other parties were connecting to the compromised system. Furthermore, the threat actor utilized Net Monitor for network reconnaissance on a compromised domain controller.

Categorizing and Addressing These Risks

Johannes Ullrich, research dean at the SANS Institute, commented that this report illustrates how organizational IT infrastructures can be constructed in ways that later become targets for attacker exploitation. He noted that employee monitoring and security software have previously been subjected to similar forms of misuse.

Ullrich highlighted that software, particularly agents designed to connect with remote systems for data collection, frequently possesses the capability to execute code on those systems to investigate suspicious actions. However, he cautioned that without adequate control, these tools can be hijacked by attackers to run malicious code.

“Chief Security Officers (CSOs) are responsible for ensuring these dangers are thoroughly documented and addressed,” he stated. “All operations conducted by these agents must be observed and, where feasible, limited. The exploitation of such systems represents a distinct form of ‘living off the land’ attack, where the assailant seeks to misuse legitimate, pre-existing software for harmful purposes. This type of exploitation frequently proves challenging to identify.”

When contacted for comment on the report, a representative from NetworkLookout, the developer of Net Monitor, clarified via email that the Net Monitor for Employees Agent requires a user to possess administrative rights on the target computer for installation. The spokesperson further stated, “installation is not feasible” without these elevated privileges.

“Therefore,” the spokesperson concluded, “to prevent our software from being installed on a particular computer, it is imperative to ensure that unauthorized individuals are not granted administrative access.”

Recommendations for CSOs

Huntress analyst Pham advised that to counteract attacks leveraging Net Monitor for Employees Professional and SimpleHelp, information security professionals ought to catalog all applications to identify unauthorized installations. Furthermore, legitimate applications should be secured with strong identity and access management protocols, including multi-factor authentication.

She further advised that Net Monitor for Employees should be deployed exclusively on endpoints lacking complete access privileges to confidential data or essential servers, given its capacity to execute commands and manage systems.

Pham additionally observed that Huntress frequently encounters numerous unauthorized remote management tools across its clients’ IT networks, often installed by unsuspecting employees who have clicked on phishing emails. This underscores the critical need for comprehensive security awareness training, she emphasized.
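The inventory and lookalike checks recommended above can be scripted. The following is an added example written for this article, not code from Huntress, NetworkLookout or SimpleHelp. It runs on a Windows endpoint in an elevated PowerShell session and lists three things: services, running processes and installed programs whose names or paths contain the names of the two tools discussed here, plus any service or process that calls itself something OneDrive-like but runs from outside OneDrive’s own install directories. The indicator strings (`SimpleHelp`, `JWrapper`, `Net Monitor`, `NetworkLookout`) and the OneDrive paths are assumptions chosen for illustration, not published indicators of compromise, and should be tuned to your environment.

```powershell
# Added example for this article, not code from Huntress, NetworkLookout or SimpleHelp.
# Run elevated on a Windows endpoint. Lists remote-access/monitoring agents and any
# service or process whose name imitates OneDrive while running from elsewhere.
# Indicator strings and OneDrive paths below are assumptions, not published IOCs.

$RmmIndicators = @(
    'SimpleHelp',      # SimpleHelp remote access agent (name assumed)
    'JWrapper',        # assumed: folder/service prefix seen with SimpleHelp installs
    'Net Monitor',     # NetworkLookout Net Monitor for Employees (name assumed)
    'NetworkLookout'
)

# Where genuine OneDrive binaries normally live (assumption: default install locations).
$OneDriveHomes = @(
    "${env:ProgramFiles}\Microsoft OneDrive\",
    "${env:ProgramFiles(x86)}\Microsoft OneDrive\",
    "${env:LOCALAPPDATA}\Microsoft\OneDrive\"
)

function Get-ExePath {
    # Strip quotes and arguments from a service PathName or a process command line.
    # Unquoted paths containing spaces are ambiguous; the first token is kept.
    param([string]$Raw)
    if (-not $Raw) { return '' }
    if ($Raw -match '^"([^"]+)"') { return $Matches[1] }
    return ($Raw -split '\s+')[0]
}

function Test-OneDriveImpostor {
    # True when the name suggests OneDrive but the binary sits outside OneDrive's folders.
    param([string]$Name, [string]$ExePath)
    if ($Name -notmatch 'onedrive') { return $false }
    foreach ($dir in $OneDriveHomes) {
        if ($ExePath -and $ExePath.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
            return $false
        }
    }
    return $true
}

function Get-RmmHits {
    # Return each indicator string that appears (case-insensitively) in any supplied field.
    param([string[]]$Fields)
    $RmmIndicators | Where-Object { $pat = $_; $Fields | Where-Object { $_ -like "*$pat*" } }
}

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param($Type, $Name, $Path, $Reason, $Extra)
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Path = $Path; Reason = $Reason; Extra = $Extra })
}

# 1. Services: the persistence layer both tools rely on.
foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ExePath $svc.PathName
    foreach ($hit in Get-RmmHits @($svc.Name, $svc.DisplayName, $svc.PathName)) {
        Add-Finding 'Service' $svc.Name $exe "matches '$hit'" $svc.StartName
    }
    if (Test-OneDriveImpostor "$($svc.Name) $($svc.DisplayName)" $exe) {
        Add-Finding 'Service' $svc.Name $exe 'OneDrive-like name outside OneDrive path' $svc.StartName
    }
}

# 2. Running processes, which catches agents started without a service wrapper.
foreach ($proc in Get-CimInstance Win32_Process) {
    $exe = if ($proc.ExecutablePath) { $proc.ExecutablePath } else { Get-ExePath $proc.CommandLine }
    foreach ($hit in Get-RmmHits @($proc.Name, $proc.CommandLine)) {
        Add-Finding 'Process' $proc.Name $exe "matches '$hit'" "PID $($proc.ProcessId)"
    }
    if (Test-OneDriveImpostor $proc.Name $exe) {
        Add-Finding 'Process' $proc.Name $exe 'OneDrive-like name outside OneDrive path' "PID $($proc.ProcessId)"
    }
}

# 3. Installed programs (the Add/Remove Programs view) for agents installed via MSI or EXE.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
foreach ($app in Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue | Where-Object DisplayName) {
    foreach ($hit in Get-RmmHits @($app.DisplayName, $app.InstallLocation, $app.UninstallString)) {
        Add-Finding 'InstalledApp' $app.DisplayName $app.InstallLocation "matches '$hit'" $app.InstallDate
    }
}

if ($findings.Count -eq 0) { 'No remote-access/monitoring indicators found.' }
else { $findings | Sort-Object Type, Name | Format-Table -AutoSize -Wrap }
```

A hit on a known tool name is not by itself malicious; compare the output against the organization’s approved-software list, and treat any agent that nobody can vouch for, or any OneDrive-named service running from an unexpected path, as an incident to investigate. The same checks can be run fleet-wide through an EDR or configuration-management query rather than host by host.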

Information security leaders should also be aware that in June 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that ransomware groups had exploited unpatched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to breach customers of a utility billing software vendor. The advisory offered mitigation guidance, stating, “This event signifies a wider trend of ransomware attackers focusing on organizations via unpatched SimpleHelp RMM versions since January 2025.” That advisory concerns vulnerability exploitation in unpatched SimpleHelp installations, a separate risk from the misuse of a legitimately deployed, fully functional agent described above; patching addresses the first but not the second.

This content was originally published on CSOonline.
