Threat Actors Abuse Legitimate IT Tools for Ransomware, Crypto Theft
Friday, February 13, 2026
What
Threat actors are employing a "living off the land" strategy by abusing legitimate remote monitoring tools, Net Monitor for Employees and SimpleHelp. This tactic allows them to deploy Crazy ransomware or search for cryptocurrency-related keywords, making detection challenging as the tools appear legitimate.
Where
Huntress customers' IT environments, including compromised domain controllers and vendor SSL VPN accounts.
When
Discovered late January and early February by Huntress.
Key Factors
- The threat actor utilizes Net Monitor for Employees Professional as a primary remote access channel and SimpleHelp for post-exploitation persistence, often installing them after initial access via compromised VPN or RDP.
- Attacks involved either the attempted deployment of Crazy ransomware or configuring SimpleHelp to search for cryptocurrency-related keywords and perform network reconnaissance on domain controllers.
- This "living off the land" approach makes detection difficult as attackers leverage tools that may already be present or appear legitimate to IT staff, disguising malicious activity.
Takeaways
- Implement robust application inventory and monitoring to detect unauthorized installations or suspicious activity from legitimate remote management tools.
- Strengthen identity and access management (IAM), including MFA, for all legitimate applications and vendor accounts to prevent initial access via compromised credentials.