Brazilian Executives Under Attack in NF-e Invoice Scam Using RMM Software Trials
A sophisticated cyber campaign targeting Portuguese-speaking executives in Brazil is underway, researchers warn. Since January 2025, attackers have been leveraging fake electronic invoice (NF-e) spam and legitimate trials of remote monitoring and management (RMM) software to gain initial access to corporate networks.

Security experts are sounding the alarm about a fresh wave of phishing attacks hitting Portuguese-speaking users in Brazil. Since January 2025, these campaigns have been using trial versions of remote monitoring and management (RMM) software to gain access to systems.
According to Cisco Talos researcher Guilherme Venere, "The spam message uses the Brazilian electronic invoice system, NF-e, as bait. It tricks users into clicking links that lead to malicious content hosted on Dropbox."
So, how does it work? The attacks start with carefully crafted spam emails disguised as messages from banks or cell phone companies. They warn about unpaid bills or outstanding payments, hoping to scare users into clicking fake Dropbox links. These links then download a binary installer for the RMM tool.
The scary part? These RMM tools, like N-able RMM Remote Access and PDQ Connect, give attackers the power to read and write files on your system.
And it doesn't stop there. In some cases, the attackers use the initial RMM software to download and install even more tools, like ScreenConnect, solidifying their control.
Who's being targeted? It seems like the attackers are going after C-level executives, as well as folks in finance and HR, across various industries. Even educational and government institutions are in the crosshairs.
The researchers believe this is the work of an initial access broker (IAB), someone who specializes in breaking into systems and then selling that access to others. They're taking advantage of free trial periods for RMM programs. The good news is that N-able has already taken action to shut down the affected trial accounts.
Venere warns that "Adversaries' abuse of commercial RMM tools has steadily increased in recent years." He adds, "These tools are appealing because they're often digitally signed by trusted companies and act as fully functional backdoors. Plus, the trial versions often provide the software and infrastructure for free."
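Because the installers are legitimately signed, detection has to key on context rather than on the binary. The sketch below is an added example, not code from the Talos report: it triages software-install events for the chain described above (an RMM product arriving from Dropbox, then a second RMM product on the same host). The event schema, the `APPROVED` allowlist, the 24-hour window, and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

RMM_PRODUCTS = ("n-able", "pdq connect", "screenconnect")  # products named in the article
APPROVED = {"pdq connect"}          # assumption: the one RMM tool IT has sanctioned
CHAIN_WINDOW = timedelta(hours=24)  # assumption: window for a follow-on install

def rmm_family(product):
    """Return the RMM family a product name belongs to, or None."""
    name = product.lower()
    return next((p for p in RMM_PRODUCTS if p in name), None)

def from_dropbox(url):
    host = (urlparse(url).hostname or "").lower()
    return host == "dropbox.com" or host.endswith((".dropbox.com", ".dropboxusercontent.com"))

def triage(events):
    """Return alerts for suspicious RMM installs; events must be sorted by time."""
    alerts, last_seen = [], {}   # last_seen: host -> (time, family) of prior RMM install
    for ev in events:
        family = rmm_family(ev["product"])
        if family is None:
            continue
        reasons = []
        if family not in APPROVED:
            reasons.append("unapproved RMM product")
        if from_dropbox(ev.get("origin_url", "")):
            reasons.append("installer downloaded from Dropbox")
        prev = last_seen.get(ev["host"])
        if prev and prev[1] != family and ev["time"] - prev[0] <= CHAIN_WINDOW:
            reasons.append(f"follow-on install after {prev[1]}")
        last_seen[ev["host"]] = (ev["time"], family)
        if reasons:
            alerts.append({"host": ev["host"], "product": family, "reasons": reasons})
    return alerts

# Constructed sample events (not taken from the report).
T0 = datetime(2025, 3, 3, 9, 0)
EVENTS = [
    {"host": "fin-ws-07", "time": T0, "product": "N-able Remote Access",
     "origin_url": "https://www.dropbox.com/EXAMPLE/nfe-installer.exe"},
    {"host": "fin-ws-07", "time": T0 + timedelta(hours=2),
     "product": "ScreenConnect Client", "origin_url": ""},
    {"host": "it-ws-01", "time": T0, "product": "PDQ Connect Agent", "origin_url": ""},
]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

An allowlisted product is still flagged when its installer came from Dropbox, since the campaign uses the same signed products an IT team might run itself.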
This campaign is just one example of the growing number of phishing attacks designed to bypass security and spread malware or steal credentials. Here are a few other recent threats to be aware of:
- Hive0148: A South American group is using Hive0148 to spread the Grandoreiro banking trojan in Mexico and Costa Rica.
- GetShared Abuse: Attackers are using the legitimate file-sharing service GetShared to bypass security and deliver malware.
- Sales Order Lures: Phishing emails with sales order themes are being used to deliver the Formbook malware by exploiting an old flaw in Equation Editor (CVE-2017-11882).
- Ratty RAT: Invoice-themed attacks are targeting organizations in Spain, Italy, and Portugal with a Java-based remote access trojan called Ratty RAT.
- Tycoon 2FA: Attackers are using the note-taking app Milanote and a phishing kit called Tycoon 2FA to steal credentials under the guise of a "new agreement".
- Encoded JavaScript: Various campaigns are utilizing encoded JavaScript, booby-trapped links in PDFs, dynamic phishing URLs, and archived MHT payloads.
- Cloudflare Tunneling Abuse: Attackers are abusing Cloudflare's TryCloudflare tunneling feature to deploy malware like AsyncRAT.
As Intezer researcher Yuval Guri points out, "Attackers continuously evolve tactics to bypass modern email and endpoint security solutions, making detecting and mitigating phishing attempts increasingly difficult. And despite advancements in cybersecurity tools, many phishing campaigns still successfully reach users' inboxes."