VERY IMPORTANT

Threat actors have been observed exploiting Net Monitor for Employees Professional and SimpleHelp software in ransomware operations. These legitimate tools were used for remote access, command execution, and persistence. The attackers disguised Net Monitor as Microsoft OneDrive and configured SimpleHelp with cryptocurrency-related keyword triggers. In one case, the attack led to an attempted deployment of Crazy ransomware. The intrusions involved initial access through compromised VPN accounts, followed by the installation of these tools for remote control and monitoring. The shared infrastructure and tactics suggest a single threat actor or group behind these activities, with objectives including cryptocurrency theft and ransomware deployment.