Cato CTRL™ Threat Research: From Fiscal Lures to Remote Access, A Previously Undocumented NinjaOne RMM Abuse Chain
Executive Summary
Update (June 19, 2026): We have confirmed that the NinjaOne-related artifact referenced in this report is no longer accessible. Our investigation did not identify a vulnerability or compromise in NinjaOne’s platform. The campaign relied on social engineering and abuse of NinjaOne remote-management software, consistent with a broader industry trend in which threat actors abuse commercial RMM tools.
Cato CTRL researchers recently identified an undocumented, active phishing campaign targeting Brazilian organizations with fake business-document lures that deliver a NinjaOne Remote Monitoring and Management (RMM) agent. The use of NinjaOne is particularly significant: it underscores that attackers no longer need exotic malware to penetrate an enterprise. Familiar business workflows and software are enough.
The campaign begins with phishing emails that redirect victims to Portuguese-language landing pages impersonating familiar Brazilian workflows, including SEFAZ-related fiscal documents, Reclame Aqui-style complaint processes, and secure document-delivery portals. After completing a fake verification process, victims are prompted to download what appears to be a protected business document. Instead, the download delivers a NinjaOne RMM agent configured to provide remote access to attacker-controlled infrastructure, highlighting a previously undocumented abuse of NinjaOne in the Brazilian threat landscape.
The observed victim belonged to the chemicals and advanced materials sector, but the lure is broadly relevant to procurement, finance, accounting, and administrative users who routinely handle invoices, supplier communications, tax documents, and protected business correspondence. The infrastructure also includes geofencing, browser fingerprinting, sandbox detection, and user-interaction validation to restrict payload delivery and reduce exposure to researchers.
Key findings:
- Phishing links used for initial access
- Previously undocumented use of NinjaOne RMM software for remote access in the Brazilian threat landscape
- Portuguese-language phishing infrastructure targeting Brazilian users
- Business-document and secure-download social engineering themes
- Domains resembling trusted Brazilian services and workflows
- Anti-analysis, anti-bot, and geofencing protections
- Additional infrastructure discovered through non-traditional threat hunting
At the time of writing this post (June 03, 2026), portions of the phishing infrastructure remained accessible despite our reporting of the issue to Cloudflare.
Technical Details
The Phishing Email Arrives
The attack begins with phishing emails containing links hidden behind a Googleusercontent-based redirection chain, including the bc.googleusercontent.com pattern.
By placing trusted third-party infrastructure between the victim and the final phishing site, the attackers increase delivery resilience, complicate infrastructure tracking, and reduce the effectiveness of simple domain-based blocking.
After clicking the link, victims are redirected to what appears to be a secure portal used to distribute protected business documents. Throughout the attack chain, the operators reference fiscal documents, secure downloads, complaint-management processes, and protected correspondence. For employees responsible for procurement, finance, accounting, and administrative operations, these themes closely resemble everyday business activities.
The overall attack flow observed during our investigation is shown in Figure 1.
Figure 1. Attack flow from phishing to remote access
Abusing Trusted Business Workflows
One of the most notable aspects of the campaign is how closely social engineering aligns with real-world business processes.
The observed victim organization operates within the Chemicals and Advanced Materials sector. Employees in these environments routinely exchange invoices, supplier communications, customs documentation, tax records, procurement forms, and regulatory paperwork.
The phishing workflow appears designed to exploit this familiarity. Rather than relying on password-reset requests or account-compromise notifications, the attackers use themes that naturally fit within normal business operations. Victims are encouraged to review protected documents, fiscal records, complaint notifications, or business correspondence that appear relevant to their responsibilities.
We identified multiple domains designed to evoke trust through association with well-known Brazilian services. Among them were sefaz[.]services and reclameaqui[.]services.
The term SEFAZ (Secretaria da Fazenda) is widely recognized in Brazil because it is closely associated with tax administration and electronic fiscal documents. As a result, references to SEFAZ appear familiar to employees working in procurement, finance, accounting, logistics, and administrative roles. Similarly, Reclame Aqui is one of Brazil’s best-known consumer complaint and reputation platforms. Emails referencing complaints or related documentation may therefore appear legitimate to employees responsible for customer relations, compliance, procurement, or business operations.
The phishing pages combine visual and linguistic trust signals familiar to Brazilian business users, including fiscal-document language, secure-download messaging, human verification, complaint-management themes, and domains resembling known Brazilian services. The use of terms such as “Documento Fiscal”, “Download Seguro”, and “Verificação de Segurança” creates a familiar experience for users who regularly interact with invoices, supplier communications, tax documents, and protected business correspondence.
The effectiveness of the campaign does not rely on technical sophistication alone. The operators demonstrate a strong understanding of Brazilian business processes and selected themes that many employees encounter as part of their daily responsibilities. By aligning the phishing workflow with familiar activities such as reviewing fiscal documents, handling supplier communications, or responding to complaints, the attackers significantly increase the likelihood of user cooperation.
One of the Portuguese-language phishing portals identified during the campaign is shown in Figure 2.
Figure 2. Portuguese-language phishing portal
The Victim Is Directed to a Secure Download Portal
After navigating the redirection chain, victims arrive at a phishing portal that presents itself as a secure document-delivery service.
The portal heavily emphasizes trust, security, and document protection. Visitors are informed that the requested document is protected and that verification is required before access can be granted.
We identified infrastructure that references themes associated with well-known Brazilian business workflows, including fiscal-document ecosystems and complaint-management services.
For many users, particularly those responsible for procurement and financial processes, the experience appears entirely plausible.
Nothing immediately suggests that the user is about to install remote access software.
An example of the “Download Seguro” themed infrastructure is shown in Figure 3.
Figure 3. Download Seguro themed portal used to distribute the payload
One of the more interesting implementation details is how simple the final download mechanism actually is. Rather than generating dynamic download links or relying on complex token-based delivery, the payload is retrieved through a direct query parameter:
?download=1
The download button simply references:
<a class="btn btn-primary" href="?download=1">
This implementation suggests that the operators invested far more effort in social engineering than in payload protection. Once a victim trusts the portal and clicks the download button, the infrastructure delivers the installer without requiring sophisticated download-generation logic (Figure 4).
Figure 4. Direct payload download
The social engineering succeeds because the workflow feels routine. Users are not asked to enter credentials or disable security controls. Instead, they are simply encouraged to retrieve what appears to be a protected business document. The next stage of the attack reveals the true objective of the operation.
The Download Is Not a Document
Up to this point, the attack remains entirely focused on social engineering. The victim has interacted with phishing emails, redirection infrastructure, and fake document-delivery workflows, but has not yet installed any software. The next stage transitions from phishing-based initial access to remote access through an RMM platform.
The most important aspect of the campaign is the final payload. At this point, the victim believes they are downloading a protected business document. The document never arrives. Instead, the download contains a NinjaOne installer configured to connect to attacker-controlled infrastructure. Once installed, the agent provides remote access capabilities that allow the operators to interact with the compromised system using a trusted enterprise management platform.
This transition from document delivery to remote access software installation represents the core deception of the campaign. Throughout the phishing workflow, the operators invest significant effort in convincing the victim that they are interacting with a trusted business process. By the time the download occurs, many users have little reason to suspect malicious activity. An example of the downloaded file is shown in Figure 5.
Figure 5. NinjaOne installer disguised as a fiscal document
The observed filename was:
NinjaOne-Agent-DocumentoFiscal21782856920262001238-Sede-Auto-x86-64
The filename reinforces the fiscal-document narrative established throughout the attack chain. Unlike traditional phishing campaigns that deliver malware directly, this operation relies on operator-guided social engineering: the victim is called and instructed to install what appears to be required software, but the installer is actually a NinjaOne agent configured for attacker-controlled remote access.
Why NinjaOne?
The selection of NinjaOne appears deliberate. NinjaOne is a legitimate enterprise-grade Remote Monitoring and Management (RMM) platform used by Managed Service Providers (MSPs), IT departments, and enterprise administrators. According to the NinjaOne RMM platform documentation, the platform provides centralized endpoint management capabilities including device monitoring, software deployment, patch management, remote administration, file transfer, scripting, and troubleshooting. The company also maintains Portuguese-language resources, making the platform potentially more familiar to Portuguese-speaking IT teams than unknown remote-access tools.
The same features that make NinjaOne valuable for IT administrators also make it attractive to threat actors, as shown in Table 1.
Table 1: Legitimate administrative capabilities versus potential attacker abuse of NinjaOne.
Once a victim installs an attacker-controlled NinjaOne agent, the operator can leverage these legitimate administrative capabilities to establish persistent remote access, conduct reconnaissance, execute commands, transfer files, deploy additional tooling, and potentially facilitate lateral movement within the environment. Because the software is legitimate, digitally signed, and commonly encountered in enterprise environments, it may generate less suspicion than traditional malware.
The use of legitimate RMM software aligns with a broader trend highlighted by the CISA, NSA, and MS-ISAC advisory on malicious use of Remote Monitoring and Management software, which warns that threat actors increasingly abuse commercial remote-management platforms to establish persistence and maintain remote access within victim environments.
Consistent Infrastructure Design
While analyzing the landing pages, we identified a consistent URI structure across the phishing infrastructure:
http://<domain>/document/<number>
The numeric suffix determines which landing page variant is delivered.
| URI Pattern | Function |
|---|---|
| /document/1 | Download Seguro workflow |
| /document/4 | Download Seguro workflow |
| /document/2 | Anti-analysis workflow |
| /document/3 | Anti-analysis workflow |
The consistent URI structure and behavioral differences suggest the operators maintain multiple landing page templates within the same delivery ecosystem.
The Download Seguro pages focus primarily on user trust and payload delivery, while the alternative pages incorporate additional filtering, anti-bot controls, and automated-analysis protections. This separation allows the operators to present different experiences depending on the victim and access conditions.
We also observed that the phishing infrastructure was positioned behind Cloudflare. This means the public-facing domain did not directly expose the server hosting the phishing pages, making it harder to identify and track the backend infrastructure. The responsible disclosure timeline is included below.
Not All Visitors Reach the Payload
As we continued investigating the infrastructure, an interesting pattern emerged. Not all visitors were presented with the same phishing experience. Some users encountered a relatively straightforward document-delivery portal focused primarily on social engineering. Others were directed to a far more restrictive environment designed to identify security researchers, automated scanners, and analysis systems before allowing access to the payload.
The campaign appears heavily focused on Brazilian targets. During testing, payload delivery was only made available when requests originated from Brazilian IP ranges. This behavior is illustrated in Figure 6.
Figure 6. Payload delivery restricted to visitors originating from Brazil
This geofencing likely serves multiple purposes:
- Limiting exposure to researchers
- Reducing automated scanning visibility
- Improving targeting efficiency
- Extending infrastructure lifespan
While the phishing pages themselves remain accessible from other locations, the final payload delivery stage is selectively restricted. This approach allows the operators to maintain broader visibility for potential victims while reducing opportunities for researchers and automated systems to retrieve the installer.
The more restrictive infrastructure also contains significantly more sophisticated anti-analysis protections, including browser fingerprinting, sandbox detection, and user-interaction validation mechanisms. These controls provide additional insight into the operational maturity of the campaign and are discussed in the following section.
The JavaScript Reveals the Operator’s Intent
The most revealing aspect of the infrastructure was not the phishing page itself, but the developer comments embedded within the JavaScript code. These comments provide unusual insight into the operator’s objectives and reveal deliberate efforts to identify real victims while excluding researchers, crawlers, and automated analysis platforms.
The attack chain begins with a self-contained JavaScript loader responsible for initializing anti-analysis variables and preparing the payload delivery workflow. An example of this initialization logic is shown in Figure 7.
Figure 7. JavaScript loader and anti-analysis initialization
The infrastructure then evaluates visitors using browser fingerprinting techniques designed to identify automation frameworks and analysis environments. During our analysis, we observed checks targeting Selenium, Puppeteer, Playwright, WebDriver artifacts, PhantomJS, Nightmare, and other indicators commonly associated with automated analysis platforms.
The infrastructure also calculates a visitor risk score using browser fingerprinting artifacts, automation indicators, browser capabilities, and environmental checks before permitting payload retrieval. This allows the operators to evaluate visitors before exposing the final payload. The browser fingerprinting and sandbox-detection logic is shown in Figure 8.
Figure 8. Browser fingerprinting and sandbox detection
The code also incorporates honeypot validation mechanisms designed to identify automated scanners and scripted interactions. One of the embedded Portuguese comments explicitly states:
“Bot preencheu o honeypot” which translates to: “The bot filled the honeypot.”
This comment provides direct evidence that the operators intentionally designed the infrastructure to distinguish between legitimate victims and automated analysis systems. The honeypot logic is shown in Figure 9.
Figure 9. Honeypot validation logic
The infrastructure goes beyond traditional bot detection by validating user presence through behavioral analysis. We observed tracking of mouse movement, scrolling activity, touch interactions, and other indicators intended to verify that a real user is interacting with the page. The human-presence validation logic is shown in Figure 10.
Figure 10. User-presence validation
Additional comments indicate that the operators specifically evaluated touch-enabled devices as part of the validation process. This suggests an effort to distinguish legitimate mobile users from automated analysis environments while minimizing false positives.
The phishing workflow itself is carefully structured to create the impression of a legitimate document-verification process. Victims are guided through multiple stages that simulate document processing, verification, and download preparation. An example of this workflow is shown in Figure 11.
Figure 11. Simulated document-validation workflow
Once validation is complete, the infrastructure retrieves the payload using a hidden iframe. This approach allows the download to occur without visibly redirecting the victim away from the phishing page. In Figure 12 we show the main execution path that blocks suspicious sessions before silently downloading the payload through a hidden iframe while keeping the victim on the same page.
Figure 12. Gated payload delivery
The infrastructure also contains artifact-cleanup logic designed to remove temporary elements after payload delivery. During analysis, we observed the hidden iframe being removed approximately 30 seconds after execution, reducing visible indicators and making simple inspection techniques more difficult.
Additional comments indicate attempts to prevent inspection through actions such as disabling right-click functionality on download elements. An example of this cleanup logic is shown in Figures 13 and 14.
Figure 13. Retry Delivery & Artifact Cleanup
Figure 14. Artifact cleanup and anti-inspection controls
Taken together, these mechanisms demonstrate a clear investment in operational security. The operators are not simply attempting to deliver a payload. They are actively working to identify real victims, frustrate automated analysis, and limit visibility into the campaign.
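To show how an analyst can turn the behaviours described above into a repeatable triage step, here is an added example (not code from this report, and not the campaign's own code) that statically scans captured landing-page JavaScript for the indicator families discussed: automation-framework checks, honeypot fields, user-presence tracking, hidden-iframe retrieval, delayed artifact cleanup and right-click suppression. The regular expressions, the category weights and both fixtures are assumptions constructed for the example; the fixture only echoes behaviours the report already describes.

```python
"""Static triage of captured landing-page JavaScript for anti-analysis behaviour.

Added example, not code from the original report or from the campaign. It scans
a JavaScript source string for the kinds of indicators the report describes.
The regexes are assumptions about how such checks are commonly written, and the
two fixtures below are constructed for the example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Category -> regexes matching common ways of expressing that behaviour (assumed).
INDICATORS: Dict[str, List[str]] = {
    "automation_check": [
        r"navigator\.webdriver",
        r"_phantom|callPhantom|__nightmare|_selenium|__webdriver",
        r"\$cdc_",                                               # ChromeDriver artifact
        r"(?i)puppeteer|playwright|selenium|phantomjs|nightmare",  # named in code or comments
    ],
    "honeypot": [r"(?i)honeypot", r"(?i)preencheu"],
    "user_presence": [r"mousemove|pointermove|touchstart|touchmove|\bscroll\b"],
    "hidden_iframe": [r"createElement\(\s*['\"]iframe['\"]\s*\)", r"display\s*[:=]\s*['\"]?none"],
    "delayed_cleanup": [r"setTimeout\([\s\S]{0,200}?,\s*\d{4,7}\s*\)", r"removeChild|\.remove\(\s*\)"],
    "anti_inspection": [r"contextmenu"],
}

# Assumed weights; automation checks and hidden-iframe delivery carry the most signal.
WEIGHTS = {"automation_check": 30, "hidden_iframe": 25, "honeypot": 20,
           "user_presence": 10, "delayed_cleanup": 10, "anti_inspection": 5}


def scan_js(source: str) -> Dict[str, List[str]]:
    """Return {category: [distinct matched snippets]} for every indicator present."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for category, patterns in INDICATORS.items():
        for pattern in patterns:
            for match in re.finditer(pattern, source):
                snippet = match.group(0)
                if snippet not in hits[category]:
                    hits[category].append(snippet)
    return dict(hits)


def cleanup_delay_ms(source: str) -> Optional[int]:
    """Largest setTimeout delay (ms) found; the report observed roughly 30 s before iframe removal."""
    delays = [int(d) for d in re.findall(r"setTimeout\([\s\S]{0,200}?,\s*(\d{3,7})\s*\)", source)]
    return max(delays) if delays else None


def triage(source: str) -> Tuple[int, List[str]]:
    """Score 0-100 from the categories present, plus the sorted category names."""
    hits = scan_js(source)
    return sum(WEIGHTS[c] for c in hits), sorted(hits)


# Constructed fixture written in the style the report describes (Portuguese comments,
# automation checks, a honeypot field, presence tracking, hidden iframe, timed cleanup).
SAMPLE_LOADER = r"""
// Inicializa variaveis anti-analise
var risco = 0, humano = false;
if (navigator.webdriver || window._phantom || window.callPhantom || window.__nightmare) risco += 50;
if (document.$cdc_asdjflasutopfhvcZLmcfl_) risco += 30; // Selenium / ChromeDriver
document.addEventListener('mousemove', function () { humano = true; });
document.addEventListener('touchstart', function () { humano = true; });
if (document.getElementById('confirm_email').value !== '') { console.log('Bot preencheu o honeypot'); }
var frame = document.createElement('iframe');
frame.style.display = 'none';
frame.src = '?download=1';
document.body.appendChild(frame);
setTimeout(function () { frame.remove(); }, 30000);
document.getElementById('btnDownload').oncontextmenu = function () { return false; };
"""

# Constructed benign counterpart: a plain download link handler.
BENIGN_DOWNLOAD = r"""
document.getElementById('btnDownload').addEventListener('click', function () {
  window.location = '/files/relatorio.pdf';
});
"""

if __name__ == "__main__":
    for name, src in (("sample_loader", SAMPLE_LOADER), ("benign", BENIGN_DOWNLOAD)):
        score, cats = triage(src)
        print(f"{name}: score={score} categories={cats} cleanup_delay_ms={cleanup_delay_ms(src)}")
```

Run it over JavaScript saved from a sandboxed fetch of a suspect page. The score is a triage hint rather than a verdict: a legitimate single-page application may listen for mousemove or scroll on its own, so the spread of categories (automation checks plus a hidden iframe plus timed cleanup in one file) matters more than any single hit.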
The Clue Hidden in Plain Sight
Most infrastructure investigations begin with traditional indicators such as domains, IP addresses, TLS certificates, WHOIS records, or malware samples.
In this case, the breakthrough that allowed us to expand visibility into the campaign came from a far simpler artifact: a wallpaper image.
While investigating the infrastructure, we noticed that multiple attacker-controlled domains displayed the same Earth-themed wallpaper when accessed without the document-delivery URI. Rather than presenting a blank page or server error, the domains displayed an image focused on the Americas. The shared wallpaper is shown in Figure 15.
Figure 15. Shared wallpaper image discovered across multiple attacker-controlled domains
At first glance, the image appeared completely benign. However, attackers frequently reuse deployment templates, frontend assets, images, and placeholder content across infrastructure. These seemingly insignificant artifacts can become valuable pivots for threat hunting.
By pivoting on the wallpaper filename, we identified additional domains associated with the campaign.
This investigation serves as a reminder that infrastructure hunting is not always driven by malware analysis or complex graph analytics. Sometimes the most valuable pivot is an operational shortcut the attacker forgot to remove. The resulting infrastructure expansion is shown in Figure 16.
Figure 16. Additional infrastructure identified through wallpaper-based hunting techniques
This finding highlights an important lesson for defenders. Infrastructure hunting is not always driven by malware analysis or advanced clustering techniques. Small operational artifacts, including images, CSS files, JavaScript components, and placeholder content, can expose relationships between otherwise disconnected infrastructure. Despite the campaign’s investment in anti-analysis protections, a simple reused image ultimately provided visibility into a broader portion of the attack ecosystem.
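The wallpaper pivot described above generalizes to any static asset a domain serves on its bare root URL. The following added example (not code from this report) models that hunting step: it indexes a constructed inventory of domains by the filename and by the content hash of each served asset, then expands from a seed domain. The domains, filenames and placeholder byte strings are all invented for the example; in practice the inventory would be filled from HTTP responses already captured during the investigation. Hashing the bytes rather than matching the filename is an addition beyond what the report states, shown here because it catches renamed copies and rejects same-named but different images.

```python
"""Clustering phishing domains by shared static assets (the wallpaper pivot).

Added example, not code from the original report. The inventory is constructed:
.example domains and placeholder bytes standing in for real image content.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Set, Tuple

# Placeholder byte strings standing in for the images' real content.
EARTH_WALLPAPER = b"placeholder-bytes:earth-wallpaper-americas"
OTHER_WALLPAPER = b"placeholder-bytes:unrelated-stock-photo"
SHARED_LOGO = b"placeholder-bytes:template-logo"

# domain -> {filename served on the root page: raw bytes}; every entry is constructed.
INVENTORY: Dict[str, Dict[str, bytes]] = {
    "seed-lure.example":      {"earth.jpg": EARTH_WALLPAPER},
    "second-lure.example":    {"earth.jpg": EARTH_WALLPAPER},
    "third-lure.example":     {"bg.jpg": EARTH_WALLPAPER, "logo.png": SHARED_LOGO},  # renamed copy
    "fourth-lure.example":    {"logo.png": SHARED_LOGO},
    "unrelated-site.example": {"earth.jpg": OTHER_WALLPAPER},  # same filename, different image
    "blank-host.example":     {},
}


def asset_hash(data: bytes) -> str:
    """SHA-256 of the served bytes; identical content links domains regardless of filename."""
    return hashlib.sha256(data).hexdigest()


def index_assets(inventory: Dict[str, Dict[str, bytes]]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Build two reverse indexes: filename -> domains and content hash -> domains."""
    by_name: Dict[str, Set[str]] = defaultdict(set)
    by_hash: Dict[str, Set[str]] = defaultdict(set)
    for domain, assets in inventory.items():
        for filename, data in assets.items():
            by_name[filename].add(domain)
            by_hash[asset_hash(data)].add(domain)
    return by_name, by_hash


def pivot_by_filename(seed: str, inventory: Dict[str, Dict[str, bytes]]) -> Set[str]:
    """Domains (other than the seed) serving an asset with the same filename as any seed asset."""
    by_name, _ = index_assets(inventory)
    linked: Set[str] = set()
    for filename in inventory.get(seed, {}):
        linked |= by_name[filename]
    return linked - {seed}


def pivot_by_hash(seed: str, inventory: Dict[str, Dict[str, bytes]]) -> Set[str]:
    """Domains (other than the seed) serving a byte-identical copy of any seed asset."""
    _, by_hash = index_assets(inventory)
    linked: Set[str] = set()
    for data in inventory.get(seed, {}).values():
        linked |= by_hash[asset_hash(data)]
    return linked - {seed}


def expand(seed: str, inventory: Dict[str, Dict[str, bytes]]) -> Set[str]:
    """Transitive closure over byte-identical shared assets, starting from one seed domain."""
    known, frontier = {seed}, [seed]
    while frontier:
        domain = frontier.pop()
        for linked in pivot_by_hash(domain, inventory):
            if linked not in known:
                known.add(linked)
                frontier.append(linked)
    return known


if __name__ == "__main__":
    seed = "seed-lure.example"
    print("filename pivot:", sorted(pivot_by_filename(seed, INVENTORY)))
    print("hash pivot:    ", sorted(pivot_by_hash(seed, INVENTORY)))
    print("expanded set:  ", sorted(expand(seed, INVENTORY)))
```

In the constructed inventory the filename pivot pulls in an unrelated site that happens to use the same name, while the hash pivot links the renamed copy and, through the shared logo, a fourth domain two hops away. Treat the result as a candidate cluster to confirm with other overlaps (certificates, registration data, landing-page templates), since a stock image reused by many unrelated sites would cluster them just as readily.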
Possible Links to Previously Observed Brazilian Threat Activity
During the investigation, we identified several overlaps between the infrastructure used in this campaign and infrastructure previously associated with Venon RAT activity targeting Brazilian users.
Our analysis uncovered visual assets and infrastructure characteristics that appear across both operations. We also identified command-and-control infrastructure overlaps that suggest a potential operational relationship.
Venon RAT was previously documented by Zenox Research as a Brazilian threat operation leveraging Rust-based malware.
While the observed overlaps do not provide sufficient evidence for definitive attribution, they suggest a potential operational relationship between the current campaign and infrastructure previously associated with Venon RAT activity.
The findings may indicate shared infrastructure resources, infrastructure reuse, or participation within the same broader Brazilian cybercrime ecosystem. Further activity would be required to establish a stronger attribution assessment.
Responsible Disclosure Timeline
After identifying the malicious infrastructure, we reported the activity to Cloudflare because parts of the phishing infrastructure were positioned behind Cloudflare services.
- May 24, 2026: We identified the phishing infrastructure and confirmed the NinjaOne delivery flow.
- June 03, 2026: We reported the malicious infrastructure to Cloudflare for review.
- June 03, 2026: Cloudflare responded: “We could not detect any abusive or malicious content.” / “Your abuse report has been forwarded to the website owner.” / “The URLs included in your report are no longer accessible”
- June 04, 2026: At the time of writing, portions of the infrastructure remained accessible.
Cato Protections
Cato customers are protected against this activity through multiple security layers.
During the investigation, the identified infrastructure was incorporated into Cato threat intelligence feeds and blocked through IPS protections and newly registered domain detections. In addition, Cato MDR provides 24/7 threat monitoring, investigation, and response for suspicious activity involving remote-access tools and attacker-controlled infrastructure.
These controls help prevent communication with known malicious infrastructure while reducing exposure to newly established domains commonly used during phishing operations. An example of campaign-related detections is shown in Figure 17.
Figure 17. Example detections generated by Cato protections against the campaign
Organizations should monitor for unauthorized installation of remote management software and validate unexpected requests involving fiscal documents, supplier communications, complaint notifications, and secure-document delivery workflows.
Particular attention should be given to situations where users are instructed to install software in order to access documents or complete business processes. While the software itself may be legitimate, the installation may provide attackers with persistent remote access to the environment.
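As an added example of the monitoring recommended above (not code from this report or from Cato's products), the following rule set runs over constructed process-creation events and raises an alert when an RMM agent installer carries the fiscal-document lure theme, was launched from a user's Downloads folder, or was spawned by a browser, while skipping installs from an assumed approved IT deployment path. The event field names, the deployment path, the browser list and the events themselves are assumptions; the first filename follows the one the report observed, with an assumed .msi extension.

```python
"""Flagging document-themed RMM installers launched from user download paths.

Added example, not code from the original report. Events are constructed JSON
lines; field names, the approved deployment path and severities are assumptions.
"""
import json
import re
from typing import Dict, List, Optional

RMM_MARKERS = ("ninjaone-agent",)                    # installer prefix seen in the report; extend per vendor
LURE_TOKENS = ("documento", "fiscal", "seguro", "reclame", "nota")  # portal vocabulary from the report
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
APPROVED_DEPLOY_PREFIX = "c:\\programdata\\itdeploy\\"           # assumed IT rollout location
USER_DOWNLOADS = re.compile(r"\\users\\[^\\]+\\downloads\\", re.I)

# Constructed events: lure-named installer from Downloads via a browser, a sanctioned IT
# rollout, a harmless PDF, and a generically named agent a user ran from Downloads.
SAMPLE_EVENTS = r"""
{"host":"ws-fin-07","user":"CORP\\maria.silva","image":"C:\\Users\\maria.silva\\Downloads\\NinjaOne-Agent-DocumentoFiscal21782856920262001238-Sede-Auto-x86-64.msi","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"host":"ws-it-01","user":"CORP\\svc-deploy","image":"C:\\ProgramData\\ITDeploy\\NinjaOne-Agent-HQ-Auto-x86-64.msi","parent_image":"C:\\Windows\\System32\\svchost.exe"}
{"host":"ws-fin-07","user":"CORP\\maria.silva","image":"C:\\Users\\maria.silva\\Downloads\\relatorio.pdf","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"host":"ws-adm-03","user":"CORP\\joao.souza","image":"C:\\Users\\joao.souza\\Downloads\\NinjaOne-Agent-Main-Auto-x86-64.msi","parent_image":"C:\\Windows\\explorer.exe"}
"""


def basename(path: str) -> str:
    """Last component of a Windows path (works for a bare filename too)."""
    return path.rsplit("\\", 1)[-1]


def assess(event: Dict[str, str]) -> Optional[Dict]:
    """Return an alert dict for an unsanctioned RMM installer launch, else None."""
    image = event["image"]
    name = basename(image).lower()
    if not any(marker in name for marker in RMM_MARKERS):
        return None                                   # not an RMM installer
    if image.lower().startswith(APPROVED_DEPLOY_PREFIX):
        return None                                   # sanctioned rollout path
    reasons, score = [], 0
    if USER_DOWNLOADS.search(image):
        reasons.append("launched from user Downloads folder")
        score += 2
    if any(token in name for token in LURE_TOKENS):
        reasons.append("lure-themed filename")
        score += 2
    if basename(event.get("parent_image", "")).lower() in BROWSERS:
        reasons.append("spawned by a browser")
        score += 1
    severity = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"host": event["host"], "user": event["user"], "file": basename(image),
            "severity": severity, "reasons": reasons}


def detect(jsonl: str) -> List[Dict]:
    """Parse JSON-lines process events and collect alerts in input order."""
    alerts = []
    for line in jsonl.strip().splitlines():
        if line.strip():
            alert = assess(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']} {alert['user']} {alert['file']}: {', '.join(alert['reasons'])}")
```

The generically named agent run from Downloads still produces a medium alert: an RMM install outside the sanctioned rollout path is worth a ticket even without the lure vocabulary, because the agent itself is legitimate and signed and the only thing distinguishing abuse from administration is who installed it and from where.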
In a previous blog post, we also walked through an example of detecting RMM-related attacks, showing how Cato detects the resulting RMM network signal and generates an alert.
Conclusion
This campaign shows how attackers can establish remote access without relying on traditional malware. By combining phishing-based initial access with familiar Brazilian business workflows and a NinjaOne RMM agent, the operators created a workflow that could appear routine to procurement, finance, and administrative users.
The use of geofencing, anti-bot logic, sandbox checks, and hidden download mechanisms shows a clear effort to protect the campaign from researchers and automated analysis. Despite these controls, a seemingly harmless wallpaper image provided a valuable pivot that exposed additional infrastructure associated with the campaign.
The key takeaway is clear: attackers no longer need custom malware to gain a foothold. By abusing familiar business workflows and legitimate enterprise software, they can turn routine user actions into remote access opportunities.
Indicators of Compromise
Domains
r64[.]org
hairdb[.]com
lazybearpottery[.]net
rectalmania[.]com
sefaz[.]services
reclameaqui[.]services