Threat actors are abusing legitimate remote monitoring tools to hide inside corporate networks and launch ransomware attacks.
Net Monitor for Employees Professional is a commercial workforce monitoring tool by NetworkLookout that offers remote screen viewing, full remote control, file management, shell command execution, and stealth deployment.
While intended for productivity oversight, these rich administrative capabilities make it behave much like a remote access trojan (RAT) in the wrong hands.
SimpleHelp, another legitimate remote monitoring and management (RMM) platform, has also been widely abused by threat actors as a persistence and post-exploitation tool, especially when exposed or unpatched.
In late January and early February 2026, Huntress analysts observed two intrusions where attackers chained these tools together to gain and maintain access, then attempted to deploy Crazy ransomware, a variant of the VoidCrypt family.
Shared filenames, overlapping command-and-control (C2) infrastructure, and consistent techniques strongly point to a single operator or group behind both incidents.
Case #1: From monitoring to ransomware
In the first case, the intrusion was first detected via suspicious account manipulation on a host, with repeated net commands used to enumerate users, reset passwords, and attempt to enable the built-in Administrator account.
The activity was traced back to Net Monitor for Employees, which silently bundled a pseudo-terminal component (winpty-agent.exe) used for hands-on-keyboard command execution rather than passive monitoring.
SimpleHelp was then used to run further commands, including attempts to tamper with Windows Defender settings to weaken defenses.
Finally, the threat actor tried to deploy Crazy ransomware, dropping multiple copies of a binary named encrypt.exe under slightly different filenames, suggesting repeated failed execution attempts.
Case #2: From VPN access to a dual-tool foothold
In the second case, the attacker began by using a compromised vendor SSL VPN account to access the victim environment, then connected via Remote Desktop to a domain controller and launched an interactive PowerShell session.
Through this shell, the attacker downloaded a file named vhost.exe from 160.191.182[.]41, which turned out to be a SimpleHelp binary configured to connect to 192.144.34[.]42 as a C2 server.
They installed the Net Monitor for Employees agent using msiexec directly from the official website, configuring it for reverse connection over port 443 to attacker infrastructure, including the domain dronemaker[.]org and IP 104.145.210[.]13.
During installation, the attacker abused built-in options to disguise the agent as Microsoft OneDrive, registering the service as OneDriveSvc, naming the service process OneDriver.exe, and renaming the running binary to svchost.exe, a common Windows system process.
They then installed SimpleHelp as a service under C:\ProgramData\JWrapper-Remote Access, configuring multiple gateways (telesupportgroup[.]com, dronemaker[.]org, 192.144.34[.]42, 192.144.34[.]35, microuptime[.]com) for redundancy; dronemaker[.]org reappeared here, tying both tools to the same infrastructure.
Telemetry showed the same vhost.exe filename reused for the SimpleHelp agent and revealed keyword-based monitoring triggers focused on cryptocurrency wallets, exchanges, blockchain explorers, and payment platforms, as well as remote access tools like RDP, AnyDesk, TeamViewer, and VNC.
This configuration indicates the operator’s motivation extended beyond ransomware to direct cryptocurrency theft and real-time monitoring of active user sessions on compromised systems.
Implications
Across both cases, Net Monitor’s built-in shell execution (via winpty-agent.exe) was used for network reconnaissance, running commands like ping and ipconfig /all to map internal segments and understand the environment.
The attacker later reconfigured the Net Monitor agent to add an additional C2 server endpoint at 192.144.34[.]35:443, further improving resilience.
When combined with SimpleHelp’s lightweight agent and multi-gateway design, the result is a dual-tool foothold that looks almost identical to ordinary IT administration activity.
The shared use of dronemaker[.]org as both a Net Monitor C2 and a SimpleHelp gateway, the reuse of vhost.exe, and overlapping IP infrastructure all strengthen the assessment that a single threat actor or group is behind this campaign.
Their objectives appear twofold: deploy Crazy ransomware for extortion and capture cryptocurrency-related activity for direct financial gain.
To counter similar attacks, organizations should enforce multi-factor authentication on all remote access services and administrative accounts, harden and monitor VPN and RDP gateways, and strictly limit who can use remote admin tools.
Network segmentation should be used to prevent a single compromised host from exposing entire domains, and security teams should baseline and continuously monitor the use of legitimate RMM and employee monitoring software, flagging new installations, renamed services, or unexpected outbound connections.
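As an added example (not Huntress tooling or code from the article) of the baselining suggested above, the following Python triage pass walks constructed, Sysmon-style telemetry records and flags the masquerading and account-tampering behaviour described in both cases: svchost.exe running outside System32, an OneDrive-lookalike service, the SimpleHelp install path, child processes of winpty-agent.exe, net user account changes, and connections to the infrastructure named in the report. The record field names and the sample file locations are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Indicators quoted in the report above, with defanging brackets removed.
KNOWN_C2 = {"160.191.182.41", "192.144.34.42", "192.144.34.35", "104.145.210.13",
            "dronemaker.org", "telesupportgroup.com", "microuptime.com"}
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
# "net user <name> /add|/active:yes" or "net user <name> <newpassword>" (reset)
ACCOUNT_TAMPER = re.compile(
    r"^net(?:1)?(?:\.exe)?\s+user\s+\S+\s+(?:\S+\s+)?(?:/add|/active:yes)\b"
    r"|^net(?:1)?(?:\.exe)?\s+user\s+\S+\s+[^/\s]\S*\s*$", re.I)

# Constructed telemetry records (field names are assumptions, not a real schema).
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\ProgramData\NetMon\winpty-agent.exe", "cmd": "net user Administrator /active:yes"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmd": "svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\ProgramData\NetMon\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmd": "svchost.exe"},
    {"type": "service", "name": "OneDriveSvc", "image": r"C:\ProgramData\NetMon\OneDriver.exe"},
    {"type": "service", "name": "JWrapper-Remote Access",
     "image": r"C:\ProgramData\JWrapper-Remote Access\vhost.exe"},
    {"type": "network", "image": r"C:\ProgramData\NetMon\svchost.exe", "dst": "192.144.34.35", "port": 443},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst": "example.com", "port": 443},
]

def check_event(ev):
    """Return the names of the rules that fire for one telemetry record."""
    hits = []
    image = PureWindowsPath(ev.get("image", ""))
    if ev["type"] == "process":
        # Genuine svchost.exe lives in System32; PureWindowsPath compares case-insensitively.
        if image.name.lower() == "svchost.exe" and image.parent != SYSTEM32:
            hits.append("svchost_outside_system32")
        if ACCOUNT_TAMPER.search(ev.get("cmd", "")):
            hits.append("account_tamper")
        if PureWindowsPath(ev.get("parent", "")).name.lower() == "winpty-agent.exe":
            hits.append("netmon_shell_child")
    elif ev["type"] == "service":
        # Real OneDrive binaries sit under a Microsoft-named directory, not ProgramData\<anything>.
        if "onedrive" in ev["name"].lower() and "microsoft" not in str(image).lower():
            hits.append("onedrive_lookalike_service")
        if "jwrapper-remote access" in str(image).lower():
            hits.append("simplehelp_install")
    elif ev["type"] == "network" and ev["dst"].lower() in KNOWN_C2:
        hits.append("known_c2")
    return hits

def scan(events):
    """Index every record that triggers at least one rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := check_event(ev))]
```

In production the known-indicator set ages quickly; the structural rules (path, parent process, service naming) are the ones worth keeping after the listed infrastructure rotates.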