Crazy ransomware gang Net Monitor for Employees Professional and SimpleHelp persistence campaign
Campaign
Summary
Hide ▲
Show ▼
Crazy ransomware gang is running a remote-access persistence campaign that uses legitimate monitoring and support tools to keep footholds inside corporate networks, raising the risk of ransomware deployment. Researchers observed the operators pair Net Monitor for Employees Professional with SimpleHelp to blend in with normal administration while preserving access. The tradecraft includes compromised SSL VPN credentials, disguised filenames, and attempts to disable Windows Defender. In one case, the actors also monitored for cryptocurrency wallets and remote-management tools to support follow-on extortion.
Related Happenings
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware Activity
H score29
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
**Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware ActivityAbout this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Russian-speaking hacker AI-assisted FortiGate breach campaign
Campaign
H score52
First: 21.02.2026 15:50
Last: 21.02.2026 15:50
Sources 1
About this happening:
The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...
Russian-speaking hacker AI-assisted FortiGate breach campaign
CampaignAbout this happening: The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware Activity
H score31
First: 12.02.2026 16:25
Last: 12.02.2026 16:25
Sources 1
About this happening:
**Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through **ClickFix-style Terminal prompts** that silently **download, mount, and launch DMG payloads**. In...
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware ActivityAbout this happening: **Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through **ClickFix-style Terminal prompts** that silently **download, mount, and launch DMG payloads**. In...
BlueNoroff spear-phishing campaign uses typosquatted Zoom, Teams, and Calendly lures against crypto firms
Campaign
H score33
First: 11.02.2026 00:17
Last: 11.02.2026 00:17
Sources 1
About this happening:
**BlueNoroff**, a **North Korea-linked Lazarus Group** subgroup, ran a **large-scale spear-phishing campaign** against **100+ cryptocurrency organizations** in **20+ countries** b...
BlueNoroff spear-phishing campaign uses typosquatted Zoom, Teams, and Calendly lures against crypto firms
CampaignAbout this happening: **BlueNoroff**, a **North Korea-linked Lazarus Group** subgroup, ran a **large-scale spear-phishing campaign** against **100+ cryptocurrency organizations** in **20+ countries** b...
Timeline
-
11.02.2026 21:29 2 articles · 4mo ago
Crazy ransomware gang expands a remote-access persistence campaign
Campaign Scope UpdateHuntress observed multiple intrusions in which a member of the Crazy ransomware gang used Net Monitor for Employees Professional and SimpleHelp to maintain persistence in corporate networks, blend in with normal administration, and prepare for ransomware deployment. In one intrusion, attackers installed Net Monitor for Employees Professional with msiexec.exe, then downloaded and executed SimpleHelp via PowerShell using filenames such as vhost.exe and C:\ProgramData\OneDriveSvc\OneDriveSvc.exe; they also tried to enable the local administrator account and disable Windows Defender. In one incident, SimpleHelp rules were configured to watch for cryptocurrency-wallet terms and remote-management keywords such as RDP, anydesk, ultraview, teamview, and VNC, and Huntress said compromised SSL VPN credentials enabled both breaches while reused vhost.exe and overlapping C2 infrastructure suggested the same operator was behind both cases.
Show sources
- Crazy ransomware gang abuses employee monitoring tool in attacks — www.bleepingcomputer.com — 11.02.2026 21:29
- Crazy ransomware gang abuses employee monitoring tool in attacks — www.bleepingcomputer.com — 11.02.2026 21:29