Find notable cyber news and cases, enriched with sources, timelines, and signals.

Crazy ransomware gang Net Monitor for Employees Professional and SimpleHelp persistence campaign

Campaign
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

Crazy ransomware gang is running a remote-access persistence campaign that uses legitimate monitoring and support tools to keep footholds inside corporate networks, raising the risk of ransomware deployment. Researchers observed the operators pair Net Monitor for Employees Professional with SimpleHelp to blend in with normal administration while preserving access. The tradecraft includes compromised SSL VPN credentials, disguised filenames, and attempts to disable Windows Defender. In one case, the actors also monitored for cryptocurrency wallets and remote-management tools to support follow-on extortion.

Related Happenings

Major U.S. services company hit by ransomware attack linked to DragonForce

Incident
H score38 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...

Backdoor.Turn Microsoft Teams TURN relay malware activity

Malware Activity
H score29 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...

Russian-speaking hacker AI-assisted FortiGate breach campaign

Campaign
H score52 First: 21.02.2026 15:50 Last: 21.02.2026 15:50 Sources 1

About this happening: The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...

Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse

Malware Activity
H score31 First: 12.02.2026 16:25 Last: 12.02.2026 16:25 Sources 1

About this happening: **Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through **ClickFix-style Terminal prompts** that silently **download, mount, and launch DMG payloads**. In...

BlueNoroff spear-phishing campaign uses typosquatted Zoom, Teams, and Calendly lures against crypto firms

Campaign
H score33 First: 11.02.2026 00:17 Last: 11.02.2026 00:17 Sources 1

About this happening: **BlueNoroff**, a **North Korea-linked Lazarus Group** subgroup, ran a **large-scale spear-phishing campaign** against **100+ cryptocurrency organizations** in **20+ countries** b...

Timeline

  1. 11.02.2026 21:29 2 articles · 4mo ago

    Crazy ransomware gang expands a remote-access persistence campaign

    Campaign Scope Update

    Huntress observed multiple intrusions in which a member of the Crazy ransomware gang used Net Monitor for Employees Professional and SimpleHelp to maintain persistence in corporate networks, blend in with normal administration, and prepare for ransomware deployment. In one intrusion, attackers installed Net Monitor for Employees Professional with msiexec.exe, then downloaded and executed SimpleHelp via PowerShell using filenames such as vhost.exe and C:\ProgramData\OneDriveSvc\OneDriveSvc.exe; they also tried to enable the local administrator account and disable Windows Defender. In one incident, SimpleHelp rules were configured to watch for cryptocurrency-wallet terms and remote-management keywords such as RDP, anydesk, ultraview, teamview, and VNC, and Huntress said compromised SSL VPN credentials enabled both breaches while reused vhost.exe and overlapping C2 infrastructure suggested the same operator was behind both cases.

    Show sources