VoidCrypt Ransomware Variant Exploits Remote Monitoring Tools, Reports Huntress

Recent findings from cybersecurity firm Huntress reveal that employee monitoring software is not only advantageous for management but has also become a valuable tool for ransomware attackers. This insight follows investigations into incidents where hackers utilized Remote Monitoring and Management (RMM) tools to execute ransomware attacks.
According to a blog post published by Huntress, there were two notable incidents in early 2026 involving the exploitation of Net Monitor for Employees Professional and SimpleHelp. These tools were employed in attempts to deploy “Crazy” ransomware, a subset of the VoidCrypt family.
The research highlights specific methods employed by threat actors. They used Net Monitor for Employees as a primary access point and added SimpleHelp to establish a persistent foothold within compromised networks. This combination of monitoring capabilities and command execution functions represents a significant risk factor, as it blurs the line between legitimate software use and malicious intent.
At the end of January, Huntress identified an instance in which the Net Monitor software executed a terminal-like command that enabled the hackers to download SimpleHelp. They then used it to issue further commands, including an attempt to disable Windows Defender.
In a separate incident, hackers gained access through a compromised VPN account, illustrating a more explicit attack vector. After compromising the corporate network, they downloaded Net Monitor and configured it to connect to a command-and-control server, disguising their operations by registering the software under a common Windows service name. These steps correspond to the Initial Access and Persistence tactics of the MITRE ATT&CK framework.
Moreover, during their operations, the hackers used built-in configurations to create confusion on the infected systems, masking their activities while searching for terms related to cryptocurrencies, presumably to identify any ongoing connections to their operations. This approach also falls under the MITRE ATT&CK tactics of Credential Access and Discovery.
The instances reported by Huntress are not isolated. Cybersecurity firm Arctic Wolf observed similar utilization of RMM tools in 2025, marking a trend where RMM software serves as both an asset for legitimate remote management and a point of entry for cybercriminal operations. Experts caution organizations to tighten their cybersecurity protocols around RMM tools to mitigate these evolving threats.
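The second incident above relied on registering the tool under a common Windows service name. The following added example (not code from Huntress or from this article) flags services whose name or display name matches a built-in Windows service while the binary runs from outside System32; the allow-list, the dictionary field names and the sample inventory are assumptions constructed for illustration.

```python
import ntpath
import re

SYSTEM_DIR = r"c:\windows\system32"
# Assumed allow-list: built-in service names and display names whose binaries
# run from System32. Extend it from a known-good baseline of your own fleet.
KNOWN = {"spooler", "printspooler", "wuauserv", "windowsupdate", "bits",
         "backgroundintelligenttransferservice", "schedule", "taskscheduler"}

def normalize(label):
    """Fold case and drop spacing/punctuation so 'Windows  Update' still matches."""
    return re.sub(r"[^a-z0-9]", "", label.casefold())

def image_dir(image_path):
    """Directory of the service binary from an ImagePath value (quoted or not)."""
    m = re.match(r'\s*"([^"]+)"|\s*(.+?\.exe)\b', image_path, re.I)
    exe = (m.group(1) or m.group(2)) if m else image_path
    exe = re.sub(r"%(systemroot|windir)%", lambda _: r"c:\windows", exe, flags=re.I)
    return ntpath.normpath(ntpath.dirname(exe)).lower()

def find_masquerading(services):
    """Names of services that borrow a built-in label but run from elsewhere."""
    hits = []
    for svc in services:
        labels = {normalize(svc["name"]), normalize(svc["display"])}
        if labels & KNOWN and image_dir(svc["image"]) != SYSTEM_DIR:
            hits.append(svc["name"])
    return hits

# Constructed inventory (not from the Huntress report): name, display name, ImagePath.
SAMPLE = [
    {"name": "Spooler", "display": "Print Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"name": "wuauserv", "display": "Windows Update",
     "image": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p"},
    {"name": "WinUpdSvc", "display": "Windows  Update",
     "image": r'"C:\ProgramData\Updater\agent.exe" --service'},
    {"name": "BITS", "display": "Background Intelligent Transfer Service",
     "image": r"C:\Windows\System32\..\Temp\svchost.exe -k netsvcs"},
    {"name": "AcmeBackup", "display": "Acme Backup Agent",
     "image": r'"C:\Program Files\Acme\backup.exe"'},
]

if __name__ == "__main__":
    print(find_masquerading(SAMPLE))  # ['WinUpdSvc', 'BITS']
```

The check only inspects the service's own ImagePath, so services hosted in svchost.exe through a separate service DLL need that DLL path compared against a baseline as well.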