", support for gateway redundancy, and ability to operate over common ports. In the cases observed, threat actors used these two tools together, using Net Monitor for Employees as a primary remote access channel and SimpleHelp as a redundant persistence layer, ultimately leading t…"
T1219 Remote Access Tools
99%
"Employee monitoring and SimpleHelp software abused in | Huntress. Special thanks to Tanner Filip, Nick Roddy, Matt Anderson, and Craig Sweeney for their tireless efforts in triaging and iterating on detections for this activity. Background: Net Monitor for Employees Professional is…"
T1036.004 Masquerade Task or Service
99%
".210[.]13. To further evade detection, the attacker took advantage of the installer's built-in configuration parameters, which allow customization of service and process names during deployment, to disguise the agent as a legitimate system process. The Windows service was…"
T1486 Data Encrypted for Impact
95%
"connect to: 192.144.34[.]42. From this point, the threat actor proceeded to execute various commands through the SimpleHelp RMM, including attempts at defense evasion via Windows Defender tampering: Figure 5: Screenshot of attempted Defender tampering via Windows Registry …"
T1219 Remote Access Tools
89%
"executed ping commands to probe internal network segments, as well as ipconfig /all to enumerate the host's network configuration. winpty-agent.exe is not unique to Net Monitor for Employees Professional and is commonly found across other RMM tools, including SimpleHelp and…"
T1219 Remote Access Tools
85%
". Looking at the various process execution events on the host, we noted that the executable winpty-agent.exe was actually spawned from a binary called lsa.exe, which belonged to a tool called “Net Monitor for Employees.” While the name “Net Monitor” may imply passive moni…"
T1219 Remote Access Tools
80%
"…m tools, as well as legitimate employee monitoring software. If a tool has remote command execution capabilities (like Net Monitor for Employees), treat it with the same level of scrutiny as a high-privilege system administrator tool. - Restrict software installation: limi…"
T1566.004 Spearphishing Voice
76%
", support for gateway redundancy, and ability to operate over common ports. In the cases observed, threat actors used these two tools together, using Net Monitor for Employees as a primary remote access channel and SimpleHelp as a redundant persistence layer, ultimately leading t…"
T1219 Remote Access Tools
72%
"…n), exchanges (Binance, Bybit, KuCoin, Bitrue, Poloniex, BC.Game, NoOnes), blockchain explorers (Etherscan, BscScan), and the payment platform Payoneer. Alongside these, the agent also monitored for remote access tool keywords, including rdp, anydesk, ultraview, teamview,…"
T1219 Remote Access Tools
66%
"with the threat actor dropping multiple copies of the ransomware binary, suggesting previous execution attempts failed. - The attacker disguised the Net Monitor agent as Microsoft OneDrive, registering the service as onedrivesvc, naming the process onedriver.exe, and renaming th…"
T1133 External Remote Services
59%
"a compromised vendor SSL VPN account and a likely initial compromise that allowed the malicious installation of monitoring software, underscore the critical need for robust perimeter defenses and strong identity hygiene. Recommendations to significantly reduce the risk of similar…"
T1219 Remote Access Tools
56%
"connect to: 192.144.34[.]42. From this point, the threat actor proceeded to execute various commands through the SimpleHelp RMM, including attempts at defense evasion via Windows Defender tampering: Figure 5: Screenshot of attempted Defender tampering via Windows Registry …"
T1219 Remote Access Tools
51%
"Figure 1: Screenshot of command line process tree, showing net commands spawned from remote monitoring tool. Remote management software is often used to administer user accounts, but something about this particular instance felt off, so we continued to investigate the affected en…"
T1080 Taint Shared Content
44%
"connect to: 192.144.34[.]42. From this point, the threat actor proceeded to execute various commands through the SimpleHelp RMM, including attempts at defense evasion via Windows Defender tampering: Figure 5: Screenshot of attempted Defender tampering via Windows Registry …"
T1071.001 Web Protocols
39%
"monitoring triggers targeting cryptocurrency activity, the result is a resilient, dual-tool foothold that is difficult to distinguish from legitimate administrative software. The shared infrastructure between the two toolsets, with dronemaker[.]org serving as both a Net Moni…"
T1199 Trusted Relationship
39%
"for the victim network. One major piece missing from this investigation was the initial access portion: how did the “Net Monitor for Employees” software on this network come to be compromised in the first place? Unfortunately, telemetry to answer these questions was not availa…"
T1078 Valid Accounts
38%
"for the victim network. One major piece missing from this investigation was the initial access portion: how did the “Net Monitor for Employees” software on this network come to be compromised in the first place? Unfortunately, telemetry to answer these questions was not availa…"
T1078 Valid Accounts
37%
"a compromised vendor SSL VPN account and a likely initial compromise that allowed the malicious installation of monitoring software, underscore the critical need for robust perimeter defenses and strong identity hygiene. Recommendations to significantly reduce the risk of similar…"
T1486 Data Encrypted for Impact
34%
", support for gateway redundancy, and ability to operate over common ports. In the cases observed, threat actors used these two tools together, using Net Monitor for Employees as a primary remote access channel and SimpleHelp as a redundant persistence layer, ultimately leading t…"
T1505.004 IIS Components
33%
", support for gateway redundancy, and ability to operate over common ports. In the cases observed, threat actors used these two tools together, using Net Monitor for Employees as a primary remote access channel and SimpleHelp as a redundant persistence layer, ultimately leading t…"
Summary
Huntress uncovers ransomware operations abusing employee monitoring software and SimpleHelp RMM for persistence and ransomware deployment.