Kickidler Employee Monitoring Software Abused in Ransomware Attacks
Summary:
Ransomware affiliates, including those linked to Qilin and Hunters International, have been observed using the legitimate employee monitoring software Kickidler as a stealthy reconnaissance tool after breaching enterprise networks. Kickidler, used by more than 5,000 organizations across 60 countries, offers real-time visual monitoring, keystroke logging, screen recording, and data loss prevention features that attackers are now abusing to silently watch victims, harvest credentials, and locate sensitive assets such as off-site cloud backups. The trend was documented by security firms Varonis and Synacktiv, who found that attackers install Kickidler to persist within compromised environments while avoiding activity that commonly triggers detection, such as memory scraping or credential dumping.
The initial infection chain in these attacks begins with malicious ads targeting users searching for "RVTools," a free utility for managing VMware vSphere environments. Victims who clicked the ads were redirected to a typosquatted domain hosting a trojanized version of RVTools. The malicious build functions as a loader that downloads and executes a PowerShell-based .NET backdoor called SMOKEDHAM. Once running, SMOKEDHAM is used to deploy Kickidler, giving the attackers persistent visual access to the system, including the ability to capture administrator credentials and browsing activity in real time.

Varonis researchers believe this method allowed attackers to remain inside victim networks for extended periods, sometimes days or weeks, gathering enough intelligence and credentials to breach cloud-based backup systems. The approach is particularly effective against backup environments that have been decoupled from Windows domain authentication, a defensive measure many organizations have adopted specifically to blunt ransomware. Because Kickidler logs keystrokes and records web activity, an adversary watching an administrator log in to the backup console obtains those separate credentials directly, sidestepping the separation without triggering the high-severity alerts that credential dumping would.
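The chain above starts with a trojanized installer fetched from a look-alike domain. The following PowerShell check is an added example, not code from the bulletin or from Varonis, of the provenance check an administrator can run on any downloaded installer before executing it: it verifies the Authenticode signature, compares the signer against an expected publisher, and compares the SHA-256 hash against a vendor-published value. The publisher string and hash below are placeholders, not the real RVTools signer or hash; take both from the vendor's official download page.

```powershell
# Added example (not from the original bulletin): verify a downloaded installer before running it.
# $ExpectedPublisher and $KnownGoodSha256 are assumptions/placeholders to be replaced with
# the values published by the legitimate vendor.
param(
    [Parameter(Mandatory)][string]$Path,
    [string]$ExpectedPublisher = 'CN=Placeholder Software Vendor',   # placeholder, not the real RVTools signer
    [string]$KnownGoodSha256   = ''                                   # paste the vendor-published SHA-256 here
)

if (-not (Test-Path -Path $Path -PathType Leaf)) {
    throw "File not found: $Path"
}

$sig  = Get-AuthenticodeSignature -FilePath $Path
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # returned as upper-case hex

$problems = @()

# 1. The file must carry a signature that chains to a trusted root and has not been tampered with.
if ($sig.Status -ne 'Valid') {
    $problems += "Signature status is '$($sig.Status)' (expected 'Valid')"
}
# 2. A valid signature from the wrong publisher is still a red flag (anyone can buy a code-signing cert).
elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
    $problems += "Signed by '$($sig.SignerCertificate.Subject)', not the expected publisher"
}
# 3. When the vendor publishes a hash, pin to it; this catches a re-signed or repackaged build.
if ($KnownGoodSha256 -and ($hash -ne $KnownGoodSha256.ToUpperInvariant())) {
    $problems += "SHA-256 $hash does not match the published hash"
}

if ($problems.Count -gt 0) {
    Write-Warning "Do NOT run $Path"
    $problems | ForEach-Object { Write-Warning "  - $_" }
    exit 1
}

Write-Output "OK: $Path is signed by '$($sig.SignerCertificate.Subject)' and hash $hash matches expectations"
```

Run it as `.\Check-Installer.ps1 -Path .\RVTools.msi -KnownGoodSha256 <hash>` after downloading. The check is only as good as where the expected values come from: read the publisher name and hash from the vendor's own site reached by a typed URL or bookmark, never from the page an ad landed on, since the typosquatted site controls everything it displays.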
Security Officer Comments:
Once sufficient intelligence has been gathered, the threat actors move to the final stage and deploy ransomware payloads, specifically targeting VMware ESXi infrastructure. According to Synacktiv, the Hunters International group used VMware PowerCLI scripts together with WinSCP automation to enable the SSH service on ESXi hosts, upload the ransomware payload, and execute it. The ransomware encrypted VMDK files, causing major operational disruption across the affected environments.
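Because the ESXi stage depends on SSH being switched on, the state of that service is a cheap, high-signal thing to audit. The PowerCLI script below is an added example, not code from the Synacktiv report, that connects to a vCenter (the `$VCenter` value is a placeholder) and lists every host where SSH (`TSM-SSH`) or the ESXi Shell (`TSM`) is running or set to start automatically; with `-Remediate` it stops those services and sets their policy to Off.

```powershell
# Added example (not from the Synacktiv or Varonis reports): audit SSH and ESXi Shell
# across all hosts managed by a vCenter using VMware PowerCLI. $VCenter is a placeholder;
# the account used needs at least read access (and Host.Config.* privileges to remediate).
param(
    [Parameter(Mandatory)][string]$VCenter,
    [switch]$Remediate
)

Import-Module VMware.PowerCLI -ErrorAction Stop
$null = Connect-VIServer -Server $VCenter

# Service keys: TSM-SSH is the SSH daemon, TSM is the ESXi Shell.
$watched = @('TSM-SSH', 'TSM')

$findings = foreach ($esx in Get-VMHost) {
    foreach ($svc in (Get-VMHostService -VMHost $esx | Where-Object { $_.Key -in $watched })) {
        # Policy: 'on' = start with host, 'automatic' = start if firewall allows, 'off' = manual only.
        [pscustomobject]@{
            Host    = $esx.Name
            Service = $svc.Key
            Running = $svc.Running
            Policy  = $svc.Policy
        }
        if ($Remediate -and ($svc.Running -or $svc.Policy -ne 'off')) {
            # Attackers enable SSH to push and run the encryptor; a host that legitimately
            # needs SSH for maintenance should have it turned on for the window and then off again.
            Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
            Set-VMHostService  -HostService $svc -Policy Off     | Out-Null
        }
    }
}

# Anything in this list is exposed (or will be after the next reboot).
$findings | Where-Object { $_.Running -or $_.Policy -ne 'off' } | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Scheduling this to run hourly and alerting on a non-empty result gives a simple detection for the "enable SSH, upload, execute" sequence described above, independent of whether the attacker's PowerCLI session came from a host you monitor. Pair it with vCenter event logging, since the enable action itself is recorded there as a host configuration change.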
Suggested Corrections:
Network defenders are advised to audit installed remote access and monitoring tools, including employee monitoring agents such as Kickidler, and to maintain an explicit list of authorized RMM software. Application controls should then be used to block execution of any remote access or RMM software not on that list, and remote access should be limited to approved remote desktop tools and sanctioned solutions such as VPN or VDI. Finally, security teams should block inbound and outbound connections on the standard ports and protocols used by RMM tools wherever those tools are not in use, so that an unauthorized agent installed by an intruder cannot reach its controller.
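The audit step above is easy to automate. The following PowerShell script is an added example, not part of the bulletin or either vendor report, that inventories installed programs (from the Uninstall registry keys) and Windows services on a host, flags anything whose name, publisher or binary path matches a watchlist of remote access and monitoring tools, and marks each hit as approved or not against an allowlist. Both lists are illustrative placeholders; the allowlist in particular must be replaced with the tools your organization has actually sanctioned.

```powershell
# Added example (not from the original bulletin): find remote-access/monitoring tools on a
# Windows host and compare them against an allowlist. The watchlist and allowlist below are
# placeholders, not an authoritative list of what Kickidler or any other tool installs.
$Allowed   = @('ApprovedRemoteTool')   # placeholder for the org's sanctioned tools
$Watchlist = @('Kickidler', 'AnyDesk', 'TeamViewer', 'ScreenConnect', 'Atera',
               'Splashtop', 'RustDesk', 'NinjaOne', 'Syncro')

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs hide here
)

# Installed programs as Add/Remove Programs sees them, per-machine and per-user.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Installed'; Name = $_.DisplayName; Detail = "$($_.Publisher) $($_.InstallLocation)" }
    }

# Services, with their binary path; monitoring agents normally run as a service so they survive logoff.
$services = Get-CimInstance -ClassName Win32_Service |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.DisplayName; Detail = "$($_.Name) $($_.PathName) [$($_.State)]" }
    }

function Test-NameMatch {
    param([string]$Text, [string[]]$Names)
    # Case-insensitive substring match; Escape() keeps dots and brackets in names literal.
    foreach ($n in $Names) {
        if ($n -and ($Text -match [regex]::Escape($n))) { return $true }
    }
    return $false
}

$findings = @($installed) + @($services) | ForEach-Object {
    $text = "$($_.Name) $($_.Detail)"
    if (Test-NameMatch -Text $text -Names $Watchlist) {
        $_ | Add-Member -NotePropertyName Approved `
                        -NotePropertyValue (Test-NameMatch -Text $text -Names $Allowed) -PassThru
    }
}

# Unapproved entries first; these are the ones to investigate or remove.
$findings | Sort-Object Approved, Source | Format-Table Approved, Source, Name, Detail -AutoSize

# Non-zero exit lets a scheduled task or EDR script job raise an alert on unapproved hits.
if (@($findings | Where-Object { -not $_.Approved }).Count -gt 0) { exit 1 } else { exit 0 }
```

Name matching is a heuristic: an attacker can rename a service or install to an unusual path, so treat this as the baseline audit the bulletin calls for rather than a substitute for the application control and egress filtering it also recommends. Running it from a scheduled task across the fleet and collecting the output centrally turns the one-off audit into a recurring drift check.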
Link(s):
https://www.bleepingcomputer.com/ne...toring-software-abused-in-ransomware-attacks/