In brief
- Workplace monitoring software tools are being targeted by ransomware hackers, according to cybersecurity firm Huntress.
- A new report found that threat actors chained employee monitoring software with remote management tools to gain persistence in companies’ systems.
- The widespread use of ‘bossware’ has expanded the potential attack surface for enterprises.
A popular workforce monitoring tool is being targeted by hackers and used as a foothold for ransomware attacks, according to a new report from cybersecurity firm Huntress.
In late January and early February 2026, Huntress’ Tactical Response team investigated two break-ins in which attackers combined Net Monitor for Employees Professional with SimpleHelp, a remote access tool used by IT departments.
According to the report, the hackers used the employee monitoring software to get into company systems and SimpleHelp to make sure they could stay there even if one access point was shut down. The activity eventually led to an attempted deployment of Crazy ransomware.
“These cases highlight a growing trend of threat actors leveraging legitimate, commercially available software to blend into enterprise environments,” Huntress researchers wrote.
“Net Monitor for Employees Professional, while marketed as a workforce monitoring tool, provides capabilities that rival traditional remote access trojans: reverse connections over common ports, process and service name masquerading, built-in shell execution, and the ability to silently deploy via standard Windows installation mechanisms. When paired with SimpleHelp as a secondary access channel … the result is a resilient, dual-tool foothold that is difficult to distinguish from legitimate administrative software.”
The company added that while the tools may be novel, the root cause remains exposed perimeters and weak identity hygiene, including compromised VPN accounts.
The rise of “bossware”
Use of so-called “bossware” varies globally but is widespread. Around a third of UK firms use employee monitoring software, according to a report last year, while in the U.S. the figure is estimated at roughly 60%.
The software is commonly deployed to track productivity, log activity and capture screenshots of workers’ screens. But its use is controversial, as are claims about whether it truly captures employee productivity or instead assesses based on arbitrary criteria such as mouse clicks or emails sent.
Nevertheless, their popularity makes such tools an attractive vector for attackers. Net Monitor for Employees Professional, developed by NetworkLookout, is marketed for employee productivity tracking but offers capabilities beyond passive screen monitoring, including reverse shell connections, remote desktop control, file management and the ability to customize service and process names during installation.
Those features, designed for legitimate administrative use, can allow threat actors to blend into enterprise environments without deploying traditional malware.
In the first case detailed by Huntress, investigators were alerted by suspicious account manipulation on a host, including efforts to disable the system Guest account and enable the built-in Administrator account. Multiple “net” commands were executed to enumerate users, reset passwords and create additional accounts.
Analysts traced the activity to a binary tied to Net Monitor for Employees, which had spawned a pseudo-terminal application allowing command execution. The tool pulled down a SimpleHelp binary from an external IP address, after which the attacker attempted to tamper with Windows Defender and deploy multiple versions of Crazy ransomware, part of the VoidCrypt family.
In the second intrusion, observed in early February, the attackers gained entry through a compromised vendor’s SSL VPN account and connected via Remote Desktop Protocol to a domain controller. From there, they installed the Net Monitor agent directly from the vendor’s website. The attackers customized service and process names to mimic legitimate Windows components, disguising the service as OneDrive-related and renaming the running process.
They then installed SimpleHelp as an additional persistent channel and configured keyword-based monitoring triggers targeting cryptocurrency wallets, exchanges and payment platforms, as well as other remote access tools. Huntress said the activity showed clear signs of financial motivation and deliberate defense evasion.
Network LookOut, the company behind Net Monitor for Employee, told Decrypt the agent can be installed only by a user who already has administrative privileges on the computer where the agent is to be installed. “Without administrative privileges, installation isn’t possible,” it said via email.
“So, if you don’t want our software installed on a computer, please ensure that administrative access is not granted to unauthorized users, since Administrative access allows installation of any software.”
It’s not the first time hackers have attempted to deploy ransomware or steal information via bossware. In April 2025, researchers revealed that WorkComposer, a workplace surveillance app used by more than 200,000 people, had left more than 21 million real-time screenshots exposed in an unsecured cloud storage bucket, potentially leaking sensitive business data, credentials and internal communications.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
