IOC Radar
TLP:WHITE · 5 IOCs

Hackers Use Fake Fiscal Documents to Deliver NinjaOne RMM Agent for Remote Access

Cyber Press
Published June 12, 2026 · Original Report

Threat Actors

Diamond Model

Axes: Social, Technology
Adversary (1): APT41
Infrastructure (5): sefaz.services, lazybearpottery.net, rectalmania.com
Capability: unknown
Victim: unknown

Attack Flow · 7 steps · MITRE ATT&CK mapped

Step 1/7: Initial Access (TA0001) · Phishing (T1566)
Action: Send phishing emails
Attackers send phishing emails with links to realistic, Portuguese-language web portals impersonating Brazilian services.

5W+H Threat Analysis

Analysis unavailable

Indicators of Compromise

Type   | Indicator           | Tags                          | Confidence | Score | First Seen
Domain | sefaz.services      | intel-blog, network, phishing | High       | 58    | Jun 12, 26
Domain | lazybearpottery.net | indicator, intel-blog, network | High       | 58    | Jun 12, 26
Domain | rectalmania.com     | intel-blog, network, phishing | High       | 58    | Jun 12, 26
Domain | hairdb.com          | indicator, intel-blog, network | High       | 58    | Jun 12, 26
Domain | r64.org             | indicator, intel-blog, network | High       | 58    | Jun 12, 26