German-Language Voicemail Scam Installs Remote Access Tool, Researchers Warn

Security researchers have uncovered a coordinated malware distribution campaign that uses deceptively simple social engineering to gain remote access to victim systems. Rather than exploiting software vulnerabilities, this threat relies on convincing users to trust what appears to be an innocuous voicemail notification — ultimately installing a remote monitoring and management (RMM) agent that hands attackers persistent access to the compromised device.

A Convincing Lure Masquerades as Voicemail

The campaign was first observed by Censys on January 12, 2026, and involves at least 86 distinct web properties that host German-language, voicemail-themed landing pages. Each page mimics a routine “new voice message” notification, complete with minimal design elements intended to resemble a legitimate system or service alert. This familiarity reduces suspicion and increases the likelihood that a target will interact with the content.

When a user interacts with the landing page (for example, clicking to “listen” to the voicemail), the site delivers a Windows Batch (BAT) file disguised as an audio update. The file is typically named something like voicemail.bat and is presented to users as a necessary component for playing the purported message.

The Attack Chain: Step by Step

Here’s how the attack unfolds from initial contact to full system compromise:

1. Voicemail Landing Page

Victims are first directed to a compromised domain with a German voicemail theme. These pages use believable wording and simple design to imply urgency while appearing like a normal notification. They prompt the user to download or open a file.

2. BAT File Download and Execution

Accepting the download gives the user a voicemail.bat script. When run, the script displays generic “update” messages and prompts the user to approve any system security dialogs, conditioning them to see these actions as legitimate.

3. Decoy Audio Playback

Simultaneously, the script fetches and plays an audio file from cloud hosting (specifically an Amazon S3 bucket). A browser window opens to play this file — often minimized or hidden — reinforcing the illusion of a real voicemail message.

The audio itself is typically in English and not meaningful; its purpose is purely to convince the user that something authentic is happening.

4. Installation of Remotely RMM

While the decoy audio plays, the script quietly installs Remotely RMM — a legitimate remote monitoring and management framework. However, in this context, it is used by the attacker to take control of the victim’s system.

Once installed, the agent communicates with an attacker-controlled backend at hxxps://remotely[.]billbutterworth[.]com/api/devices. This enrollment gives the attacker persistent remote access and the ability to issue further instructions.

What Happens After the System is Enrolled

With the RMM agent in place, the attacker gains a foothold for ongoing access. The campaign’s observed indicators show that infected systems remain connected to the attacker’s control server, allowing the operator to perform actions such as lateral movement, data extraction, or deployment of additional payloads — though specific follow-on actions in this campaign remain unverified.

At a technical level, the RMM installation leaves behind standard artifacts, such as service entries and configuration files under C:\Program Files\Remotely\, and logs that record the installation process.

Indicators of Compromise (IOCs)

  • Voicemail landing domains: a set of domains that host the initial lure, often under subdomains of *.cadillac.ps.
  • Decoy audio URL: a cloud-hosted WAV file used to reinforce the voicemail narrative.
  • Malicious files and scripts: such as the voicemail.bat script and the Install-Remotely.ps1 installer script.
  • RMM payloads: ZIP archives containing the Remotely agent executable binaries.
  • Communication endpoints: notably the RMM API endpoint used for registration and control.
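As an added example from the defender's side (it is not part of the Censys report or of the campaign's own tooling), the Python below correlates proxy-log lines against the chain stages described above and escalates per client. The log format, the `mailbox.cadillac.ps` subdomain, the bucket name and the client addresses are constructed; the lure domain suffix, script names and enrollment endpoint are the indicators the report lists.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators as published in the report (the enrollment endpoint, refanged).
LURE_DOMAIN_SUFFIX = ".cadillac.ps"
RMM_HOST, RMM_PATH = "remotely.billbutterworth.com", "/api/devices"
SCRIPT_NAMES = ("voicemail.bat", "install-remotely.ps1")

# Chain stages (name, predicate on hostname and path); most specific first so a script fetched from a lure domain counts as the download.
STAGES = [
    ("rmm_enrollment", lambda h, p: h == RMM_HOST and p.startswith(RMM_PATH)),
    ("script_download", lambda h, p: p.rsplit("/", 1)[-1].lower() in SCRIPT_NAMES),
    ("decoy_audio", lambda h, p: h.endswith(".amazonaws.com") and p.lower().endswith(".wav")),
    ("lure_page", lambda h, p: h.endswith(LURE_DOMAIN_SUFFIX)),
]
# Constructed proxy-log format: timestamp client method url status
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def classify(line):
    """Return (client, stage) for one log line, or None if it matches no stage."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = urlparse(m.group(4))
    host = (u.hostname or "").lower()
    for name, pred in STAGES:
        if pred(host, u.path or ""):
            return m.group(2), name
    return None

def correlate(lines):
    """Collect the distinct stages seen per client, in first-seen order."""
    seen = defaultdict(list)
    for client, stage in filter(None, map(classify, lines)):
        if stage not in seen[client]:
            seen[client].append(stage)
    return dict(seen)

def verdict(stages):
    """Enrollment alone is critical; two or more earlier stages means the chain is under way."""
    if "rmm_enrollment" in stages:
        return "critical"
    return "high" if len(stages) >= 2 else ("low" if stages else "clean")

# Constructed sample traffic; hostnames other than the report's indicators are invented.
SAMPLE_LOG = """2026-01-12T09:01:02Z 10.0.0.5 GET https://mailbox.cadillac.ps/voicemail 200
2026-01-12T09:01:30Z 10.0.0.5 GET https://mailbox.cadillac.ps/dl/voicemail.bat 200
2026-01-12T09:02:01Z 10.0.0.5 GET https://example-bucket.s3.amazonaws.com/msg.wav 200
2026-01-12T09:02:40Z 10.0.0.5 POST https://remotely.billbutterworth.com/api/devices 200""".splitlines()
```

A host that reaches "critical" has completed enrollment and should be isolated and checked for the C:\Program Files\Remotely\ artifacts described above.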

A Simple Lure, a Deep Compromise

This campaign highlights a growing trend in threat actor tactics: using believable social engineering lures combined with legitimate tools to achieve remote access without exploiting zero-day vulnerabilities. By relying on user trust and routine interactions, attackers increase their odds of success while lowering the chance of immediate detection.

Defenders and users alike should be wary of unexpected prompts to download executables — even if they appear tied to familiar services like voicemail — and maintain strict controls around application installation and script execution.