Today’s article focuses on the recent case of Kickidler’s usage by ransomware affiliates for tracking victim user activity and harvesting credentials and the way its developers responded.
What Happened?
In May 2025, our fully legitimate employee monitoring software was abused by Qilin and Hunters International ransomware groups who launched targeted attacks using fake Google Ads and the SMOKEDHAM PowerShell .NET backdoor to deploy Kickidler on administrators’ computers.
Cyber attackers were installing licensed versions of our software, which are not blocked by antivirus, so that their activity looked legitimate at first glance.
According to the source report, after resuming malicious activity on the breached networks, the ransomware operators deployed payloads that targeted the VMware ESXi infrastructure, encrypting VMDK virtual hard disks and wreaking havoc.
Using the keystroke logging and screen recording features of the software, the attackers stole access credentials for VMware ESXi and cloud backup systems, which led to the encryption of the virtual machines.
Overall, attacks like these demonstrate advanced high-level planning behind modern ransomware campaigns.
What Steps Were Taken by Kickidler to Respond?
Kickidler’s response was immediate:
- We have decided to remove the free version of the software. This makes it harder to install the monitoring solution covertly and use it maliciously in stealth mode. All Kickidler users will be notified of the upcoming changes in advance, and discounts will be offered to clients who had been using this version of the monitoring solution.
- From now on, companies that wish to purchase Kickidler software will undergo strict verification, and only verified, approved legal entities will be granted access to Kickidler’s EM version.
What Do We Recommend?
Finally, it’s important for us to highlight our long history as legitimate monitoring software whose main objective is to help businesses grow. Of course, no employee monitoring tool is fully protected from malicious intent and potential misuse. While we are taking strong measures to minimize such risks in the future, here are a few tips to strengthen your data security and safeguard both your employees and your business as a whole:
- Employers should provide adequate employee training on the topics of social engineering, phishing, and other data security threats.
- Employers should consider creating a strong data protection strategy to ensure sensitive company data is protected.
- System administrators should make regular backups and keep them either on a separate network or offline.
- System administrators should audit all applications, databases, servers, and network devices to ensure they are properly configured.
- System administrators should enforce inbound and outbound blocking rules for remote monitoring and management protocols, and monitor user activity for unusual use of legitimate admin tools.
- Users should not download any suspicious apps and attachments received over the internet, visit unfamiliar websites or click on links provided by unknown or untrusted sources.
- Users should use a unique, strong password for every website they need for work, and enable multifactor authentication (MFA) wherever possible to protect their sensitive data.
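The recommendation above to monitor for unusual use of legitimate admin tools can be implemented as a simple rule over process-creation events. The script below is an added example written for this article; it is not Kickidler’s code and does not use any real product’s log format or binary names. It assumes a constructed log line format, placeholder installer names on a watchlist, an assumed approved deployment account (svc-deploy) and deployment tool (deploytool.exe), and flags a watched tool whenever it is launched by a different account, spawned from a scripting interpreter or other unexpected parent, or run from a user profile directory such as Downloads.

```python
import re
from dataclasses import dataclass

# Constructed watchlist of legitimate tools whose unexpected installation deserves a look.
# These binary names are placeholders, not the real file names of any product.
WATCHED_TOOLS = {"monitoring_agent_setup.exe", "rmm_installer.exe", "remote_support.exe"}
# Assumed: the only account and parent process allowed to roll these tools out.
APPROVED_DEPLOYERS = {"svc-deploy"}
APPROVED_PARENTS = {"deploytool.exe"}
# Parents that indicate a hand-run or script-driven install rather than managed deployment.
SCRIPT_PARENTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Locations under a user profile where a downloaded installer typically lands.
USER_PROFILE_RE = re.compile(r"^c:\\users\\[^\\]+\\(downloads|appdata|desktop)\\", re.I)

# Constructed log format: "<timestamp> host=<h> user=<u> parent=<p> image=<full path>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"parent=(?P<parent>\S+)\s+image=(?P<image>.+)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    image: str
    reasons: list


def parse_event(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(ev):
    """Apply the rule to one parsed event; return a Finding or None."""
    image = ev["image"]
    name = image.rsplit("\\", 1)[-1].lower()
    if name not in WATCHED_TOOLS:
        return None
    reasons = []
    if ev["user"].lower() not in APPROVED_DEPLOYERS:
        reasons.append(f"launched by non-deployment account {ev['user']}")
    parent = ev["parent"].lower()
    if parent in SCRIPT_PARENTS:
        reasons.append(f"spawned from scripting interpreter {parent}")
    elif parent not in APPROVED_PARENTS:
        reasons.append(f"unexpected parent process {parent}")
    if USER_PROFILE_RE.match(image):
        reasons.append("binary located under a user profile directory")
    if not reasons:
        return None  # approved deployer, approved parent, system path: expected rollout
    return Finding(ev["ts"], ev["host"], ev["user"], image, reasons)


def scan(lines):
    """Run the rule over an iterable of log lines and collect findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed line, skip
        f = evaluate(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample events: one scripted install on an admin workstation, one managed
# rollout, one hand-launched RMM installer on a server, one unrelated program, one bad line.
SAMPLE_LOG = [
    r"2025-05-06T09:12:41Z host=WS-ADMIN-01 user=jdoe parent=powershell.exe image=C:\Users\jdoe\Downloads\monitoring_agent_setup.exe",
    r"2025-05-06T10:02:03Z host=WS-HR-07 user=svc-deploy parent=deploytool.exe image=C:\ProgramData\Deploy\monitoring_agent_setup.exe",
    r"2025-05-06T10:30:55Z host=SRV-FILE-02 user=asmith parent=explorer.exe image=C:\Program Files\Tools\rmm_installer.exe",
    r"2025-05-06T11:00:00Z host=WS-DEV-03 user=bob parent=explorer.exe image=C:\Program Files\Editor\editor.exe",
    "this line is not an event",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user} {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

In practice the watchlist would hold the exact installer and agent names approved in your organization, and the approved deployer and parent would come from your software deployment setup; a managed rollout then produces no finding, while an installer run by hand from a Downloads folder or launched by a PowerShell script is surfaced for review.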
Final Words
With data security threats evolving constantly, it’s critical for organizations to stay vigilant. As today’s case teaches us, even legitimate digital solutions can become attack tools in the wrong hands if a company doesn’t have proper security measures in place.
Once again, it’s important for us to emphasize that Kickidler is licensed employee monitoring software, and we as the developers diligently work on ensuring the safety of our clients’ data.
What’s more, we recommend that you update the software and familiarize yourself with the new sign-up process. This will help you strengthen your company’s data security and safeguard against attacks of a similar nature in the future.
We take our professional obligations and our credibility incredibly seriously. With your best interests at the core of our organization, we encourage you to report any suspicious product deployments so that we can continue to ensure our software is up to par.