Kickidler time tracking ransomware attack

Hackers are abusing the employee time tracking tool Kickidler to spy on companies and assist ransomware operations, as reported by BleepingComputer on May 8, 2025.
The attackers used fraudulent Google Ads to distribute a trojan horse that silently installs a backdoor. Once inside, they deploy Kickidler to log keystrokes and record screens, turning productivity software into an opportunity for data theft.
How Did a Time Tracking Tool Become a Cyber Weapon?
Kickidler is normally used to monitor employee activity. It provides screen recording, employee usage logging, and keystroke tracking, designed to help organizations ensure accountability and productivity.
But when installed covertly by criminals, those same features become tools for corporate espionage and credential theft.
The initial breach starts when IT admins click on fraudulent advertisements while searching for RVTools, a free tool used to audit VMware environments. The download, hosted on a fake site, installs a PowerShell-based backdoor named SMOKEDHAM.
That backdoor allows attackers to silently install malicious software, observe employee activity, and harvest login credentials.
Once attackers gather enough information, they move laterally across the network to target virtual infrastructure, especially VMware ESXi servers.
These servers host multiple virtual machines, making them prime targets for ransomware. The attackers use tools like VMware PowerCLI and WinSCP to enable SSH, upload ransomware scripts, and encrypt VMDK (virtual disk) files, crippling operations and stealing confidential data.
Who is Behind the Attacks?
Two ransomware gangs, Qilin and Hunters International, have been linked to these campaigns. Both are known for using advanced infiltration methods and have shifted toward abusing legitimate tools to reduce detection.
This method, often called “living off the land,” allows attackers to use trusted software against companies, bypassing standard antivirus alerts and raising fewer red flags.
Security experts warn that more ransomware operators will likely follow this tactic.
What Employers Should Do to Protect Themselves
This attack highlights the need for better visibility over legitimate tools installed across company devices. Kickidler wasn’t designed to be malicious, but once hijacked, it becomes nearly indistinguishable from spyware.
To prevent similar attacks, organizations should:
- Audit and restrict software installations: IT teams must regularly review software across all devices and limit installations to authorized users only.
- Block unauthorized RMM and monitoring tools: Application control settings should prevent non-approved tools like Kickidler from being installed without notice.
- Train staff to spot phishing and malvertising: Malvertising is a rising threat. Employees must be educated to verify download links and avoid third-party sources.
- Monitor behavior, not just malware signatures: Behavioral analysis tools can detect abnormal keystroke logging or screen captures, even from legitimate software.
- Segment virtual and backup systems: Limiting access between regular endpoints and critical infrastructure can stop lateral movement after a breach.
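The first two items above can be checked continuously against a software inventory export. The following is an added example, not code from the original report or from any vendor: the CSV columns, host names, product strings, and the approval list are constructed assumptions, and only the Kickidler name comes from the article.

```python
import csv
import io
import re

# Product-name patterns for monitoring/RMM software. Kickidler is the tool named
# in the article; add the other tools your organization wants to track.
WATCHLIST = {"kickidler": re.compile(r"kickidler", re.IGNORECASE)}

# Assumption: (host, tool) pairs where a monitoring agent was formally approved.
APPROVED = {("HR-WS-01", "kickidler")}

# Constructed sample: inventory export with one row per installed product.
SAMPLE_INVENTORY = """\
host,role,product,installed_by
HR-WS-01,user,Kickidler,svc-deploy
IT-ADM-03,admin,RVTools,j.doe
IT-ADM-03,admin,Kickidler,j.doe
FIN-WS-07,user,7-Zip,svc-deploy
FIN-WS-09,user,KICKIDLER agent,SYSTEM
"""


def audit_inventory(csv_text, watchlist=WATCHLIST, approved=APPROVED):
    """Return findings for watch-listed tools installed without approval."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["host"].strip().upper()
        for tool, pattern in watchlist.items():
            if not pattern.search(row["product"]):
                continue
            if (host, tool) in approved:
                continue  # sanctioned deployment, nothing to report
            # Admin workstations hold the credentials that reach ESXi and backup
            # systems, so an unapproved keystroke/screen recorder there ranks highest.
            is_admin = row["role"].strip().lower() == "admin"
            findings.append({
                "host": host,
                "tool": tool,
                "product": row["product"],
                "installed_by": row["installed_by"],
                "severity": "critical" if is_admin else "high",
            })
    # Critical findings first, then alphabetical by host.
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["host"]))


if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(finding)
```

Run it on a schedule against the export from your endpoint management system, and treat any finding on an administrator workstation as an incident rather than a policy exception.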
Lessons Learned
The Kickidler time tracking ransomware attack is a case study of how trusted workplace tools can be weaponized. As software ecosystems grow more complex, IT and security teams must treat every tool, no matter how helpful, with scrutiny.
Time and attendance software must be carefully selected and routinely audited. When a tool designed to promote productivity is used to destroy it, it is a stark reminder that digital trust must be researched, earned, and protected.