Codenil

Massive Phishing Wave Using Trusted Remote Access Tools Hits Over 80 US Organizations

Published: 2026-05-05 01:39:25 | Category: Digital Marketing

Breaking: Widespread Phishing Campaign Exploits Legitimate RMM Software

A sophisticated phishing campaign, dubbed VENOMOUS#HELPER, has compromised more than 80 organizations, primarily in the United States, since at least April 2025. Attackers are leveraging legitimate Remote Monitoring and Management (RMM) tools — SimpleHelp and ScreenConnect — to establish persistent remote access to victim networks.

Security firm Securonix first identified the coordinated activity and is tracking it as VENOMOUS#HELPER. The campaign marks a significant escalation in the abuse of trusted administrative software to bypass traditional security defenses.

"Threat actors are increasingly weaponizing tools that IT teams rely on daily," said James Whitfield, senior threat researcher at Securonix. "By using legitimate RMM software, they can fly under the radar of endpoint detection systems."

Background: How the Attack Works

The attack chain begins with a spear-phishing email designed to trick recipients into downloading a malicious attachment or clicking a malicious link. Once executed, the payload silently installs either SimpleHelp or ScreenConnect, both widely used RMM platforms.

These tools then grant attackers persistent remote control over the infected machine, allowing them to move laterally within the network, steal credentials, and deploy ransomware or data exfiltration payloads.

"RMM software is inherently trusted by both security teams and operating systems," Whitfield explained. "This trust makes it a perfect camouflage for adversary operations."

The campaign primarily targets critical infrastructure sectors, including manufacturing, healthcare, and finance. Over 80% of victims are located in the United States, with the remainder spread across Europe and Asia-Pacific.

What This Means for Cybersecurity

VENOMOUS#HELPER underscores the growing trend of living-off-the-land tactics, where attackers abuse legitimate software to avoid detection. Traditional security tools that rely on signature-based detection often fail to flag the use of approved RMM applications.

Organizations must now monitor RMM tool usage as a potential indicator of compromise. Security teams should implement strict policies for RMM deployment and maintain logs of all remote sessions.
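
One way to turn that monitoring advice into a check, as an added example that is not from Securonix or this article: process-creation events are matched against the two RMM tools named above and compared with an RMM policy. The policy, the hostnames, the path hints and the sample events are all constructed assumptions.

```python
import re

# Assumed policy: ScreenConnect is the only approved RMM tool, and only
# when it connects to the organization's own relay (placeholder hostname).
APPROVED_TOOLS = {"ScreenConnect"}
APPROVED_RELAYS = {"support.corp.example"}
# Path/name hints for the two tools named in the article. These are
# assumptions; validate them against your own installers before use.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"screenconnect\.(clientservice|windowsclient)\.exe", re.I),
    "SimpleHelp": re.compile(r"jwrapper-remote access|simplehelp", re.I),
}
# Assumption: the ScreenConnect client is launched with the relay host in an h= parameter.
RELAY_PARAM = re.compile(r"[?&]h=([^&\s\"]+)", re.I)

def classify(event):
    """Return (tool, verdict) for an RMM process event, or None if not RMM."""
    text = f"{event['image']} {event['command_line']}"
    for tool, pattern in RMM_PATTERNS.items():
        if not pattern.search(text):
            continue
        if tool not in APPROVED_TOOLS:
            return tool, "unapproved-tool"
        match = RELAY_PARAM.search(event["command_line"])
        if match is None:
            return tool, "relay-unknown"
        ok = match.group(1).lower() in APPROVED_RELAYS
        return tool, "approved" if ok else "unapproved-relay"
    return None

def triage(events):
    """List (host, tool, verdict) for every RMM event that breaks policy."""
    findings = []
    for event in events:
        result = classify(event)
        if result and result[1] != "approved":
            findings.append((event["host"], *result))
    return findings

# Constructed process-creation events (not taken from the campaign).
SC = r"C:\Program Files (x86)\ScreenConnect Client (0000)\ScreenConnect.ClientService.exe"
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": SC, "command_line": f'"{SC}" "?e=Access&y=Guest&h=support.corp.example&p=8041"'},
    {"host": "WS-022", "image": SC, "command_line": f'"{SC}" "?e=Access&y=Guest&h=relay.unknown.test&p=8041"'},
    {"host": "WS-031", "image": r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe", "command_line": ""},
    {"host": "WS-031", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "command_line": ""},
]
if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

An approved tool pointed at an unapproved relay is flagged as well as an unapproved tool, since a signed, familiar binary alone says nothing about who controls the session.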

"This is a wake-up call for every SOC," said Maria Chen, cybersecurity analyst at CyberDefense Institute. "If you're not auditing your RMM tools, you're likely already compromised."

Securonix reports that the campaign remains active, with new phishing lures detected daily. The researchers advise all organizations to review their RMM security guidelines and enable multi-factor authentication on management consoles.

"The attackers are sophisticated but not invincible," Whitfield added. "Visibility into RMM usage, combined with user awareness, can break the kill chain."