VENOMOUS#HELPER Campaign Weaponizes RMM Tools for Stealthy Persistence
A stealthy phishing campaign dubbed VENOMOUS#HELPER is compromising organizations by weaponizing legitimate, signed RMM tools to maintain persistent, undetected access to victim systems.

A sophisticated phishing campaign, tracked by researchers at Securonix as VENOMOUS#HELPER, is currently leveraging legitimate Remote Monitoring and Management (RMM) software to compromise organizations across the United States, Western Europe, and Latin America. Active since at least April 2025, the campaign has successfully targeted more than 80 organizations by weaponizing trusted administrative tools to bypass traditional security defenses (Dark Reading).
The attack chain begins with deceptive phishing emails masquerading as official communications from the US Social Security Administration (SSA). These emails prompt victims to download a purported statement, which instead delivers a malicious executable. Once executed, this file installs two commercially available, legitimately signed RMM tools: SimpleHelp and ScreenConnect. By using these trusted applications, attackers can blend their malicious activity with legitimate administrative traffic, significantly reducing the likelihood of triggering security alerts (Dark Reading).
The threat actors employ a dual-tool strategy to ensure persistent access. SimpleHelp serves as the primary channel for executing scripts, conducting surveillance, and performing automated tasks, while ScreenConnect is reserved for interactive desktop control. If an organization identifies and removes one tool, the attacker retains access through the second. Securonix observed these tools performing hundreds of background actions, including monitoring network connectivity, tracking user activity, and even observing cursor movement to identify periods of inactivity for hands-on exploitation (Dark Reading).
While no formal attribution has been assigned, Securonix assesses that the campaign is consistent with the tactics of a financially motivated Initial Access Broker (IAB) or a ransomware precursor operation. The shift toward "living-off-the-land" techniques using RMM software is part of a broader industry trend. Huntress researchers reported a 277% year-over-year increase in RMM tool misuse throughout 2025, noting that these tools now appear in nearly 25% of all security incidents, while the use of traditional hacking tools has declined by 53% (Dark Reading).
This campaign underscores the growing challenge of defending against the weaponization of legitimate software. Because RMM tools are essential for routine IT maintenance, they are frequently allow-listed by security policies, providing attackers with a low-friction path to persistence. As threat actors continue to favor these trusted utilities over custom malware, organizations face an increasing need to implement stricter monitoring and access controls for administrative software to prevent these stealthy, long-term compromises (Dark Reading).
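The dual-tool pattern and the allow-listing problem described above suggest what endpoint monitoring should look for: an RMM agent the organization does not sanction, an RMM agent spawned by a user-downloaded executable rather than by a management push, and two different RMM products on one host. The script below, an added example that is not Securonix's or Dark Reading's code, runs those three checks over constructed process-start records; the executable names, paths and the allow-list are assumptions for illustration.

```python
import re
from collections import defaultdict

# Assumption for the example: the organization only sanctions ScreenConnect,
# so an allow-list alone would let the campaign's ScreenConnect install through.
ALLOWED_RMM = {"ScreenConnect"}
RMM_PRODUCTS = {"SimpleHelp", "ScreenConnect"}  # the pair the campaign drops

# Installers launched from a user's Downloads or Temp folder are how a phished
# "statement" ends up installing an agent; IT pushes normally do not look like this.
USER_DROP_DIR = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)

# Constructed sample telemetry (not from the article): one record per process start.
EVENTS = [
    {"host": "ws-17", "image": r"C:\Users\jdoe\Downloads\SSA_Statement.exe",
     "parent": r"C:\Windows\explorer.exe", "product": None},
    {"host": "ws-17", "image": r"C:\ProgramData\Example\simplehelp-agent.exe",
     "parent": r"C:\Users\jdoe\Downloads\SSA_Statement.exe", "product": "SimpleHelp"},
    {"host": "ws-17", "image": r"C:\ProgramData\Example\screenconnect-client.exe",
     "parent": r"C:\Users\jdoe\Downloads\SSA_Statement.exe", "product": "ScreenConnect"},
    {"host": "srv-03", "image": r"C:\ProgramData\Example\screenconnect-client.exe",
     "parent": r"C:\Windows\System32\services.exe", "product": "ScreenConnect"},
]


def analyze(events, allowed=ALLOWED_RMM):
    """Return (host, rule, detail) findings for the three RMM-abuse checks."""
    findings = []
    rmm_per_host = defaultdict(set)
    for e in events:
        product = e.get("product")
        if product not in RMM_PRODUCTS:
            continue  # not an RMM agent; ignored by these rules
        rmm_per_host[e["host"]].add(product)
        if product not in allowed:
            findings.append((e["host"], "unsanctioned_rmm", product))
        if USER_DROP_DIR.search(e["parent"]):
            findings.append((e["host"], "rmm_installed_from_user_download", product))
    # Redundant agents: the attacker keeps access if only one tool is removed.
    for host, products in rmm_per_host.items():
        if len(products) >= 2:
            findings.append((host, "redundant_rmm_agents", "+".join(sorted(products))))
    return findings


if __name__ == "__main__":
    for host, rule, detail in analyze(EVENTS):
        print(f"{host}: {rule} ({detail})")
```

Note that srv-03, where the sanctioned product was pushed by the service manager, produces no finding, while ws-17 is flagged on all three rules even though one of its agents is allow-listed.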