
Phishing campaign dubbed VENOMOUS#HELPER hits 80+ organizations via abused RMM tools

  • Marijan Hassan - Tech Journalist
  • 2 days ago
  • 2 min read

A stealthy and persistent phishing campaign, dubbed VENOMOUS#HELPER, has successfully compromised over 80 organizations by weaponizing legitimate Remote Monitoring and Management (RMM) software to bypass traditional security defenses.



According to a recent report from Securonix, the campaign has been active since April 2025 but intensified in early 2026, primarily targeting entities in the United States, Western Europe, and Latin America. The attackers are not using traditional malware. Instead, they rely on SimpleHelp as the primary remote-access connection and then install a second RMM tool, ConnectWise ScreenConnect, as a backup in case the first one fails or is removed.


The attack chain: Impersonation and infiltration

The campaign begins with highly convincing phishing emails masquerading as the U.S. Social Security Administration (SSA). Recipients are prompted to verify their email addresses or download a purported "SSA statement."

  • The Lure: Users are directed to a compromised but legitimate Mexican business website to evade email reputation filters.

  • The Payload: The downloaded file is a JWrapper-packaged Windows executable that, when opened, silently installs the SimpleHelp RMM tool as a system service.

  • Privilege Escalation: Once active, the tool acquires SYSTEM-level privileges, allowing the attackers to read screens, inject keystrokes, and monitor user activity.


Evasion and persistence

The use of legitimate, signed software makes VENOMOUS#HELPER particularly dangerous. Standard antivirus and signature-based controls often ignore these tools because they are frequently used by IT departments for routine maintenance.


Key technical details:

  • Self-healing: The malware includes a "watchdog" process that automatically restarts the RMM service if it is terminated.

  • Safe mode persistence: It ensures it remains active even if the system is booted into Safe Mode.

  • Frequency: The system's security posture is scanned every 67 seconds, while operator presence detection polls every 23 seconds.


Protective measures for organizations

Security experts recommend that CISOs and IT teams take the following steps to mitigate the risk:


  • Strict RMM allowlists: Only allow authorized RMM tools to run on corporate networks and block all others by default.

  • Monitor for tampering: Track changes to system services and registry keys that indicate the installation of unauthorized management software.

  • Credential hygiene: Reset passwords for any account found to have interacted with unauthorized RMM installers.

  • Employee training: Teach employees to anticipate and recognize phishing attempts. For instance, government agencies like the SSA do not send executable files via email.
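The allowlist and tamper-monitoring recommendations above can be turned into a routine host audit. The PowerShell script below is an added example written for this page; it is not from the article or the Securonix report. It lists installed services whose display name or binary path matches an RMM product not on an allowlist, pulls recent "service installed" events (System log, Event ID 7045) whose image path matches the same patterns, and checks whether a flagged service is registered to run in Safe Mode. The allowlist entry, the exact pattern strings and the 30-day lookback are assumptions to adjust to your environment; SimpleHelp and ScreenConnect are the two products named in the article.

```powershell
# Added example, not from the article or the Securonix report.
# Audits a Windows host for RMM services outside an allowlist, recent service
# installations, and Safe Mode persistence. Run in an elevated PowerShell session.

# Assumption: a hypothetical allowlist of RMM products your IT department sanctions.
$AllowedRmm = @('ApprovedRMM-Vendor-Placeholder')

# Name/path fragments identifying RMM tooling. SimpleHelp and ScreenConnect are
# named in the reporting; JWrapper is the packager mentioned for the installer.
$RmmPatterns = @('SimpleHelp', 'ScreenConnect', 'JWrapper')

function Test-MatchesPattern {
    param([string]$Text, [string[]]$Patterns)
    foreach ($p in $Patterns) { if ($Text -like "*$p*") { return $true } }
    return $false
}

# Services that look like RMM software but are not on the allowlist.
function Get-UnapprovedRmmService {
    Get-CimInstance Win32_Service | Where-Object {
        (Test-MatchesPattern -Text "$($_.DisplayName) $($_.PathName)" -Patterns $RmmPatterns) -and
        -not (Test-MatchesPattern -Text $_.DisplayName -Patterns $AllowedRmm)
    } | Select-Object Name, DisplayName, State, StartMode, StartName, PathName
}

# Service installations recorded by the Service Control Manager (Event ID 7045).
# EventData fields are ServiceName, ImagePath, ServiceType, StartType, AccountName.
function Get-RecentServiceInstall {
    param([int]$Days = 30)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $_.Properties[0].Value
            ImagePath   = $_.Properties[1].Value
            Account     = $_.Properties[4].Value
        }
    }
}

# A service listed under SafeBoot\Minimal or SafeBoot\Network starts in Safe Mode.
function Test-SafeBootPersistence {
    param([string]$ServiceName)
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$ServiceName"
        if (Test-Path $key) {
            [pscustomobject]@{ ServiceName = $ServiceName; SafeBootMode = $mode }
        }
    }
}

# --- Report ---
$suspect = Get-UnapprovedRmmService
Write-Host "Unapproved RMM services:"
$suspect | Format-Table -AutoSize

Write-Host "Service installs in the last 30 days matching RMM patterns:"
Get-RecentServiceInstall -Days 30 |
    Where-Object { Test-MatchesPattern -Text $_.ImagePath -Patterns $RmmPatterns } |
    Format-Table -AutoSize

Write-Host "Flagged services registered for Safe Mode:"
foreach ($s in $suspect) { Test-SafeBootPersistence -ServiceName $s.Name }
```

Because the article notes the tooling is signed and legitimate, the script deliberately keys on configuration state (which services exist, when they were installed, and whether they survive a Safe Mode boot) rather than on file signatures. Any hit should be cross-checked against change tickets before the service is removed, since the same products are used by legitimate IT teams.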
