RMM Tools Fuel Stealthy Phishing Campaign
Recorded: May 11, 2026, 1:16 p.m.
Original:
Attackers are abusing two remote monitoring and management (RMM) tools to evade detection in a campaign that has impacted over 80 organizations so far.

Jai Vijayan, Contributing Writer
May 4, 2026
4 Min Read
Source: Digitala World via Shutterstock

A stealthy phishing campaign targeting organizations across multiple industries highlights a growing trend by attackers to weaponize legitimate IT management tools to bypass security controls and maintain persistence on compromised systems.

Security researchers at Securonix say the campaign, which they are tracking as VENOMOUS#HELPER, has been active since at least April 2025 and has hit more than 80 organizations, primarily in the US but also in Western Europe and Latin America.

Not One, But Two RMM Tools

What makes the campaign noteworthy, according to Securonix, is its deliberate avoidance of traditional malware in favor of two legitimately signed, commercially available remote monitoring and management (RMM) tools — SimpleHelp and ScreenConnect — for enabling persistent control over victim machines.

The choice of two RMM tools ensures that even if a victim organization spots one of them and removes it, the threat actor still maintains access via the second. "No attribution has been formally assigned; Securonix assesses this activity is consistent with a financially motivated Initial Access Broker (IAB) or ransomware precursor operation targeting the Western economic bloc," the security vendor said.

RMM tools give attackers a low-friction way to gain access to and maintain persistence in a victim environment. Because IT teams use them so widely for legitimate purposes like routine administration and maintenance, the tools rarely trigger security alerts and give bad actors a way to blend malicious activity in with normal operations. That dynamic has fueled a massive surge in the use of RMM tools in new attacks. Researchers at Huntress reported a 277% year-over-year increase in RMM tool misuse in 2025, with the tools appearing in nearly a quarter of all incidents. Over the same period, use of traditional hacking tools dropped by 53%, highlighting a shift toward trusted software as an attack vector.

"Remote monitoring and management (RMM) tools are cybercriminals' new favorite weapon," the company said.

The Venomous#Helper Attack Chain

VENOMOUS#HELPER attacks begin with a convincingly crafted phishing email that masquerades as a message from the US Social Security Administration (SSA). Recipients are informed about a new statement available for download and are prompted to click a link. Users who follow through are directed to a phishing page hosted on a legitimate but previously compromised website. The page looks like an official SSA page and prompts the user to confirm their email address and to download what appears to be a genuine SSA statement. In reality the file is a malicious executable that initiates a sequence of actions leading to the installation of the SimpleHelp and ScreenConnect RMM tools on the user's system.

Notably, according to Securonix, the operator of the VENOMOUS#HELPER campaign is using each of the tools for a different purpose. SimpleHelp is the primary RMM channel, which the threat actor is using to run scripts and commands, execute automated tasks, conduct surveillance, and perform continuous monitoring of infected systems. ScreenConnect, meanwhile, is used for interactive desktop control.

Securonix's analysis showed the tools operating quietly but continuously on compromised systems, taking literally hundreds of background actions in a short time frame, including checks on network connectivity, user activity, and installed security tools. The security vendor found the attacker tracking cursor movement to determine when a user might be away from their system so they could execute hands-on attacks.

Aaron Beardslee, manager of threat research at Securonix, says available evidence suggests the attacks are likely targeted and designed to attract the attention of users who are actually interested in Social Security topics, especially statements in this case.

"From the small sample set we believe this campaign could be targeted at higher-tier employees' personal emails with the hope those individuals would open their personal email on company devices," Beardslee says, adding that there's also some data to suggest the attacker has an interest in individuals with access to their organization's cryptocurrency assets.

Campaigns like this highlight why security teams need to instill a healthy dose of "cyber paranoia" within their organizations, Beardslee notes. In this particular instance, anyone who is remotely security-aware would be able to spot the SSA messages for the fakes they are. "But a sales rep, HR, or C-suite employee may not be so attuned to the attacker methodology," he says. "This is where a solid security program that instills 'cyber paranoia' is essential."

Logging of endpoint activity, combined with a strong SIEM or EDR platform that captures detailed system activity, can also be useful in quickly surfacing unusual behavior, including unauthorized installation of RMM tools, Beardslee explains. "Application whitelisting can stop these attacks outright," he says. "Network monitoring adds another layer by helping detect and block suspicious activity. But none of this helps if users fall for the lure on personal devices."

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
Summarized:

The Securonix research team has identified a stealthy phishing campaign, designated VENOMOUS#HELPER, that has impacted more than 80 organizations, primarily in the United States but also in Western Europe and Latin America. The campaign leverages two legitimate, commercially available Remote Monitoring and Management (RMM) tools, SimpleHelp and ScreenConnect, to establish persistent access to compromised systems while circumventing traditional malware detection. As reported by Dark Reading contributing writer Jai Vijayan, the attackers use SimpleHelp for continuous monitoring, scripting, and command execution, while ScreenConnect is employed for interactive remote desktop control. This dual-tool approach strengthens the attacker's foothold and ensures continued access even if one tool is detected and removed. Securonix assesses the activity as financially motivated and consistent with an Initial Access Broker (IAB) or ransomware precursor operation targeting the Western economic bloc. The attack chain begins with a convincing phishing email impersonating the US Social Security Administration (SSA) that prompts recipients to download a malicious executable, which in turn installs SimpleHelp and ScreenConnect and gives the attacker stealthy, persistent control. Separately, Huntress reported a 277% year-over-year increase in RMM tool misuse in 2025 while use of traditional hacking tools dropped by 53%, showing a shift toward trusted software as an attack vector. Researcher Aaron Beardslee notes a targeted approach, suggesting the campaign focuses on individuals with an interest in Social Security topics, possibly reaching them through higher-tier employees' personal email accounts, and points to a possible interest in individuals with access to cryptocurrency assets.

Given this trend, Securonix advises organizations to instill "cyber paranoia" within their security programs, emphasizing robust endpoint logging, SIEM or EDR platforms, application whitelisting, and network monitoring to detect and block suspicious RMM tool activity. Beardslee stresses that sales representatives, HR personnel, and C-suite executives may not have the same level of security awareness as dedicated security teams, which underscores the need for security training across the whole organization.
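The detection advice given in both the article and the summary (endpoint logging fed to a SIEM or EDR, application allowlisting, and watching for unauthorized RMM installs) can be sketched as a small allowlist check over process telemetry. The Python below is an added example written for this page; it is not Securonix's, Huntress's or any product's detection logic. The log line format, host names, user names, file paths and the policy sets `APPROVED_RMM` and `APPROVED_DEPLOYERS` are constructed assumptions, and the only RMM names it matches are the two the article mentions. It flags three things: an RMM family the allowlist does not sanction, a sanctioned family started by an account that is not permitted to deploy it, and a host on which two different RMM families appear, which is the dual-tool redundancy pattern the article describes.

```python
"""Allowlist check for RMM tool activity over constructed endpoint telemetry.

Added example for this page; not Securonix's or any vendor's detection logic.
Log format, hosts, users, paths and policy sets are all constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: one line per process-create / service-install event.
SAMPLE_EVENTS = [
    "2026-05-01T09:12:03Z host=wks-042 user=jdoe event=process_create "
    "image=C:\\Users\\jdoe\\Downloads\\SSA_Statement.exe",
    "2026-05-01T09:12:40Z host=wks-042 user=jdoe event=process_create "
    "image=C:\\ProgramData\\SimpleHelp\\Remote Access.exe",
    "2026-05-01T09:13:05Z host=wks-042 user=jdoe event=service_install "
    "image=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
    "2026-05-01T10:00:00Z host=it-admin-01 user=svc-it-deploy event=service_install "
    "image=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
    "2026-05-01T10:05:00Z host=wks-017 user=asmith event=process_create "
    "image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "malformed line that the parser must skip",
]

# Substrings that identify an RMM family in an image path (the two tools named in the article).
RMM_FAMILIES = {"simplehelp": "SimpleHelp", "screenconnect": "ScreenConnect"}

# Hypothetical policy: only ScreenConnect is sanctioned, and only when deployed by the IT service account.
APPROVED_RMM = {"ScreenConnect"}
APPROVED_DEPLOYERS = {"svc-it-deploy"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) image=(?P<image>.+)$"
)


def parse_event(line):
    """Return the event fields as a dict, or None for a line that does not match the format."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def classify_rmm(image_path):
    """Return the RMM family name for an image path, or None if it is not a known RMM binary."""
    lowered = image_path.lower()
    for needle, family in RMM_FAMILIES.items():
        if needle in lowered:
            return family
    return None


def detect_rmm_abuse(lines, approved_rmm=APPROVED_RMM, approved_deployers=APPROVED_DEPLOYERS):
    """Scan telemetry lines and return alert tuples (alert_type, host, detail, user).

    Three conditions are flagged:
      unapproved_rmm                 an RMM family that the allowlist does not sanction
      rmm_outside_deployment_policy  a sanctioned family started by an account not allowed to deploy it
      multiple_rmm_families          a host running two or more different RMM families (dual-tool pattern)
    """
    alerts = []
    families_per_host = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # malformed telemetry is skipped rather than aborting the scan
        family = classify_rmm(event["image"])
        if family is None:
            continue  # not an RMM binary; ordinary software is out of scope here
        families_per_host[event["host"]].add(family)
        if family not in approved_rmm:
            alerts.append(("unapproved_rmm", event["host"], family, event["user"]))
        elif event["user"] not in approved_deployers:
            alerts.append(("rmm_outside_deployment_policy", event["host"], family, event["user"]))
    # Second pass: the dual-tool pattern only shows up once all events for a host are seen.
    for host, families in sorted(families_per_host.items()):
        if len(families) >= 2:
            alerts.append(("multiple_rmm_families", host, "+".join(sorted(families)), ""))
    return alerts


if __name__ == "__main__":
    for alert in detect_rmm_abuse(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, wks-042 produces all three alert types (SimpleHelp is unapproved, ScreenConnect was installed by an ordinary user rather than the deployment account, and both families are present), while the IT admin host that received ScreenConnect from the sanctioned service account stays silent. Matching on image path substrings is deliberately simple; in a real SIEM rule the same policy would be keyed on signer, product name or installer hash from the EDR telemetry rather than on a path the attacker can rename.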