A stealthy phishing campaign targeting organizations across multiple industries highlights a growing trend by attackers to weaponize legitimate IT management tools to bypass security controls and maintain persistence on compromised systems.
Security researchers at Securonix say the campaign, which they are tracking as VENOMOUS#HELPER, has been active since at least April 2025 and has hit more than 80 organizations, primarily in the US but also in Western Europe and Latin America.
Not One, But Two RMM Tools
What makes the campaign noteworthy, according to Securonix, is its deliberate avoidance of traditional malware in favor of two legitimately signed, commercially available remote monitoring and management (RMM) tools — SimpleHelp and ScreenConnect — to establish persistent control over victim machines.
The choice of two RMM tools ensures that even if a victim organization spots one of them and removes it, the threat actor still maintains access via the second. “No attribution has been formally assigned; Securonix assesses this activity is consistent with a financially motivated Initial Access Broker (IAB) or ransomware precursor operation targeting the Western economic bloc,” the security vendor said.
RMM tools allow attackers a low-friction way to gain access to and maintain persistence on a victim environment. Because of how widely IT teams use them for legitimate purposes like routine administration and maintenance, the tools rarely trigger security alerts and give bad actors a way to blend malicious activity in with normal operations. That dynamic has fueled a massive surge in the use of RMM tools in new attacks.
Researchers at Huntress reported a 277% year-over-year increase in RMM tool misuse in 2025, with the tools appearing in nearly a quarter of all incidents. Over the same period, use of traditional hacking tools dropped by 53%, highlighting a shift toward trusted software as an attack vector. “Remote monitoring and management (RMM) tools are cybercriminals’ new favorite weapon,” the company said.
The Venomous#Helper Attack Chain
VENOMOUS#HELPER attacks begin with a convincingly crafted phishing email that masquerades as a message from the US Social Security Administration (SSA). Recipients are informed about a new statement available for download and are prompted to click a link. Users who follow through are directed to a phishing page hosted on a legitimate but previously compromised website.
The page looks like an official SSA page and prompts the user to confirm their email address and to download what appears to be a genuine SSA statement. In reality the file is a malicious executable that initiates a sequence of actions leading to the installation of the SimpleHelp and ScreenConnect RMM tools on their system.
Notably, according to Securonix, the operator of the VENOMOUS#HELPER campaign is using each of the tools for different purposes. SimpleHelp is the primary RMM channel, which the threat actor is using to run scripts and commands, execute automated tasks, conduct surveillance and perform continuous monitoring of infected systems. They are using ScreenConnect, meanwhile, for interactive desktop control.
Securonix’s analysis showed the tools operating quietly but continuously on compromised systems, performing hundreds of background actions in a short time frame, including checks on network connectivity, user activity, and installed security tools. The security vendor also found the attacker tracking cursor movement to determine when a user was likely to be away from their system so that hands-on attacks could be carried out.
Aaron Beardslee, manager of threat research at Securonix, says the available evidence suggests the attacks are likely targeted and designed to attract the attention of users who are actually interested in Social Security topics, in this case statements in particular.
“From the small sample set we believe this campaign could be targeted at higher-tier employees’ personal emails with the hope those individuals would open their personal email on company devices,” Beardslee says, adding that there is also some data to suggest the attacker has an interest in individuals with access to their organization’s cryptocurrency assets.
Campaigns like this highlight why security teams need to instill a healthy dose of “cyber paranoia” within their organizations, Beardslee notes. In this particular instance, anyone who is remotely security-aware would be able to spot the SSA messages for the fakes they are. “But a sales rep, HR, or C-suite employee may not be so attuned to the attacker methodology,” he says. “This is where a solid security program that instills ‘cyber paranoia’ is essential.”
Logging of endpoint activity, combined with a strong SIEM or EDR platform that captures detailed system activity, can also be useful in quickly surfacing unusual behavior, including unauthorized installation of RMM tools, Beardslee explains.
“Application whitelisting can stop these attacks outright,” he says. “Network monitoring adds another layer by helping detect and block suspicious activity. But none of this helps if users fall for the lure on personal devices.”
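As an added example (not code from the article, Securonix or either RMM vendor), the endpoint-logging check Beardslee describes written as a small Python filter over constructed process-creation events: it flags either RMM tool on a host where IT has not sanctioned it, and separately flags the first time both families appear on the same host, since the campaign installs two for redundancy. The product-name substring matching, the allowlist, the hostnames and the `SSA_Statement.exe` parent process are all assumptions made for illustration.

```python
from collections import defaultdict

# Hosts where IT has sanctioned an RMM family (constructed allowlist for this example).
APPROVED = {"it-admin-01": {"ScreenConnect"}}

# The two RMM families named in the Securonix report. Matching the product name as a
# substring of the image path is an assumption for illustration; real binary names
# vary by version and should come from your own software inventory.
RMM_FAMILIES = {"simplehelp": "SimpleHelp", "screenconnect": "ScreenConnect"}


def classify(image_path):
    """Return the RMM family a process image belongs to, or None."""
    low = image_path.lower()
    for key, name in RMM_FAMILIES.items():
        if key in low:
            return name
    return None


def detect(events):
    """Scan process-creation events (dicts with host/image/parent keys) and return
    alerts for RMM tools on hosts not sanctioned for them, plus one alert the first
    time a second RMM family shows up on the same host."""
    alerts = []
    seen = defaultdict(set)
    for ev in events:
        family = classify(ev["image"])
        if family is None:
            continue
        host = ev["host"]
        if family not in APPROVED.get(host, set()):
            alerts.append((host, "unsanctioned_rmm", family, ev["parent"]))
        if family not in seen[host]:
            seen[host].add(family)
            if len(seen[host]) == 2:  # redundant access channel, as in the campaign
                alerts.append((host, "multiple_rmm", "+".join(sorted(seen[host])), ev["parent"]))
    return alerts


# Constructed sample telemetry: one sanctioned admin install, one workstation where a
# user-downloaded executable (hypothetical name) spawns both RMM installers.
SAMPLE_EVENTS = [
    {"host": "it-admin-01", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.exe", "parent": "msiexec.exe"},
    {"host": "ws-finance-07", "image": r"C:\Users\jdoe\AppData\Local\SimpleHelp\simplehelp-client.exe", "parent": "SSA_Statement.exe"},
    {"host": "ws-finance-07", "image": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientSetup.exe", "parent": "SSA_Statement.exe"},
    {"host": "ws-finance-07", "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The parent-process field is carried through in each alert so an analyst can see at a glance whether the installer came from a deployment tool or from something a user downloaded.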