Executive Summary
Since April 2025, the VENOMOUS#HELPER phishing campaign has targeted over 80 organizations, primarily in the United States, by exploiting legitimate Remote Monitoring and Management (RMM) tools—SimpleHelp and ScreenConnect—to establish persistent remote access. Attackers initiate the campaign with phishing emails impersonating the U.S. Social Security Administration, leading victims to download malicious executables that install these RMM tools, thereby bypassing traditional security defenses. (darkreading.com)
This incident underscores a growing trend of cybercriminals leveraging trusted software to evade detection, highlighting the need for organizations to scrutinize the use of legitimate tools within their networks and enhance employee awareness to recognize sophisticated phishing attempts. (darkreading.com)
Why This Matters Now
The VENOMOUS#HELPER campaign exemplifies the increasing misuse of legitimate RMM tools by cybercriminals to maintain undetected access within organizations. This trend necessitates immediate attention to the security of commonly used IT management software and reinforces the importance of comprehensive phishing awareness training for employees. (darkreading.com)
Attack Path Analysis
The VENOMOUS#HELPER campaign began with phishing emails impersonating the U.S. Social Security Administration, leading recipients to download malicious executables that installed legitimate RMM tools, SimpleHelp and ScreenConnect, for persistent access. Attackers leveraged these tools to execute commands and scripts, potentially escalating privileges. The RMM tools facilitated lateral movement within the network by allowing attackers to access and control multiple systems. They also enabled command and control by maintaining continuous monitoring and executing tasks on compromised systems. While specific data exfiltration methods were not detailed, the persistent access provided by the RMM tools could have been used for data theft. The campaign's impact included unauthorized access to sensitive systems and potential data breaches.
Kill Chain Progression
Initial Compromise
Description
Phishing emails impersonating the U.S. Social Security Administration led recipients to download malicious executables that installed legitimate RMM tools.
MITRE ATT&CK® Techniques
- Phishing: Spearphishing Link
- User Execution: Malicious Link
- Application Layer Protocol: Web Protocols
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- Scheduled Task/Job: Scheduled Task
- Indicator Removal: File Deletion
- System Information Discovery
- System Owner/User Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Prevent unauthorized software installations
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – User and Device Authentication
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
High-value targets for Initial Access Brokers using RMM tools to bypass security controls, enabling lateral movement and data exfiltration from sensitive financial systems.
Health Care / Life Sciences
Critical vulnerability to phishing campaigns targeting personal devices of healthcare executives, potentially compromising HIPAA-protected patient data through legitimate RMM tool abuse.
Information Technology (IT)
Significant exposure as RMM tools are commonly whitelisted in IT environments, making detection difficult while attackers gain persistent access for ransomware deployment.
Government Administration
Targeted by SSA-themed phishing exploiting public trust, with RMM tool persistence threatening sensitive government data and compliance with federal security requirements.
Sources
- RMM Tools Fuel Stealthy Phishing Campaign: https://www.darkreading.com/cyberattacks-data-breaches/rmm-tools-stealthy-phishing-campaign
- Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools: https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html
- Fake SSA Emails Drive Venomous#Helper Phishing Campaign: https://www.infosecurity-magazine.com/news/ssa-emails-venomous-helper-phishing/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to the VENOMOUS#HELPER campaign as it could have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The initial compromise may have been limited in scope, reducing the attacker's ability to exploit the network further.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been constrained, limiting their control over compromised systems.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network would likely have been restricted, limiting their access to additional systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels may have been disrupted, reducing their ability to manage compromised systems.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data would likely have been constrained, reducing the risk of data breaches.
The overall impact of the attack could have been limited, reducing unauthorized access and data breaches.
Impact at a Glance
Affected Business Functions
- IT Administration
- Network Security
- User Access Management
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of sensitive organizational data due to unauthorized remote access.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict RMM tool access and limit lateral movement.
- Enhance Threat Detection & Anomaly Response to identify unauthorized RMM tool installations and usage.
- Apply Egress Security & Policy Enforcement to monitor and control outbound traffic from RMM tools.
- Utilize Multicloud Visibility & Control to detect anomalous interactions and repeated malformed requests.
- Enforce East-West Traffic Security to prevent unauthorized internal communications facilitated by RMM tools.
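The kill-chain stages listed above (a downloaded executable launched from a mail client, an RMM client outside sanctioned deployments, persistence through Registry Run keys and scheduled tasks) and the second recommended action (detect unauthorized RMM tool installations and usage) translate directly into endpoint detection rules. The following is an added example, not code from the original report or from any vendor it names; it runs those rules over constructed telemetry records. The record shape and field names, the product-name substring matching, the list of mail and browser parent processes, and the `APPROVED_RMM` allowlist are all assumptions made for this example; the ATT&CK technique IDs are the public ones.

```python
"""Added example: RMM-abuse detections for the VENOMOUS#HELPER kill chain, run
over constructed endpoint telemetry. Record shape, field names, matching
heuristics and the allowlist are assumptions; ATT&CK IDs are the public ones."""
from __future__ import annotations

# Assumption: identify the two abused RMM products by name in image paths and
# command lines. In production, match on the exact signed binary names and
# publisher recorded in your software inventory instead.
RMM_PRODUCTS = ("simplehelp", "screenconnect")

# Assumption: sanctioned (hostname, product) deployments; anything else is unapproved.
APPROVED_RMM = {("it-jump01", "screenconnect")}

# Assumed list of mail and browser clients; a child launched from a Downloads
# folder by one of them is treated as user execution of a downloaded file.
PHISH_PARENTS = ("outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe")

RUN_KEY_MARKER = "\\currentversion\\run"  # deliberately also matches RunOnce


def rmm_product(text: str) -> str | None:
    """Return the RMM product referenced in text, or None."""
    low = text.lower()
    return next((p for p in RMM_PRODUCTS if p in low), None)


def _finding(host: str, technique: str, detail: str) -> dict:
    return {"host": host, "technique": technique, "detail": detail}


def evaluate(records: list[dict]) -> list[dict]:
    """Return one finding per record that matches a VENOMOUS#HELPER-style pattern."""
    findings: list[dict] = []
    for rec in records:
        kind = rec.get("event")
        host = rec.get("host", "?")
        if kind == "process_create":
            image = rec.get("image", "")
            parent = rec.get("parent", "").lower()
            parent_name = parent.rsplit("\\", 1)[-1]
            # User Execution: a file in Downloads started by a mail or browser client.
            if "\\downloads\\" in image.lower() and parent_name.endswith(PHISH_PARENTS):
                findings.append(_finding(host, "T1204.001",
                                         f"downloaded executable launched from {parent_name}: {image}"))
            # Remote Access Software: an RMM client outside the approved deployments.
            product = rmm_product(image)
            if product and (host, product) not in APPROVED_RMM:
                findings.append(_finding(host, "T1219",
                                         f"unapproved {product} client started: {image}"))
        elif kind == "registry_set":
            # Registry Run Keys persistence pointing at an RMM client.
            if RUN_KEY_MARKER in rec.get("key", "").lower():
                product = rmm_product(rec.get("data", ""))
                if product:
                    findings.append(_finding(host, "T1547.001",
                                             f"Run key {rec.get('value')!r} points at {product}: {rec.get('data')}"))
        elif kind == "task_create":
            # Scheduled Task persistence whose command runs an RMM client.
            product = rmm_product(rec.get("command", ""))
            if product:
                findings.append(_finding(host, "T1053.005",
                                         f"scheduled task {rec.get('name')!r} runs {product}: {rec.get('command')}"))
        # file_delete (T1070.004) is not alerted on by itself: users delete
        # downloaded installers all the time, so correlate it with the findings above.
    return findings


# Constructed sample telemetry (not real logs): one workstation, one sanctioned jump host.
SAMPLE_RECORDS = [
    {"event": "process_create", "host": "ws-fin-07", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\SSA_Statement_2025.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"event": "process_create", "host": "ws-fin-07", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\simplehelp-client.exe",
     "parent": r"C:\Users\jdoe\Downloads\SSA_Statement_2025.exe"},
    {"event": "registry_set", "host": "ws-fin-07", "user": "jdoe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater",
     "data": r"C:\Users\jdoe\AppData\Local\Temp\simplehelp-client.exe"},
    {"event": "task_create", "host": "ws-fin-07", "user": "jdoe", "name": "OfficeUpdate",
     "command": r"C:\Users\jdoe\AppData\Local\Temp\screenconnect-client.exe /silent"},
    {"event": "file_delete", "host": "ws-fin-07", "user": "jdoe",
     "path": r"C:\Users\jdoe\Downloads\SSA_Statement_2025.exe"},
    {"event": "process_create", "host": "it-jump01", "user": "svc-rmm",
     "image": r"C:\Program Files\ScreenConnect Client\screenconnect-client.exe",
     "parent": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RECORDS):
        print(f"[{f['technique']}] {f['host']}: {f['detail']}")
```

Run as-is, the sample produces four findings on `ws-fin-07` in kill-chain order (user execution, unapproved RMM client, Run-key persistence, scheduled-task persistence) and none for the sanctioned jump host, which is the behaviour the allowlist is there to give: the same ScreenConnect binary is benign on one host and an alert on another, so the rule has to key on where the tool runs, not just on its name.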