Rather than relying on traditional malware, threat actors are increasingly exploiting legitimate remote management tools to gain and maintain access to victim environments.
Tracked as VENOMOUS#HELPER, this campaign has been active since April 2025 and has already compromised more than 80 organizations, primarily in the United States. Researchers assess the operation to be financially motivated and potentially linked to initial access brokers—groups that specialize in breaching networks and selling that access to other cybercriminals, including ransomware operators.
At the core of the campaign is the abuse of widely trusted Remote Monitoring and Management (RMM) software, most notably SimpleHelp and ScreenConnect. These tools are commonly used by IT teams for legitimate remote support, making their presence in enterprise environments appear routine.
That legitimacy is what makes them so effective in the hands of attackers.
Because both applications are digitally signed and broadly recognized, they often bypass traditional antivirus and endpoint detection controls. Once installed, they grant full remote access to compromised systems, allowing attackers to execute commands, transfer files, and observe user activity—often without triggering immediate alerts.
The intrusion typically begins with a phishing email masquerading as correspondence from a trusted entity, such as a U.S. government agency. Recipients are persuaded to click a link that appears to lead to a benign document.
Instead, the download is an executable that installs SimpleHelp on the victim system.
After execution, the attackers escalate privileges—frequently achieving SYSTEM-level access. Persistence is then established by installing the tool as a service and deploying a “watchdog” mechanism that automatically reinstalls it if removed.
To reinforce their access, attackers commonly deploy ScreenConnect as a secondary remote channel. This redundancy ensures continued control even if one tool is identified and eradicated, significantly complicating remediation efforts.
The distinguishing feature of VENOMOUS#HELPER is not technical complexity, but operational subtlety. By leveraging legitimate software, attackers blend into normal IT activity, dramatically increasing the difficulty of detection.
This approach enables:
The campaign exemplifies the growing use of “living off the land” techniques, where trusted tools replace custom malware.
Abuse of RMM software has surged over the past year, reflecting a broader shift in attacker strategy. Rather than investing in sophisticated exploits, adversaries are prioritizing methods that are quieter, more reliable, and harder to distinguish from legitimate operations.
Defending against these attacks requires focusing on behavior rather than on the tools themselves. Since the software involved is not inherently malicious, detection must center on how it is used.
Key indicators include:
Risk can be reduced through strict governance of remote administration tools, application allowlisting, role-based access controls, and continuous monitoring for anomalous usage patterns.
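As an added illustration (not code from the article, nor from SimpleHelp or ScreenConnect), the following Python sketch applies that behavior-centric view to constructed service-install records shaped like Windows System event 7045: it flags SimpleHelp or ScreenConnect services on hosts outside an assumed allowlist, RMM binaries running from user-writable paths, and repeat installs on one host, the trace a reinstalling watchdog leaves. The tool patterns, allowlist and sample records are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Name fragments of the RMM tools the article names (assumed regexes).
RMM_PATTERNS = {"SimpleHelp": re.compile(r"simplehelp", re.I),
                "ScreenConnect": re.compile(r"screenconnect", re.I)}
# Allowlist baseline (assumed): hosts on which each tool is authorized.
APPROVED_HOSTS = {"SimpleHelp": {"it-jump01"}, "ScreenConnect": set()}
# A binary dropped by a phishing download usually sits under the user profile.
USER_WRITABLE = re.compile(r"\\(Users|AppData|Temp)\\", re.I)

@dataclass
class ServiceInstall:  # fields of a Windows System event 7045 record
    host: str
    service_name: str
    image_path: str

def rmm_tool(ev):
    """Return which RMM tool (if any) a service-install event refers to."""
    for tool, pat in RMM_PATTERNS.items():
        if pat.search(ev.service_name) or pat.search(ev.image_path):
            return tool
    return None

def analyze(events):
    """Return {host: [finding, ...]} for RMM installs that break the baseline."""
    findings, installs = {}, Counter()
    for ev in events:
        tool = rmm_tool(ev)
        if tool is None:
            continue  # ordinary service, not in scope
        notes = findings.setdefault(ev.host, [])
        installs[(ev.host, tool)] += 1
        if ev.host.lower() not in APPROVED_HOSTS[tool]:
            notes.append(f"{tool}: installed on host outside the allowlist")
        if USER_WRITABLE.search(ev.image_path):
            notes.append(f"{tool}: runs from user-writable path {ev.image_path}")
        if installs[(ev.host, tool)] >= 2:  # put back after removal: watchdog-style persistence
            notes.append(f"{tool}: re-installed on the same host")
    return {h: n for h, n in findings.items() if n}

# Constructed sample events (not campaign data): an approved jump host, then a workstation that gets SimpleHelp twice plus ScreenConnect.
SAMPLE_EVENTS = [
    ServiceInstall("it-jump01", "SimpleHelp Remote Access", r"C:\Program Files\SimpleHelp\Remote Access.exe"),
    ServiceInstall("ws-0421", "SimpleHelp Remote Access", r"C:\Users\jdoe\AppData\Local\SimpleHelp\Remote Access.exe"),
    ServiceInstall("ws-0421", "SimpleHelp Remote Access", r"C:\Users\jdoe\AppData\Local\SimpleHelp\Remote Access.exe"),
    ServiceInstall("ws-0421", "ScreenConnect Client (1a2b)", r"C:\Program Files (x86)\ScreenConnect Client (1a2b)\ScreenConnect.ClientService.exe"),
    ServiceInstall("ws-0421", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
]
```

In practice the records would come from the System log or an EDR feed, and the allowlist from the change-control system that authorizes remote administration tools.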
The VENOMOUS#HELPER campaign highlights a fundamental shift in the threat landscape. Attackers are no longer limited to deploying malware—they are weaponizing trust.
For defenders, the challenge is clear: identifying malicious intent concealed within legitimate activity is now one of the most critical frontiers in cybersecurity.
At Nehar Consult, we empower your employees with hands-on, real-world security awareness training that significantly reduces the risk and impact of identity theft—turning your people into a resilient, frontline human firewall, in a way that does not take them away from work. Beyond training, we work closely with your organization to navigate and complete the required cybersecurity frameworks, ensuring full CSAT fulfillment with clarity, confidence, and regulatory readiness.
Security Awareness Training Assessment Tool: Check your eligibility here
Schedule your next appointment here: Book your Appointment
Check how strong your password is with Free Nehar Password Check: Click here
Check what PCI DSS SAQ form is appropriate for your organization with our Free Calculator: Check here