A Phishing Campaign That Hides in Plain Sight
A sophisticated phishing campaign known as VENOMOUS#HELPER has compromised more than 80 organizations across the United States, and what makes it particularly alarming is not the tools the attackers built, but the ones they borrowed. The campaign exploits legitimate Remote Monitoring and Management (RMM) software, specifically SimpleHelp and ScreenConnect, to establish persistent remote access inside victim networks.
RMM tools are widely used by IT departments and managed service providers to remotely diagnose, update, and manage endpoints. Because they are trusted by corporate security filters, they represent an attractive vehicle for attackers who want to blend in with normal network traffic. VENOMOUS#HELPER takes full advantage of this trust.
The attack chain begins with phishing emails that direct victims to compromised business websites. Using real, previously legitimate domains helps the campaign evade email security filters and web reputation checks that would flag unknown or newly registered sites. Once a victim interacts with the malicious content, RMM software is silently installed, giving attackers a persistent foothold that can survive reboots, endpoint scans, and even some security tool deployments.
How RMM Software Becomes a Liability
The core problem exposed by VENOMOUS#HELPER is not that SimpleHelp or ScreenConnect are inherently insecure. These are reputable products used by thousands of legitimate IT teams every day. The problem is that attackers have figured out how to weaponize the very features that make these tools useful: lightweight installation, persistent connectivity, and the ability to pivot across a network.
Once installed, RMM agents typically communicate outbound over standard web ports, which many firewalls allow by default. This means an attacker controlling a rogue RMM session can move laterally to adjacent systems, exfiltrate data, or deploy additional malware, all while appearing to be routine IT activity on network monitoring dashboards.
The use of compromised third-party websites as the delivery mechanism adds another layer of difficulty for defenders. Traditional indicators of compromise, like flagging unknown domains or unsigned executables, are less effective when the payload arrives from a site that security tools have already classified as benign.
What This Means For You
For individuals, especially those working remotely or in hybrid environments, this campaign is a reminder that the software your employer uses to manage your work device carries real risk if not properly governed. RMM tools typically run with elevated privileges. If an attacker gains control of that channel, they have broad access to your machine and potentially the files and credentials on it.
This is not a reason to panic, but it is a reason to ask questions. Employees have a legitimate interest in knowing what remote access software is installed on their devices, who has the ability to initiate a session, and whether those sessions are logged and auditable. Responsible employers should be able to answer all three questions clearly.
For organizations, VENOMOUS#HELPER illustrates why zero-trust principles matter in practice. A zero-trust architecture does not assume that traffic originating from a trusted tool or a known IP address is automatically safe. Every session, every access request, and every lateral connection is verified. Combined with multi-factor authentication and network segmentation, this approach significantly limits what an attacker can do even after they have gained an initial foothold.
VPN usage within a corporate network also plays a role here. Encrypted tunnels between remote workers and internal resources reduce the exposure of sensitive traffic to interception, and they create a consistent authentication checkpoint that RMM-based attackers would need to overcome.
Actionable Takeaways
Whether you are an individual employee or responsible for organizational security, there are concrete steps worth taking in response to what VENOMOUS#HELPER reveals.
For individuals:
- Ask your IT department what RMM software is installed on your work devices and request a written policy on how remote sessions are initiated and logged.
- Be cautious with emails that direct you to external websites, even ones that appear familiar or professional.
- Report anything that installs software or requests elevated permissions without a clear prior request from you.
For organizations:
- Audit all deployed RMM tools and ensure only authorized versions with known configurations are present on endpoints.
- Restrict RMM software from communicating with any server outside your approved vendor infrastructure.
- Implement application allowlisting to prevent unauthorized RMM agents from executing.
- Treat phishing simulations as a continuous program, not a one-time exercise, particularly for employees who work with external vendors.
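The three organizational controls above (audit deployed RMM tools, restrict them to approved vendor infrastructure, and allowlist what may execute) can be turned into a repeatable check. The Python below is an added example written for this article, not code from SimpleHelp, ScreenConnect, or the campaign write-up. The approved-deployment table, the endpoint inventory, and the connection log lines are all constructed placeholders (reserved `.invalid` hostnames, made-up workstation names and versions) that you would replace with your own inventory export and egress logs.

```python
"""Audit RMM agents on endpoints against an approved-deployment allowlist.

Added example for this article; not vendor or campaign code. Every hostname,
workstation name, version and log line here is a constructed placeholder.
"""
import csv
import io
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Approved RMM deployments: product -> approved version and the only server
# hosts an agent of that product may be configured for or connect to.
# Constructed values: substitute your own vendor infrastructure.
APPROVED_RMM = {
    "ScreenConnect": {"version": "23.9.8", "servers": {"rmm.corp.example"}},
}


@dataclass(frozen=True)
class Finding:
    host: str      # endpoint the finding applies to
    product: str   # RMM product involved
    reason: str    # machine-readable reason code
    detail: str    # human-readable explanation


def server_host(url):
    """Return the bare, lower-cased hostname from a server URL or host:port."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower()


def parse_inventory(text):
    """Parse an endpoint inventory export (constructed CSV: host,product,version,server)."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def audit_inventory(rows, approved=APPROVED_RMM):
    """Flag agents that are not an approved product, version, or server configuration."""
    findings = []
    for r in rows:
        product, version = r["product"], r["version"]
        spec = approved.get(product)
        if spec is None:
            findings.append(Finding(r["host"], product, "unapproved-product",
                                    f"{product} {version} is not an authorized RMM tool"))
            continue
        if version != spec["version"]:
            findings.append(Finding(r["host"], product, "unapproved-version",
                                    f"{product} {version} differs from approved {spec['version']}"))
        if server_host(r["server"]) not in spec["servers"]:
            findings.append(Finding(r["host"], product, "unapproved-server",
                                    f"{product} is configured for {r['server']}"))
    return findings


# Egress records in a constructed key=value format (ts, host, product, dst, action).
LOG_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_connections(text):
    """Parse key=value egress log lines; keep only records with host, product and dst."""
    records = []
    for line in text.strip().splitlines():
        fields = dict(LOG_FIELD.findall(line))
        if {"host", "product", "dst"} <= fields.keys():
            records.append(fields)
    return records


def audit_connections(records, approved=APPROVED_RMM):
    """Flag RMM traffic to any destination outside the approved vendor servers."""
    findings = []
    for c in records:
        spec = approved.get(c["product"])
        dst_host = server_host(c["dst"])
        if spec is None or dst_host not in spec["servers"]:
            findings.append(Finding(c["host"], c["product"], "egress-outside-vendor",
                                    f"{c['product']} connected to {c['dst']}"))
    return findings


# Constructed sample data: one compliant endpoint, one legitimate product pointed at a
# foreign server (the VENOMOUS#HELPER pattern), and one product not on the allowlist.
INVENTORY = """host,product,version,server
WS-0142,ScreenConnect,23.9.8,https://rmm.corp.example:443
WS-0311,ScreenConnect,23.9.8,https://relay.unapproved-placeholder.invalid:443
WS-0520,SimpleHelp,1.2.3,https://support.unknown-placeholder.invalid
"""

CONNECTIONS = """ts=2024-05-01T10:02:11Z host=WS-0142 product=ScreenConnect dst=rmm.corp.example:443 action=allow
ts=2024-05-01T10:02:40Z host=WS-0311 product=ScreenConnect dst=relay.unapproved-placeholder.invalid:443 action=allow
ts=2024-05-01T10:03:05Z host=WS-0520 product=SimpleHelp dst=support.unknown-placeholder.invalid:443 action=allow
"""


def run_audit(inventory=INVENTORY, connections=CONNECTIONS):
    """Combine both audits; the result is the input to an allowlisting/egress-block decision."""
    return audit_inventory(parse_inventory(inventory)) + audit_connections(parse_connections(connections))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.host}\t{f.product}\t{f.reason}\t{f.detail}")
```

The `unapproved-server` and `egress-outside-vendor` findings are the ones that map most directly onto this campaign: a product your own IT team legitimately uses, pointed at a server that is not yours. An agent that passes the inventory check but shows up in the egress findings is the case the firewall rule in the second bullet above is meant to catch, so both audits are worth running rather than relying on the inventory alone.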
VENOMOUS#HELPER is a useful case study in how attackers adapt to the modern IT environment. Rather than fighting security tools directly, they find ways to use trusted software as cover. The best defense is a layered one: skeptical users, strict network policies, and security architectures that assume compromise is always possible.