- A phishing campaign codenamed VENOMOUS#HELPER has targeted over 80 organizations, primarily in the U.S., since at least April 2025.
- Attackers use legitimate Remote Monitoring and Management (RMM) tools like SimpleHelp and ScreenConnect to establish persistent, stealthy access to compromised systems.
- The campaign begins with emails impersonating the U.S. Social Security Administration, directing victims to download malware from compromised legitimate websites.
- This operation aligns with a financially motivated Initial Access Broker (IAB) or a ransomware precursor, according to Securonix researchers.
Since at least April 2025, a sophisticated phishing campaign has been targeting organizations, primarily in the U.S., by weaponizing legitimate remote access software to hijack computer systems. Dubbed VENOMOUS#HELPER, this operation has impacted over 80 entities, as detailed in a report shared by Securonix researchers.
The attack begins with emails impersonating the U.S. Social Security Administration. Victims are tricked into clicking a link that leads to a compromised but legitimate Mexican business website.
This link ultimately delivers a malicious executable from a second attacker-controlled domain. The malware, packaged to look like a document, then installs the SimpleHelp RMM tool as a persistent Windows service.
Once installed, the software establishes a robust foothold with a “self-healing watchdog” and frequent system checks. It also uses a legitimate component called “elev_win.exe” to gain powerful SYSTEM-level privileges on the infected machine.
This elevated access allows the attacker to read screens, inject keystrokes, and freely navigate the network. Furthermore, the operators often deploy a second RMM tool, ConnectWise ScreenConnect, as a redundant backup channel.
Researchers noted that the campaign overlaps with activity clusters previously tracked by Red Canary and Sophos. The use of dual, signed RMM tools creates a significant challenge for standard antivirus defenses, which see only legitimate software.
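One defensive check for the pattern described above (an RMM tool installed as a persistent Windows service) is to watch service-installation records. The following is an added example, not code from the Securonix report or this article: it parses Windows System-log Event ID 7045 ("A service was installed") entries, flattened to one line per event in a constructed layout, and flags new services whose name or binary path references the tools the article names (SimpleHelp, ScreenConnect, elev_win.exe) unless the binary sits under an approved install root. All service names and paths in the sample are constructed, not observed indicators.

```python
import re
from dataclasses import dataclass

# Keywords drawn from the article: the two RMM tools and the elevation helper it names.
RMM_KEYWORDS = ("simplehelp", "screenconnect", "elev_win.exe")

# Constructed one-line rendering of a System-log Event ID 7045 record (not native Windows XML).
EVENT_7045 = re.compile(
    r'EventID=7045 Service="(?P<name>[^"]*)" ImagePath="(?P<path>[^"]*)" '
    r'StartType="(?P<start>[^"]*)" Account="(?P<account>[^"]*)"'
)

@dataclass
class ServiceInstall:
    name: str
    image_path: str
    start_type: str
    account: str

def parse_service_installs(lines):
    """Return the 7045 records in `lines` as ServiceInstall objects; other event IDs are skipped."""
    found = []
    for line in lines:
        m = EVENT_7045.search(line)
        if m:
            found.append(ServiceInstall(m["name"], m["path"], m["start"], m["account"]))
    return found

def is_unapproved_rmm(svc, approved_paths=()):
    """True if the service name or binary references an RMM keyword and the binary is outside approved roots."""
    haystack = f"{svc.name} {svc.image_path}".lower()
    if not any(k in haystack for k in RMM_KEYWORDS):
        return False
    return not any(svc.image_path.lower().startswith(p.lower()) for p in approved_paths)

def find_unapproved_rmm_installs(lines, approved_paths=()):
    """Names of newly installed services that look like RMM tooling outside the approved install roots."""
    return [s.name for s in parse_service_installs(lines) if is_unapproved_rmm(s, approved_paths)]

# Constructed sample events: a user-writable SimpleHelp install, a benign agent, a ScreenConnect
# install in a user-writable path, an IT-approved ScreenConnect install, and an unrelated 7036 event.
SAMPLE_LOG = [
    'EventID=7045 Service="SimpleHelp Remote Access" ImagePath="C:\\Users\\Public\\sh\\Remote Access.exe" StartType="auto start" Account="LocalSystem"',
    'EventID=7045 Service="Contoso Backup Agent" ImagePath="C:\\Program Files\\Contoso\\backup.exe" StartType="auto start" Account="LocalSystem"',
    'EventID=7045 Service="ScreenConnect Client (backup)" ImagePath="C:\\Users\\Public\\sc\\ScreenConnect.ClientService.exe" StartType="auto start" Account="LocalSystem"',
    'EventID=7045 Service="ScreenConnect Client (helpdesk)" ImagePath="C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe" StartType="auto start" Account="LocalSystem"',
    'EventID=7036 Service="SimpleHelp Remote Access" State="running"',
]

if __name__ == "__main__":
    approved = ("C:\\Program Files (x86)\\ScreenConnect Client",)
    for name in find_unapproved_rmm_installs(SAMPLE_LOG, approved_paths=approved):
        print("unapproved RMM service installed:", name)
```

Because both tools are legitimately signed, the allowlist of approved install roots (and ideally approved installing accounts) is what separates the organization's own RMM from an attacker's copy; the sample flags the two installs under C:\Users\Public and passes the one under the approved path.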
