
Phishing Campaign Uses Legitimate RMM Tools for Access

VENOMOUS#HELPER phishing targets US orgs with RMM tools via Social Security impersonation

  • A phishing campaign codenamed VENOMOUS#HELPER has targeted over 80 organizations, primarily in the U.S., since at least April 2025.
  • Attackers use legitimate Remote Monitoring and Management (RMM) tools like SimpleHelp and ScreenConnect to establish persistent, stealthy access to compromised systems.
  • The campaign begins with emails impersonating the U.S. Social Security Administration, directing victims to download malware from compromised legitimate websites.
  • This operation aligns with a financially motivated Initial Access Broker (IAB) or a ransomware precursor, according to Securonix researchers.

Since at least April 2025, a sophisticated phishing campaign has been targeting organizations, primarily in the U.S., by weaponizing legitimate remote access software to hijack computer systems. Dubbed VENOMOUS#HELPER, this operation has impacted over 80 entities, as detailed in a report shared by Securonix researchers.

The attack begins with emails impersonating the U.S. Social Security Administration. Victims are tricked into clicking a link that leads to a compromised but legitimate Mexican business website.

This link ultimately delivers a malicious executable from a second attacker-controlled domain. The malware, packaged to look like a document, then installs the SimpleHelp RMM tool as a persistent Windows service.

Once installed, the deployed software establishes a robust foothold with a “self-healing watchdog” and frequent system checks. It also uses a legitimate component called “elev_win.exe” to gain powerful SYSTEM-level privileges on the infected machine.

This elevated access allows the attacker to read screens, inject keystrokes, and freely navigate the network. Furthermore, the operators often deploy a second RMM tool, ConnectWise ScreenConnect, as a redundant backup channel.

Researchers noted the campaign shares overlaps with clusters previously tracked by Red Canary and Sophos. The use of dual, signed RMM tools creates a significant challenge for standard antivirus defenses, which see only legitimate software.
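
Because the binaries are legitimate and signed, detection has to rest on policy: which remote-access tools are sanctioned on which hosts. The Python below is an added example, not code from the Securonix report; it audits a service inventory for unsanctioned RMM tools and for hosts running more than one. The keyword matching, host names, paths and the approved-tools map are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: product keywords matched case-insensitively against the service
# name and binary path. "elev_win.exe" is the component named in the article.
RMM_KEYWORDS = {
    "SimpleHelp": ("simplehelp", "elev_win.exe"),
    "ScreenConnect": ("screenconnect",),
}

def rmm_family(record):
    """Return the RMM family a service record belongs to, or None."""
    haystack = f"{record['name']} {record['path']}".lower()
    for family, keywords in RMM_KEYWORDS.items():
        if any(k in haystack for k in keywords):
            return family
    return None

def audit(records, approved):
    """Flag hosts with unsanctioned RMM tools or more than one RMM family.

    approved maps host -> set of RMM families IT has sanctioned on that host.
    """
    seen = defaultdict(set)
    for rec in records:
        family = rmm_family(rec)
        if family:
            seen[rec["host"]].add(family)
    findings = {}
    for host, families in seen.items():
        flags = []
        unapproved = sorted(families - approved.get(host, set()))
        if unapproved:
            flags.append("UNAPPROVED_RMM:" + ",".join(unapproved))
        if len(families) > 1:  # redundant backup channel, as described above
            flags.append("MULTIPLE_RMM")
        if flags:
            findings[host] = flags
    return findings

# Constructed sample inventory (hypothetical hosts and paths, not from the report)
SAMPLE = [
    {"host": "ws-01", "name": "Remote Support", "path": r"C:\Tools\SimpleHelp\service.exe"},
    {"host": "ws-01", "name": "ScreenConnect Client", "path": r"C:\Apps\ScreenConnect\client.exe"},
    {"host": "ws-02", "name": "ScreenConnect Client", "path": r"C:\Apps\ScreenConnect\client.exe"},
    {"host": "ws-03", "name": "Print Spooler", "path": r"C:\Windows\System32\spoolsv.exe"},
]
APPROVED = {"ws-01": {"ScreenConnect"}, "ws-02": {"ScreenConnect"}}

if __name__ == "__main__":
    for host, flags in audit(SAMPLE, APPROVED).items():
        print(host, flags)
```

In practice the records would come from an endpoint inventory of installed Windows services, and the approved map from the IT team's list of sanctioned remote-support tools.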
