[TIMESTAMP: 2026-05-04 20:34 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

VENOMOUS#HELPER Phishing Campaign Exploits SimpleHelp and ScreenConnect

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Over 80 organizations face persistent unauthorized remote access via legitimate management tools following successful phishing attacks.
  • [02] Affected systems: Enterprise environments allowing the installation of SimpleHelp or ConnectWise ScreenConnect without strict administrative controls or application whitelisting.
  • [03] Remediation: Implement application control policies and monitor for unauthorized RMM software installations and unusual network traffic to known RMM domains.

Overview of VENOMOUS#HELPER

A sophisticated threat campaign, identified by security researchers as VENOMOUS#HELPER, has targeted more than 80 organizations since April 2025. This activity centers on the abuse of legitimate Remote Monitoring and Management (RMM) software to maintain stealthy, long-term access to victim networks. According to The Hacker News, the campaign primarily impacts entities within the United States, utilizing tools like SimpleHelp and ConnectWise ScreenConnect as secondary C2 channels.

Securonix researchers have observed that the campaign relies on phishing as the initial access vector. By masquerading as legitimate communications, the attackers trick users into executing payloads that eventually lead to the deployment of these RMM tools. This TTP is particularly effective because security software often trusts digitally signed, legitimate administrative tools, allowing the attackers to bypass traditional EDR detections that focus on malicious binary signatures.

How to Detect VENOMOUS#HELPER Phishing Efforts

Detecting this campaign requires a shift from identifying malware to identifying the unauthorized use of legitimate software. Defenders should look for specific indicators, such as the execution of SimpleHelp-Remote-Access.exe or ConnectWise ScreenConnect binaries from unusual directories like %TEMP% or %APPDATA%. Analyzing network logs for outbound connections to SimpleHelp-related domains or ScreenConnect relay servers is also a high-fidelity way to confirm that a VENOMOUS#HELPER phish has succeeded within the environment.

Because the actors use legitimate tools, SOC teams must establish a baseline of authorized RMM usage. Any deviation from the standard administrative toolset used by the internal IT department should be treated as a high-priority incident. Detecting SimpleHelp RMM persistence often involves monitoring for new services or scheduled tasks that reference the SimpleHelp binary, especially those running as SYSTEM or with otherwise elevated privileges.
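As an added illustration of the baseline-versus-deviation logic described above (example code, not from the article, Securonix or the RMM vendors), the Python below triages constructed Sysmon-style process and service events: RMM binaries outside the approved install directory are flagged, with execution from %TEMP%/%APPDATA% and service-based persistence rated high. The approved directory and all sample paths are assumptions.

```python
import re

# Product names called out in the article; matched anywhere in the image path.
RMM_NAME = re.compile(r"simplehelp|screenconnect", re.I)
# Directories a phished user can write to: %TEMP%, %APPDATA%, and Windows\Temp.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local\\Temp|Roaming)|Windows\\Temp)\\", re.I)
# Assumed baseline: where the internal IT department's sanctioned RMM is installed.
APPROVED_DIRS = ("c:\\program files (x86)\\simplehelp\\",)

# Constructed sample events (Sysmon-like: process creation and service install).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\jdoe\AppData\Local\Temp\SimpleHelp-Remote-Access.exe"},
    {"type": "process", "image": r"C:\Program Files (x86)\SimpleHelp\Remote Access\SimpleHelp-Remote-Access.exe"},
    {"type": "process", "image": r"C:\Users\jdoe\AppData\Roaming\ScreenConnect\ScreenConnect.ClientService.exe"},
    {"type": "service", "image": r"C:\Users\jdoe\AppData\Local\Temp\SimpleHelp-Remote-Access.exe"},
    {"type": "process", "image": r"C:\ProgramData\RemoteSupport\SimpleHelp-Remote-Access.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe"},
]


def is_approved_path(image: str) -> bool:
    """True when the binary lives under an approved RMM install directory (the baseline)."""
    return image.lower().startswith(APPROVED_DIRS)  # startswith accepts a tuple of prefixes


def triage(events):
    """Return (severity, rule, image) for every RMM binary that deviates from the baseline."""
    findings = []
    for ev in events:
        image = ev.get("image", "")
        if not RMM_NAME.search(image) or is_approved_path(image):
            continue  # not an RMM binary, or the sanctioned IT installation
        if ev["type"] == "service":
            # A new service pointing at an unsanctioned RMM binary is persistence as SYSTEM.
            findings.append(("high", "rmm_service_persistence", image))
        elif USER_WRITABLE.search(image):
            # RMM client launched from %TEMP%/%APPDATA%: consistent with a phished drop.
            findings.append(("high", "rmm_exec_from_user_dir", image))
        else:
            # RMM binary in an unexpected but non-temp location: still outside the baseline.
            findings.append(("medium", "rmm_outside_baseline", image))
    return findings


if __name__ == "__main__":
    for severity, rule, image in triage(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {rule}: {image}")
```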

Analysis of RMM-Based Persistence

The VENOMOUS#HELPER campaign highlights a broader trend in the threat landscape: the weaponization of administrative utilities. By abusing ConnectWise ScreenConnect's remote access features, threat actors gain full desktop control, file transfer capabilities, and terminal access without needing to maintain custom backdoors. This reduces their footprint and aligns with the MITRE ATT&CK framework's "Living off the Land" philosophy.

Once the RMM tool is installed, the attackers can perform various post-compromise activities, including reconnaissance, credential harvesting, and potentially deploying ransomware. The use of RMM tools as a backup access method ensures that even if the primary malware is discovered and removed, the attackers can regain access through the legitimate remote session software.

Defensive Recommendations

To mitigate the risk of VENOMOUS#HELPER and similar campaigns, organizations should adopt a Zero Trust approach to software installation. Only verified administrative accounts should have the permissions required to install new services or software.

  1. Application Whitelisting: Implement strict policies to block the execution of RMM tools that are not explicitly approved for company use.
  2. Network Segmentation: Restrict outbound traffic from workstations to known RMM relay IP addresses and domains unless there is a documented business need.
  3. Endpoint Monitoring: Configure security tools to alert on the creation of new services by non-admin users or the appearance of RMM-related artifacts in temporary folders.
  4. User Training: Reinforce the importance of verifying the source of unsolicited emails, particularly those requesting the download of software for technical support purposes.
