Dark Reading
RMM Tools Fuel Stealthy Phishing Campaign
Attackers are abusing two remote monitoring and management (RMM) tools to evade detection in a campaign that has impacted over 80 organizations so far.
Jai Vijayan, Contributing Writer
May 4, 2026
4 Min Read
A stealthy phishing campaign targeting organizations across multiple industries highlights a growing trend by attackers to weaponize legitimate IT management tools to bypass security controls and maintain persistence on compromised systems.
Security researchers at Securonix say the campaign, which they are tracking as VENOMOUS#HELPER, has been active since at least April 2025 and has hit more than 80 organizations, primarily in the US but also in Western Europe and Latin America.
Not One, But Two RMM Tools
What makes the campaign noteworthy, according to Securonix, is its deliberate avoidance of traditional malware in favor of two legitimately signed, commercially available remote monitoring and management (RMM) tools, SimpleHelp and ScreenConnect, which the attacker uses to maintain persistent control over victim machines.
The choice of two RMM tools ensures that even if a victim organization spots one of them and removes it, the threat actor still maintains access via the second. "No attribution has been formally assigned; Securonix assesses this activity is consistent with a financially motivated Initial Access Broker (IAB) or ransomware precursor operation targeting the Western economic bloc," the security vendor said.
RMM tools allow attackers a low-friction way to gain access to and maintain persistence on a victim environment. Because of how widely IT teams use them for legitimate purposes like routine administration and maintenance, the tools rarely trigger security alerts and give bad actors a way to blend malicious activity in with normal operations. That dynamic has fueled a massive surge in the use of RMM tools in new attacks.
Researchers at Huntress reported a 277% year-over-year increase in RMM tool misuse in 2025, with the tools appearing in nearly a quarter of all incidents. Over the same period, use of traditional hacking tools dropped by 53%, highlighting a shift toward trusted software as an attack vector. “Remote monitoring and management (RMM) tools are cybercriminals' new favorite weapon,” the company said.
The VENOMOUS#HELPER Attack Chain
VENOMOUS#HELPER attacks begin with a convincingly crafted phishing email that masquerades as a message from the US Social Security Administration (SSA). Recipients are informed about a new statement available for download and are prompted to click a link. Users who follow through are directed to a phishing page hosted on a legitimate but previously compromised website.
The page looks like an official SSA page and prompts the user to confirm their email address and to download what appears to be a genuine SSA statement. In reality, the file is a malicious executable that initiates a sequence of actions leading to the installation of the SimpleHelp and ScreenConnect RMM tools on the victim's system.
Notably, according to Securonix, the operator of the VENOMOUS#HELPER campaign is using each of the tools for a different purpose. SimpleHelp is the primary RMM channel, which the threat actor uses to run scripts and commands, execute automated tasks, conduct surveillance, and perform continuous monitoring of infected systems. ScreenConnect, meanwhile, is used for interactive desktop control.
Securonix's analysis showed the tools operating quietly but continuously on compromised systems, taking literally hundreds of background actions in a short time frame, including checks on network connectivity, user activity, and installed security tools. The security vendor found the attacker tracking cursor movement to determine when a user might be away from their systems so they could execute hands-on attacks.
Aaron Beardslee, manager of threat research at Securonix, says available evidence suggests the attacks are likely targeted and designed to attract the attention of users who are actually interested in Social Security topics, especially statements in this case.
"From the small sample set we believe this campaign could be targeted at higher-tier employees' personal emails with the hope those individuals would open their personal email on company devices," Beardslee says, adding that there's also some data to suggest the attacker has an interest in individuals with access to their organization's cryptocurrency assets.
Campaigns like this highlight why security teams need to instill a healthy dose of "cyber paranoia" within their organizations, Beardslee notes. In this particular instance, anyone who is remotely security-aware would be able to spot the SSA messages for the fakes they are. "But a sales rep, HR, or C-suite employee may not be so attuned to the attacker methodology," he says. "This is where a solid security program that instills 'cyber paranoia' is essential."
Logging of endpoint activity, combined with a strong SIEM or EDR platform that captures detailed system activity, can also be useful in quickly surfacing unusual behavior, including unauthorized installation of RMM tools, Beardslee explains.
"Application whitelisting can stop these attacks outright," he says. "Network monitoring adds another layer by helping detect and block suspicious activity. But none of this helps if users fall for the lure on personal devices."
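The two detection ideas above, surfacing unauthorized RMM installations from endpoint process telemetry and catching the dual-tool pattern, can be expressed as a small rule set. The following is an added example written for this article, not code from Securonix, Huntress, or either RMM vendor: the log lines are constructed Sysmon-style process-creation events, and the RMM path patterns, the approved-deployment allowlist, and the host and user names are all assumptions that a real deployment would replace with its own software inventory.

```python
"""
Flag unapproved RMM client activity in endpoint process-creation telemetry.

Constructed example: the events below are made up for illustration, and the
RMM name patterns and the approved-deployment allowlist are assumptions to be
replaced with a real software inventory.
"""
import json
from collections import defaultdict

# Case-insensitive substrings that identify the two RMM products named in the
# campaign. These are assumed patterns; confirm the exact binary names and
# install directories against your own inventory before relying on them.
RMM_PATTERNS = {
    "SimpleHelp": ("simplehelp", "jwrapper-remote access"),
    "ScreenConnect": ("screenconnect",),
}

# (host, product) pairs where IT legitimately deployed that RMM tool (assumed).
APPROVED = {
    ("it-admin-01", "ScreenConnect"),
}

# Constructed Sysmon-style process-creation events, one JSON object per line.
# A raw string keeps the doubled backslashes that JSON needs for Windows paths.
SAMPLE_LOG = r"""
{"ts":"2026-04-21T09:02:11Z","host":"fin-laptop-07","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\Downloads\\SSA_Statement.exe","parent":"C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"ts":"2026-04-21T09:02:40Z","host":"fin-laptop-07","user":"CORP\\jdoe","image":"C:\\ProgramData\\JWrapper-Remote Access\\Remote Access.exe","parent":"C:\\Users\\jdoe\\Downloads\\SSA_Statement.exe"}
{"ts":"2026-04-21T09:03:05Z","host":"fin-laptop-07","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe","parent":"C:\\Windows\\System32\\services.exe"}
{"ts":"2026-04-21T09:10:00Z","host":"it-admin-01","user":"CORP\\helpdesk","image":"C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe","parent":"C:\\Windows\\System32\\services.exe"}
{"ts":"2026-04-21T09:12:30Z","host":"hr-desktop-03","user":"CORP\\asmith","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe"}
"""


def classify_rmm(image):
    """Return the RMM product an image path matches, or None if it is not RMM."""
    low = image.lower()
    for product, needles in RMM_PATTERNS.items():
        if any(needle in low for needle in needles):
            return product
    return None


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events):
    """Apply three rules and return a list of findings (dicts with a 'rule' key).

    unapproved_rmm:                RMM process on a host with no approved deployment
    rmm_spawned_from_user_download: RMM process whose parent lives in a Downloads folder
    multiple_rmm_products:         more than one RMM product seen on the same host
    """
    findings = []
    products_per_host = defaultdict(set)
    for ev in events:
        product = classify_rmm(ev["image"])
        if product is None:
            continue
        products_per_host[ev["host"]].add(product)
        if (ev["host"], product) not in APPROVED:
            findings.append({"rule": "unapproved_rmm", "host": ev["host"],
                             "product": product, "image": ev["image"],
                             "parent": ev["parent"], "ts": ev["ts"]})
        # An RMM client launched by something in a user's Downloads folder is
        # the shape of the phishing chain described above, not an IT rollout.
        if "\\downloads\\" in ev["parent"].lower():
            findings.append({"rule": "rmm_spawned_from_user_download",
                             "host": ev["host"], "product": product,
                             "parent": ev["parent"], "ts": ev["ts"]})
    for host, products in products_per_host.items():
        if len(products) > 1:
            findings.append({"rule": "multiple_rmm_products", "host": host,
                             "products": sorted(products)})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Running the script against the constructed sample prints four findings, all on fin-laptop-07: two unapproved RMM processes, one RMM client whose parent was the downloaded "statement", and one host running both products. The approved ScreenConnect instance on it-admin-01 produces nothing, which is the point of keying the rule on a deployment inventory rather than on the product name alone. Whatever allowlist you use, review it as carefully as the alerts: an attacker-installed ScreenConnect on a host that is already approved for ScreenConnect would only be caught by the parent-process or instance-specific checks.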
About the Author
Jai Vijayan
Contributing Writer
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.