- What: RMM tools are being used in a stealthy phishing campaign
- Impact: IT professionals and organizations may be targeted
RMM Tools Fuel Stealthy Phishing Campaign

Attackers are abusing two remote monitoring and management (RMM) tools to evade detection in a campaign that has impacted over 80 organizations so far.
Jai Vijayan, Contributing Writer, May 4, 2026

A stealthy phishing campaign targeting organizations across multiple industries highlights a growing trend of attackers weaponizing legitimate IT management tools to bypass security controls and maintain persistence on compromised systems.

Security researchers at Securonix say the campaign, which they are tracking as VENOMOUS#HELPER, has been active since at least April 2025 and has hit more than 80 organizations, primarily in the US but also in Western Europe and Latin America.

Not One, But Two RMM Tools

What makes the campaign noteworthy, according to Securonix, is its deliberate avoidance of traditional malware in favor of two legitimately signed, commercially available remote monitoring and management (RMM) tools — SimpleHelp and ScreenConnect — to maintain persistent control over victim machines. Using two RMM tools ensures that even if a victim organization spots one of them and removes it, the threat actor still has access via the second.

"No attribution has been formally assigned; Securonix assesses this activity is consistent with a financially motivated Initial Access Broker (IAB) or ransomware precursor operation targeting the Western economic bloc," the security vendor said.

RMM tools give attackers a low-friction way to gain access to and maintain persistence in a victim environment. Because IT teams use them so widely for legitimate purposes such as routine administration and maintenance, the tools rarely trigger security alerts, letting bad actors blend malicious activity in with normal operations. That dynamic has fueled a massive surge in the use of RMM tools in new attacks. Researchers at Huntress reported a 277% year-over-year increase in RMM tool misuse in 2025, with the tools appearing in nearly a quarter of all incidents.
Over the same period, use of traditional hacking tools dropped by 53%, highlighting a shift toward trusted software as an attack vector. "Remote monitoring and management (RMM) tools are cybercriminals' new favorite weapon," the company said.

The VENOMOUS#HELPER Attack Chain

VENOMOUS#HELPER attacks begin with a convincingly crafted phishing email that masquerades as a message from the US Social Security Administration (SSA). Recipients are told that a new statement is available for download and are prompted to click a link. Users who follow through are directed to a phishing page hosted on a legitimate but previously compromised website. The page looks like an official SSA page and prompts the user to confirm their email address and download what appears to be a genuine SSA statement. In reality, the file is a malicious executable that initiates a sequence of actions leading to the installation of the SimpleHelp and ScreenConnect RMM tools on the victim's system.

Notably, according to Securonix, the operator of the VENOMOUS#HELPER campaign is using each tool for a different purpose. SimpleHelp is the primary RMM channel, which the threat actor uses to run scripts and commands, execute automated tasks, conduct surveillance, and continuously monitor infected systems. ScreenConnect, meanwhile, is used for interactive desktop control. Securonix's analysis showed the tools operating quietly but continuously on compromised systems, taking hundreds of background actions in a short time frame, including checks on network connectivity, user activity, and installed security tools. The security vendor also found the attacker tracking cursor movement to determine when a user was likely away from the system, so they could carry out hands-on attacks unobserved.
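Viewed from the detection side, the chain above leaves a recognizable pattern in endpoint process-creation logs: an RMM agent spawned by a file the user downloaded, an agent that is not on the IT-approved list, and a host carrying two RMM products at once. This added example (not from the article or from Securonix) scores constructed events against those three rules; the executable names, approved-product list and download-path heuristic are assumptions to be replaced with your own telemetry and policy.

```python
from collections import defaultdict
# Illustrative (assumed) executable names per RMM product; use your own telemetry's names.
RMM_SIGNATURES = {
    "SimpleHelp": {"simplehelp-client.exe"},
    "ScreenConnect": {"screenconnect.client.exe"},
}
# RMM products IT has sanctioned (assumed policy); anything else is unauthorized.
APPROVED_RMM = {"ScreenConnect"}
# Parent under a download/temp path suggests a user-run lure, not IT deployment (assumed).
USER_LAUNCH_HINTS = ("\\downloads\\", "\\temp\\")

# Constructed process-creation events: timestamp|host|user|parent_image|image
SAMPLE_EVENTS = [
    "2026-04-10T09:15:01|WS-042|jdoe|C:\\Users\\jdoe\\Downloads\\statement.exe"
    "|C:\\Users\\jdoe\\AppData\\Local\\SimpleHelp\\simplehelp-client.exe",
    "2026-04-10T09:15:07|WS-042|jdoe|C:\\Users\\jdoe\\Downloads\\statement.exe"
    "|C:\\Program Files (x86)\\ScreenConnect Client\\screenconnect.client.exe",
    "2026-04-10T10:00:00|WS-017|svc-deploy|C:\\Program Files\\DeployAgent\\deploy.exe"
    "|C:\\Program Files (x86)\\ScreenConnect Client\\screenconnect.client.exe",
]

def parse_event(line):
    """Split one event line into fields; paths are lower-cased for matching."""
    ts, host, user, parent, image = line.strip().split("|")
    return {"ts": ts, "host": host, "user": user,
            "parent": parent.lower(), "image": image.lower()}

def rmm_product(image):
    """Return the RMM product an image path belongs to, or None."""
    name = image.lower().rsplit("\\", 1)[-1]
    return next((p for p, names in RMM_SIGNATURES.items() if name in names), None)

def find_rmm_alerts(lines, approved=APPROVED_RMM):
    """Return (host, reason) alerts for the three rules described in the lead-in."""
    alerts, products_by_host = [], defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        product = rmm_product(ev["image"])
        if product is None:
            continue
        products_by_host[ev["host"]].add(product)
        if product not in approved:
            alerts.append((ev["host"], f"unsanctioned RMM agent: {product}"))
        if any(hint in ev["parent"] for hint in USER_LAUNCH_HINTS):
            alerts.append((ev["host"], f"{product} spawned by user-downloaded {ev['parent']}"))
    for host, products in products_by_host.items():
        if len(products) > 1:  # the campaign's fallback-channel trick
            alerts.append((host, "multiple RMM agents: " + ", ".join(sorted(products))))
    return alerts
```

Against the sample events the host WS-042 raises all four alerts while the IT-deployed agent on WS-017 raises none, which is the distinction an allowlist-aware SIEM rule needs to make.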
Aaron Beardslee, manager of threat research at Securonix, says the available evidence suggests the attacks are likely targeted and designed to attract users who are genuinely interested in Social Security topics, in this case statements.

"From the small sample set we believe this campaign could be targeted at higher-tier employees' personal emails with the hope those individuals would open their personal email on company devices," Beardslee says, adding that there is also some data suggesting the attacker has an interest in individuals with access to their organization's cryptocurrency assets.

Campaigns like this highlight why security teams need to instill a healthy dose of "cyber paranoia" within their organizations, Beardslee notes. In this particular instance, anyone who is remotely security-aware would be able to spot the SSA messages as fakes. "But a sales rep, HR, or C-suite employee may not be so attuned to the attacker methodology," he says. "This is where a solid security program that instills 'cyber paranoia' is essential."

Logging of endpoint activity, combined with a strong SIEM or EDR platform that captures detailed system activity, can also help quickly surface unusual behavior, including unauthorized installation of RMM tools, Beardslee explains. "Application whitelisting can stop these attacks outright," he says. "Network monitoring adds another layer by helping detect and block suspicious activity. But none of this helps if users fall for the lure on personal devices."

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.