Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools

A sophisticated phishing campaign dubbed VENOMOUS#HELPER is targeting U.S. organizations by deploying legitimate remote monitoring and management (RMM) software to establish persistent, dual-channel remote access for potential ransomware or data theft operations.

Key Points

  • The campaign has compromised over 80 organizations since April 2025 using phishing emails that impersonate the U.S. Social Security Administration.
  • Attackers use customized SimpleHelp and ScreenConnect RMM tools to bypass security defenses by masquerading as legitimate, signed software.
  • The malware achieves persistence by installing itself as a Windows service and employing a self-healing watchdog to restart if terminated.
  • Threat actors use compromised Mexican business websites to host malicious files and evade traditional email spam filters.
  • The dual-channel architecture ensures attackers maintain access even if one remote management tool is detected and blocked by security software.

Why it Matters

This campaign highlights a growing trend where attackers exploit trusted, legitimate administrative tools to evade signature-based detection systems. By establishing redundant access channels, these actors can maintain long-term control over compromised networks, significantly increasing the risk of subsequent ransomware deployment or data exfiltration.

Published by The Hacker News (info@thehackernews.com)