Quick Takeaways
- A stealthy phishing campaign, VENOMOUS#HELPER, leverages legitimate RMM tools like SimpleHelp and ScreenConnect to maintain persistent, undetectable access across over 80 organizations since April 2025.
- Attackers exploit trusted, signed remote management software to blend malicious activity with normal operations, causing a surge in RMM tool misuse and a decline in traditional hacking methods.
- The attack chain involves convincing phishing emails mimicking the Social Security Administration, leading targets to download malware that installs dual RMM tools for covert control.
- Experts emphasize the importance of vigilant security practices, like activity logging, SIEM/EDR monitoring, application whitelisting, and raising cybersecurity awareness among all employees.
Attackers Use Trusted IT Tools to Hide Malicious Activities
Recently, a new type of cyber attack has emerged that is difficult to detect. Instead of using common malware, hackers are now weaponizing legitimate remote management tools. These tools help companies manage their computer systems, but attackers use them to stay hidden. This campaign, called VENOMOUS#HELPER, has attacked over 80 organizations worldwide. Most victims are in the US, but some are in Europe and Latin America. The hackers use these trusted tools because they blend into normal computer activities. This makes it hard for security systems to notice the malicious actions. As a result, cybercriminals can control infected computers for a long time without being caught. Experts say this trend shows how cybercriminals are shifting toward using software that appears safe. This shift makes cybersecurity more challenging, especially for organizations that rely heavily on remote management tools.
Stealthy Campaign Starts With Fake Emails and Fake Websites
The attack begins with a convincing phishing email, pretending to be from the Social Security Administration (SSA). The email informs the recipient about a new statement and asks them to click a link. When clicked, the link takes the user to a fake SSA website. This site looks real, but it secretly downloads a malicious file. Once downloaded, the file installs two remote tools—SimpleHelp and ScreenConnect—on the victim’s computer. These tools let hackers run commands, monitor activity, and control the system remotely. Meanwhile, they continue working quietly in the background, checking network status and user behavior. Experts warn that these attacks target people interested in social security or personal financial info. They also suggest attackers might focus on employees who handle cryptocurrencies or sensitive data. To defend against such threats, organizations need to educate employees about phishing and improve monitoring tools. Good security measures can help catch these kinds of sophisticated attacks early.
Discover More Technology Insights
Stay informed on the revolutionary breakthroughs in Quantum Computing research.
Access comprehensive resources on technology by visiting Wikipedia.
CyberRisk-V1
