VENOMOUS#HELPER Phishing Campaign Abusing SimpleHelp and ScreenConnect RMM Tools
Active phishing campaign (VENOMOUS#HELPER) tricks users into installing legitimate RMM agents (SimpleHelp, ScreenConnect/ConnectWise Control) to gain persistent remote access, with 80+ organizations targeted since April 2025. Response requires identifying unauthorized RMM installs, terminating sessions, removing persistence, blocking attacker infrastructure, and rotating credentials on affected hosts.
Indicators
- Unexpected installation of SimpleHelp or ScreenConnect/ConnectWise Control agents on user endpoints
- Phishing emails luring users to install remote support software or visit fake IT support pages
- Outbound connections to unfamiliar SimpleHelp/ScreenConnect relay servers (ports 80/443/8040/8041)
- Remote sessions initiated outside business hours or from unexpected geographies
- New scheduled tasks, services, or Run keys associated with RMM binaries
- EDR alerts for legitimate-but-abused RMM tooling not part of approved baseline
Likely causes
- User executed a phishing-delivered installer for an attacker-controlled RMM agent
- No application allowlisting in place, so unauthorized RMM software is free to install and run
- Insufficient email filtering for social engineering / fake IT support lures
- Standard users have local admin rights enabling silent software installation
- Absence of EDR detection rules covering dual-use RMM tooling
Diagnostic steps
- Inventory all endpoints for installed RMM software using EDR queries or PowerShell: Get-CimInstance Win32_Product | Where-Object { $_.Name -match 'SimpleHelp|ScreenConnect|ConnectWise' }
- Enumerate running services and scheduled tasks for RMM-related entries: Get-Service | Where-Object { ($_.Name + $_.DisplayName) -match 'simplehelp|screenconnect' } and schtasks /query /fo LIST /v
- Inspect firewall/proxy logs for outbound traffic to unknown SimpleHelp/ScreenConnect relay hosts on ports 80/443/8040/8041
- Search email gateway logs for phishing messages delivering RMM installers, links to fake support pages, or .msi/.exe attachments
- Check %ProgramData%, %AppData%, and Program Files directories for unauthorized RMM agent binaries and configuration files
- Correlate authentication logs (AD, VPN, M365) and endpoint telemetry for lateral movement or follow-on activity after the initial RMM session
- Run Sysinternals Autoruns on suspect hosts to identify persistence mechanisms tied to the RMM agent
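The host-side diagnostic steps above can be run as a single triage script. The following is an added example written for this runbook, not tooling from the campaign write-up or from the SimpleHelp/ScreenConnect vendors; the name pattern, the relay port list and the (empty) approved-baseline list are assumptions to adjust per environment, and the script should be run elevated on the suspect host. It reads the Uninstall registry keys instead of Win32_Product, because querying Win32_Product triggers an MSI consistency check and repair of every installed package and is slow on large fleets.

```powershell
# Added example: endpoint triage for unauthorized RMM agents (SimpleHelp / ScreenConnect).
# Not part of the original runbook. $Pattern, $RelayPorts and $ApprovedRmm are assumptions
# to tailor to your environment. Run in an elevated PowerShell session on the suspect host.

$Pattern    = 'SimpleHelp|ScreenConnect|ConnectWise'
$RelayPorts = @(80, 443, 8040, 8041)
# Assumed approved baseline: display names of RMM products IT actually deploys (empty = none).
$ApprovedRmm = @()

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Category, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Name = $Name; Detail = $Detail })
}

# 1. Installed products from the Uninstall registry keys (machine, WOW64 and per-user hives).
#    Faster than Win32_Product and does not trigger MSI repair actions.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Pattern -and $_.DisplayName -notin $ApprovedRmm } |
    ForEach-Object { Add-Finding 'InstalledProduct' $_.DisplayName $_.InstallLocation }

# 2. Services whose name, display name or binary path references an RMM product.
Get-CimInstance Win32_Service |
    Where-Object { ($_.Name + $_.DisplayName + $_.PathName) -match $Pattern } |
    ForEach-Object { Add-Finding 'Service' $_.Name "$($_.State) :: $($_.PathName)" }

# 3. Scheduled tasks with an action that launches an RMM binary.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (($a.Execute + ' ' + $a.Arguments) -match $Pattern) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
        }
    }
}

# 4. Run / RunOnce keys for the machine and the current user.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match $Pattern } |
            ForEach-Object { Add-Finding 'RunKey' "$key\$($_.Name)" $_.Value }
    }
}

# 5. Agent directories dropped under the usual install roots (one level deep).
$roots = $env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramFiles, ${env:ProgramFiles(x86)} |
    Where-Object { $_ -and (Test-Path $_) }
Get-ChildItem -Path $roots -Directory -Depth 1 -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $Pattern } |
    ForEach-Object { Add-Finding 'Directory' $_.FullName ('Modified ' + $_.LastWriteTime) }

# 6. Established outbound connections on relay ports, mapped to the owning process.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in $RelayPorts } |
    ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and ($proc.ProcessName + $proc.Path) -match $Pattern) {
            Add-Finding 'Connection' $proc.ProcessName "$($conn.RemoteAddress):$($conn.RemotePort) (PID $($conn.OwningProcess))"
        }
    }

if ($findings.Count -eq 0) {
    Write-Host "No SimpleHelp/ScreenConnect indicators found on $env:COMPUTERNAME"
} else {
    $findings | Sort-Object Category | Format-Table -AutoSize
    # Same data as JSON for the case file or SIEM ingestion.
    $findings | ConvertTo-Json -Depth 3 | Out-File "$env:TEMP\rmm-triage-$env:COMPUTERNAME.json"
}
```

Step 6 only flags connections owned by a process whose name or path matches the pattern; a renamed agent binary will not match, so on a confirmed-compromised host also review every process holding a connection to ports 8040/8041 regardless of name, and treat any relay destination not in the organization's own SimpleHelp/ScreenConnect deployment as an IOC for the blocking step. The JSON output is what the resolution path's credential-reset and IOC-blocking steps should be driven from.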
Resolution path
- Isolate affected endpoints from the network via EDR containment or VLAN quarantine
- Terminate active RMM sessions and uninstall unauthorized SimpleHelp/ScreenConnect agents
- Remove persistence: services, scheduled tasks, registry Run keys, and binaries created by the agent
- Reset credentials for all users who logged into compromised hosts and rotate any exposed secrets/tokens
- Block identified IOCs (domains, IPs, file hashes, RMM relay endpoints) at firewall, proxy, and EDR
- Conduct full malware sweep and forensic review for follow-on payloads (ransomware, info-stealers, C2)
- If lateral movement is confirmed, escalate to full incident response and consider DC/identity tier review
Prevention
- Implement application allowlisting (AppLocker, WDAC) to block unauthorized RMM tools
- Block known SimpleHelp/ScreenConnect/ConnectWise domains and IP ranges not used by the organization
- Deliver phishing-resistant user awareness training focused on fake IT support lures
- Deploy advanced email filtering with attachment sandboxing and URL rewriting/detonation
- Create EDR detections for installation or execution of any RMM software outside approved tooling
- Enforce least-privilege so standard users cannot install software
- Maintain an approved RMM baseline and alert on any deviation
Tools
- Microsoft Defender for Endpoint or equivalent EDR
- PowerShell (Get-CimInstance, Get-Service, schtasks)
- SIEM (Securonix, Sentinel, Splunk) for log correlation
- Email security gateway logs (Defender for Office 365, Mimecast, Proofpoint)
- Network firewall / proxy logs
- Sysinternals Autoruns and Process Explorer