For over a year, a threat campaign quietly compromised more than 80 organizations by exploiting the same remote access tools that IT departments use every day, tools so routine that their network traffic is rarely inspected.
Using the Victim’s Own Tools Against Them
The campaign tracked as VENOMOUS#HELPER began in April 2025 and was still active as of reporting. It targeted organizations across multiple sectors and achieved persistent, long-term access through a simple but effective technique: deploying legitimate remote monitoring and management (RMM) software as its primary backdoor.
RMM tools like SimpleHelp and ScreenConnect, the two platforms used in this campaign, are purpose-built for IT administrators to remotely manage endpoints, run diagnostic commands, deploy software, and troubleshoot issues. They provide the same capabilities an attacker wants from a custom implant: persistent remote access, file transfer, command execution, and session management. The critical difference is that these tools are commercially licensed, code-signed, routinely allow-listed by endpoint security products, and generate traffic that looks identical to normal IT operations.
The entry point was phishing. Initial emails delivered malicious payloads that, once executed, downloaded and silently installed the RMM software. The result, from the victim organization's perspective, was what appeared to be just another IT management agent on the endpoint, indistinguishable at the process or network level from an installation authorized by the IT team.
The “Living Off the Business” Evolution
Security practitioners have long used the term “living off the land” to describe attackers who avoid custom malware by using operating system tools like PowerShell, WMI, and certutil that are already present on target systems. The logic is the same here, but extended: rather than living off the OS, VENOMOUS#HELPER lives off the business itself — abusing the commercial software the organization has already purchased, licensed, and trusted.
This evolution creates a specific detection problem. Signature-based endpoint security tools identify threats based on known-malicious code patterns. A legitimate, signed SimpleHelp binary has no malicious signature. Behavioral detection tools that flag unusual processes can be tuned to exclude commonly trusted IT tools — which is precisely where this attack hides.
The campaign’s 13-month duration across 80+ organizations indicates that the approach worked. Extended dwell times of this kind suggest the attackers were not executing ransomware or conducting noisy data exfiltration. The more likely objective: establishing deep, stable access across a broad portfolio of organizations to be leveraged at a later time, or operating quietly to support espionage or intellectual property theft.
RMM Abuse Is Not New — But the Scale Is Growing
VENOMOUS#HELPER is not an isolated case. Remote access tools have been weaponized in some of the most damaging enterprise breaches of recent years. The Scattered Spider group used AnyDesk and other remote access tools in its 2023 intrusions at MGM Resorts and Caesars Entertainment; MGM alone disclosed an impact of roughly $100 million. Black Basta ransomware affiliates routinely establish RMM-based persistence before deploying their encryptor. Multiple CISA and FBI advisories have specifically warned about the pattern of threat actors abusing commercially available remote access tools to evade detection.
What distinguishes VENOMOUS#HELPER is the apparent focus on persistence over 13 months rather than rapid monetization — suggesting a threat actor with different objectives than a typical ransomware affiliate, and potentially more concerning long-term implications for affected organizations.
Detecting VENOMOUS#HELPER When Legitimate RMM Traffic Provides Cover
The detection challenge is real but not insurmountable. The key is that while the tools look normal, their usage patterns often do not.
Legitimate IT RMM sessions have predictable characteristics: they originate from internal IT systems or known external management consoles, they occur during business hours or in response to tickets, they connect to specific managed endpoints, and they are authorized by documented IT processes. Attacker-controlled RMM sessions often connect from unexpected geographic locations, occur outside normal hours, operate on endpoints not registered in IT asset management systems, or communicate with cloud relay nodes that are not internal infrastructure.
Behavioral analytics and network visibility — specifically the ability to log and analyze RMM connection metadata — are the detection mechanism this threat requires. Organizations that have whitelisted RMM traffic at the firewall level without maintaining visibility into what that traffic is actually doing have a blind spot that campaigns like VENOMOUS#HELPER exploit.
Auditing RMM Tools to Uncover VENOMOUS#HELPER-Style Long-Term Persistence
Security teams should treat RMM software as a privileged tool class requiring the same controls applied to other privileged access mechanisms. Specific measures:
Maintain an authorized RMM inventory. Know exactly which RMM products are authorized, which systems they should run on, and which external management consoles they should communicate with. Anything outside that baseline is an anomaly worth investigating.
Alert on unexpected RMM installations. Endpoint detection tools should flag installation of RMM agents, particularly on endpoints that are not registered management targets and for installations originating from unusual parent processes.
Monitor RMM connection metadata. Log source IPs, destination endpoints, session timing, and data volumes for all RMM activity. A session originating from an unexpected country at 2 AM is not routine IT support.
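The detection logic described in the two sections above (baseline inventory, unexpected installations, session metadata) can be turned into a simple analyzer. The script below is an added example for this article, not code from the campaign report or from any RMM vendor. The log format, field names, baseline contents and the five sample records are all constructed for illustration; in practice the events would come from an EDR or firewall export and the baseline from the authorized RMM inventory.

```python
"""Flag RMM activity that falls outside an authorized baseline.

Added example (not from the original article). Field names, baseline
values and the sample log lines below are constructed assumptions.
"""
import json
from datetime import datetime, time

# Constructed baseline: what the IT team has actually authorized.
# Note that ScreenConnect is deliberately absent from the product list.
BASELINE = {
    "products": {"SimpleHelp"},
    "consoles": {"rmm.corp.example"},          # relay/console hosts sessions may use
    "countries": {"US"},                       # where IT support sessions originate
    "managed_hosts": {"WS-1001", "WS-1002", "SRV-DB01"},
    "business_hours": (time(7, 0), time(19, 0)),
    "installer_parents": {"ccmexec.exe", "msiexec.exe", "intune-agent.exe"},
}

# Constructed telemetry: one JSON record per line. "install" records carry the
# parent process that launched the installer; "session" records carry the
# remote side of an RMM connection and the relay it went through.
SAMPLE_LOG = """
{"type":"session","product":"SimpleHelp","host":"WS-1001","src_country":"US","relay":"rmm.corp.example","ts":"2025-06-03T10:15:00"}
{"type":"install","product":"ScreenConnect","host":"WS-1002","parent":"outlook.exe","ts":"2025-06-03T14:42:00"}
{"type":"session","product":"ScreenConnect","host":"WS-1002","src_country":"RO","relay":"relay-eu7.screenconnect.example","ts":"2025-06-04T02:10:00"}
{"type":"session","product":"SimpleHelp","host":"LAPTOP-7F3A","src_country":"US","relay":"rmm.corp.example","ts":"2025-06-04T11:05:00"}
{"type":"install","product":"SimpleHelp","host":"SRV-DB01","parent":"msiexec.exe","ts":"2025-06-04T09:00:00"}
""".strip()


def parse_log(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def off_hours(ts, window):
    """True if the ISO timestamp falls on a weekend or outside the window."""
    start, end = window
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (start <= t.time() < end)


def check_event(ev, baseline):
    """Return the list of baseline violations for one event (empty if clean)."""
    reasons = []
    # Checks that apply to both installs and sessions.
    if ev["product"] not in baseline["products"]:
        reasons.append("unauthorized RMM product")
    if ev["host"] not in baseline["managed_hosts"]:
        reasons.append("host not in RMM asset inventory")
    if ev["type"] == "install":
        # A phishing payload launches the installer from a mail client or
        # browser, not from the software-deployment agent.
        parent = (ev.get("parent") or "").lower()
        if parent not in baseline["installer_parents"]:
            reasons.append("install spawned by unusual parent process")
    elif ev["type"] == "session":
        if ev.get("src_country") not in baseline["countries"]:
            reasons.append("session from unexpected country")
        if ev.get("relay") not in baseline["consoles"]:
            reasons.append("session via unknown relay/console")
        if off_hours(ev["ts"], baseline["business_hours"]):
            reasons.append("session outside business hours")
    return reasons


def analyze(log_text, baseline=BASELINE):
    """Return one finding per event that violates the baseline, in log order."""
    findings = []
    for ev in parse_log(log_text):
        reasons = check_event(ev, baseline)
        if reasons:
            findings.append({
                "host": ev["host"], "product": ev["product"],
                "type": ev["type"], "ts": ev["ts"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']:12} {f['product']:13} {f['type']:8} "
              + "; ".join(f["reasons"]))
```

Run against the sample log, the analyzer stays silent on the two authorized SimpleHelp events and flags three: the ScreenConnect installer launched from outlook.exe, the 02:10 ScreenConnect session from an unexpected country through a relay that is not the organization's console, and an otherwise normal SimpleHelp session on a laptop that is missing from the asset inventory. The last case is the one most teams miss: product, console, country and time are all fine, and only the inventory check catches it.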
Thirteen months is a long time to be inside an organization without detection. The infrastructure for preventing that outcome exists — the question is whether it is deployed and monitored.
