Canadian Cyber Security Journal
Filed under: TechTalk

VENOMOUS#HELPER: RMM Phishing Campaign Targets 80+ Organizations — A Ransomware Precursor Using Your Own Tools Against You

What Happened

Securonix researchers have published details on an active phishing campaign, VENOMOUS#HELPER, that has compromised over 80 organizations — primarily in the United States — by abusing legitimate remote monitoring and management software as the persistence mechanism. The campaign has been active since at least April 2025.

The attack begins with a phishing email impersonating the U.S. Social Security Administration (SSA). Recipients are instructed to verify their email address and download what appears to be an official SSA statement. The link redirects through a legitimate but compromised Mexican business website — a deliberate technique to defeat email security filters that block overtly suspicious domains. The final download is an installer for SimpleHelp, a legitimate RMM tool, which is deployed with attacker-controlled configuration pointing to attacker-managed infrastructure.

Once installed by the unsuspecting victim, SimpleHelp establishes a persistent remote access channel indistinguishable from legitimate IT administration activity. In some observed cases, ScreenConnect was deployed as a secondary access tool. Securonix assesses the campaign as consistent with either an Initial Access Broker (IAB) selling access to other threat actors, or a ransomware precursor operation conducting reconnaissance before payload deployment.

The campaign is notable because it weaponizes tools that are already commonly deployed in enterprise environments. Security products trained to detect malware binaries do not flag SimpleHelp or ScreenConnect as threats — both are legitimate and widely used by IT teams in Canada and globally.

Why This Matters for Canadian Organizations

SimpleHelp is heavily used by Canadian managed service providers, internal IT departments, and remote support teams. It previously appeared in the CISA Known Exploited Vulnerabilities catalog in late April 2026 when CVE-2024-57726 (CVSS 9.9) was linked to DragonForce ransomware precursor activity. VENOMOUS#HELPER is a distinct but parallel abuse: rather than exploiting a vulnerability in SimpleHelp itself, the attackers deploy a clean, legitimate build of the tool whose configuration points it at their own server. Patching SimpleHelp therefore does nothing to stop this campaign; only controlling which RMM agents may run, and which servers they may talk to, does.

Canadian organizations that block known malware but do not control which RMM tools are permitted to run on endpoints are exposed to this attack class. If an employee installs SimpleHelp or ScreenConnect after receiving a convincing phishing email, the attacker gains a persistent foothold with no malicious binary for endpoint protection to flag. This is particularly relevant for organizations that allow employees to install software without IT approval, a common gap in mid-sized Canadian businesses and public sector bodies.

Under OSFI Guideline B-13 for federally regulated financial institutions, and under broader PIPEDA accountability obligations, organizations are expected to maintain visibility into remote access tools operating on their networks. An uncontrolled RMM installation represents a gap in that accountability chain.

What to Do

Audit your environment for SimpleHelp and ScreenConnect installations that your IT team or MSP did not deploy. Establish an allowlist of approved RMM tools together with the server endpoints each is permitted to contact, and have your SOC alert on any RMM agent connecting to a server not on that list; the agent being a legitimate product is not evidence that the server it reports to is legitimate. Train staff to treat SSA or other government communications that link to a software download as high-suspicion, and to report rather than install. If you find an unexpected SimpleHelp or ScreenConnect installation, treat it as a full incident response scenario rather than simply uninstalling the agent: assume the attacker has had persistent, interactive access since the installation time and has already conducted reconnaissance.
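The allowlist check above can be expressed as a small triage script run over endpoint network telemetry. The following is an added example written for this article, not code from Securonix or from the SimpleHelp or ScreenConnect vendors. It assumes an illustrative flattened log format (timestamp, host, process image path, destination host:port), assumed process image names for the two agents, and placeholder hostnames for the approved RMM server; all of these must be replaced with your own inventory and telemetry before use.

```python
import re
from dataclasses import dataclass

# Assumed allowlist for this example: approved RMM product -> set of server
# hosts that product's agents may contact. Hostnames are placeholders.
RMM_ALLOWLIST = {
    "screenconnect": {"rmm.corp.example.ca"},
    # "simplehelp" deliberately absent: no SimpleHelp deployment is approved here
}

# Process image basenames (lower-case) -> RMM product. These names are assumed
# for illustration; confirm them against your own endpoint telemetry.
RMM_PROCESS_NAMES = {
    "screenconnect.clientservice.exe": "screenconnect",
    "screenconnect.windowsclient.exe": "screenconnect",
    "remote access.exe": "simplehelp",
}

# Assumed, constructed log format: one network connection event per line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) image="(?P<image>[^"]+)" '
    r'dst=(?P<dst>[^:\s]+):(?P<dport>\d+)$'
)


@dataclass(frozen=True)
class Alert:
    host: str
    product: str
    dst: str
    reason: str  # "unapproved_tool" or "unapproved_server"


def parse_line(line):
    """Return the event fields as a dict, or None if the line is not telemetry."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def rmm_product(image_path):
    """Map a process image path to an RMM product name, or None if it is not an RMM agent."""
    base = re.split(r"[\\/]", image_path)[-1].lower()  # basename, Windows or POSIX separators
    return RMM_PROCESS_NAMES.get(base)


def classify(event, allowlist=RMM_ALLOWLIST):
    """Decide whether one connection event violates the RMM allowlist."""
    product = rmm_product(event["image"])
    if product is None:
        return None  # not an RMM agent; out of scope for this check
    dst = event["dst"].lower()
    if product not in allowlist:
        # A legitimate product that the organization never approved at all.
        return Alert(event["host"], product, dst, "unapproved_tool")
    if dst not in allowlist[product]:
        # Approved product, but reporting to a server that is not ours.
        return Alert(event["host"], product, dst, "unapproved_server")
    return None


def triage(lines, allowlist=RMM_ALLOWLIST):
    """Run the allowlist check over raw log lines and collect alerts in order."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # malformed or unrelated line
        alert = classify(event, allowlist)
        if alert is not None:
            alerts.append(alert)
    return alerts


def hosts_for_incident_response(alerts):
    """Hosts with any RMM alert; each should be handled as a full incident, not a cleanup."""
    return sorted({a.host for a in alerts})


# Constructed sample telemetry (not real data): one approved ScreenConnect
# connection, one ScreenConnect agent talking to an unknown server, one
# SimpleHelp agent installed under a user profile, one unrelated browser
# connection, and one malformed line.
SAMPLE_LOG = [
    '2025-05-02T10:11:12Z host=WS-017 image="C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe" dst=rmm.corp.example.ca:443',
    '2025-05-02T10:14:03Z host=WS-023 image="C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe" dst=203.0.113.45:443',
    '2025-05-02T10:20:41Z host=WS-031 image="C:\\Users\\jdoe\\AppData\\Local\\Remote Access\\Remote Access.exe" dst=helper-support.example.net:443',
    '2025-05-02T10:22:09Z host=WS-017 image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" dst=www.ssa.gov:443',
    'this line is not telemetry at all',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for a in found:
        print(f"{a.host}: {a.product} -> {a.dst} ({a.reason})")
    print("open incidents for:", hosts_for_incident_response(found))
```

The two alert reasons are kept separate on purpose: an approved product reporting to the wrong server (WS-023) and a product that was never approved at all (WS-031) are both incidents, but the first also tells you that an attacker may be reusing a tool your own staff recognise, which shapes how you communicate with the affected users.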

Full campaign details are available via The Hacker News.
