Legitimate remote monitoring tools are being weaponized by threat actors—and it's happening more than you think.
The VENOMOUS#HELPER campaign has impacted 80+ organizations by abusing SimpleHelp and ScreenConnect RMM platforms. What makes this particularly dangerous:
No traditional malware – attackers rely solely on legitimately signed RMM tools to evade detection
Dual persistence – using TWO RMM tools ensures backup access if one is discovered
277% YoY increase in RMM tool abuse while traditional hacking tool use dropped 53%
Blends with normal operations – RMM activity rarely triggers security alerts since IT teams use these tools daily
The attack starts with phishing emails impersonating the US Social Security Administration, targeting employees with access to sensitive systems or crypto assets.
What MSPs Need to Do Now
Implement application whitelisting to prevent unauthorized RMM installations
Enable detailed endpoint logging with strong SIEM/EDR monitoring
Foster "cyber paranoia" through security awareness training—especially for C-suite and non-technical staff
Monitor for unauthorized RMM tool installations across your client environments
As MSP professionals, we need to be vigilant about the very tools we trust. What controls do you have in place to prevent unauthorized RMM deployments?
#Cybersecurity #MSP #RMM #ThreatIntelligence #ITSecurity #PhishingAttack



