Hey,
Quick midweek edition because this one’s worth interrupting your inbox for.
Researchers at Securonix just went public on a campaign called VENOMOUS#HELPER. Best name in security all year. Terrible news if you run an MSP or any kind of remote support.
Here’s the gist. Someone gets a phishing email pretending to be from the Social Security Administration. Click the link, “verify your email,” download your “SSA statement.” So far, so 2014.
Except the payload isn’t ransomware. It isn’t a credential stealer. It’s two legitimate, fully-signed RMM clients — SimpleHelp 5.0.1 and ScreenConnect — installed silently and pointed at attacker-controlled relays.
Yes. The same software you probably have deployed across your fleet right now is being used as malware-as-a-feature.
A few details that should ruin your morning:
The SimpleHelp binaries are signed by Thawte. The ScreenConnect ones by ConnectWise. Authenticode-valid. A valid signature tells you who built the binary, not who installed it or where it's connecting, and most AV (and plenty of EDR allowlists) still treat a signed RMM client as benign by default. It gets waved right through.
It installs as a Windows service that also starts in Safe Mode. Removing it isn't a "boot to Safe Mode and clean up" job: a service that runs in Safe Mode is one Windows has been told to start there, so you have to check the Safe Mode boot configuration, not just the service list.
It runs two RMMs at once on purpose. If you find one and remove it, the other channel’s still live. Redundant persistence, by design.
It polls every 67 seconds to check the host’s security posture, and every 23 seconds to see whether anyone’s actively at the machine. That second one is the giveaway — it’s looking for analysts. If you’re staring at the screen, it knows.
Securonix says 80+ organizations have been hit since at least April 2025, predominantly in the US. That's more than a year the campaign has been running, on the public count alone. The actual number is whatever's behind that.
What to actually do about it:
Inventory which RMM tools your environment is supposed to be running, and which relay hosts each one is supposed to talk to. If you don't deploy SimpleHelp, any SimpleHelp service on a host is now an indicator of compromise. Same logic for ScreenConnect, TeamViewer, AnyDesk, Atera, NinjaOne, and friends.
Block outbound to RMM relay infrastructure you don't own. The vendor-hosted tools use well-known cloud endpoints you can block outright if you don't use them. Self-hosted ones like SimpleHelp and ScreenConnect can sit on any server the attacker rents, so the rule has to be an allowlist: only your relay is reachable from inside the network, and anything else that looks like that client's traffic gets blocked and alerted on.
Actually look at scheduled tasks, services, and Safe Mode boot configs on a few endpoints this week. Not because it’s fun. Because the install path here is the kind of thing nobody checks until someone gets paged at 2am.
Brief your end users on the SSA-themed lure (a screenshot or a description, not the live email). People will fall for "your benefits statement is ready" much harder than for "your invoice is attached."
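If you want the three technical steps above in one pass, here is a PowerShell hunt I've added for this edition. It is not code from the Securonix writeup or from either vendor, and it uses no indicators published for this campaign: the product keyword list, the $ApprovedRmm parameter and the output shape are my own choices, and the Safe Mode check relies only on the general Windows mechanism (a service that starts in Safe Mode has a key named after it under SafeBoot\Minimal or SafeBoot\Network). Run it elevated on a few endpoints and set $ApprovedRmm to whatever you actually deploy.

```powershell
# Added example, not from the Securonix writeup or the newsletter's author.
# Hunts a Windows host for RMM agents that are not on the approved list:
# services, Safe Mode start registrations, scheduled tasks and live connections.
# Product keyword list and parameter name are assumptions for illustration.
[CmdletBinding()]
param(
    # Products you knowingly deploy, e.g. @('ScreenConnect'). Default: none.
    [string[]]$ApprovedRmm = @()
)

# Substrings that commonly appear in service names, display names, binary
# paths and task actions of remote-support / RMM tools (general knowledge).
$RmmKeywords = @('SimpleHelp', 'ScreenConnect', 'ConnectWise', 'TeamViewer', 'AnyDesk',
                 'Atera', 'NinjaOne', 'NinjaRMM', 'Splashtop', 'LogMeIn', 'Kaseya',
                 'Syncro', 'Datto', 'RustDesk', 'MeshAgent', 'GoToAssist')

$Suspect = $RmmKeywords | Where-Object { $_ -notin $ApprovedRmm }
if (-not $Suspect) { 'Every known RMM product is approved; nothing to hunt.'; return }
$Pattern = ($Suspect | ForEach-Object { [regex]::Escape($_) }) -join '|'

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Services whose name, display name or binary path mentions an unapproved RMM.
Get-CimInstance Win32_Service | ForEach-Object {
    if ("$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Pattern) {
        # Pull the executable out of a PathName such as "C:\dir\agent.exe" -arg
        $exe = if ($_.PathName -match '^\s*"?([^"]*?\.exe)') { $Matches[1] } else { $_.PathName }
        $sig = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
        $findings.Add([pscustomobject]@{
            Kind   = 'Service'
            Name   = $_.Name
            State  = $_.State
            Path   = $exe
            # A valid vendor signature is exactly what this campaign relies on,
            # so record the signer instead of trusting it.
            Signer = if ($sig) { $sig.SignerCertificate.Subject } else { '<no file>' }
            SigOk  = if ($sig) { $sig.Status } else { 'n/a' }
            Note   = ''
        })
    }
}

# 2. Safe Mode persistence: Windows starts a service in Safe Mode only if a key
# named after it exists under SafeBoot\Minimal (or \Network). Flag matches.
foreach ($mode in 'Minimal', 'Network') {
    $root = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $root)) { continue }
    foreach ($key in (Get-ChildItem $root).PSChildName) {
        foreach ($s in ($findings | Where-Object { $_.Kind -eq 'Service' -and $_.Name -eq $key })) {
            $s.Note = "Starts in Safe Mode ($mode)"
        }
    }
}

# 3. Scheduled tasks whose action launches an unapproved RMM binary.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match $Pattern) {
            $findings.Add([pscustomobject]@{
                Kind = 'Task'; Name = "$($_.TaskPath)$($_.TaskName)"; State = $_.State
                Path = $a.Execute; Signer = ''; SigOk = ''; Note = $a.Arguments
            })
        }
    }
}

# 4. Established outbound connections from suspect processes: the remote
# address is the relay. If it is not one you run, that is the second half of the IOC.
foreach ($p in (Get-Process | Where-Object { $_.Path -and $_.Path -match $Pattern })) {
    Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Kind = 'Connection'; Name = $p.ProcessName; State = $_.State
                Path = $p.Path; Signer = ''; SigOk = ''
                Note = "-> $($_.RemoteAddress):$($_.RemotePort)"
            })
        }
}

if ($findings.Count -eq 0) { 'No unapproved RMM artifacts found.' }
else { $findings | Format-Table Kind, Name, State, Signer, SigOk, Note -AutoSize -Wrap }
```

Two notes on how to read the output. A Service row with SigOk = Valid and a recognisable vendor subject is not an all-clear; it is the expected shape of this campaign, and the decision rests on whether that product is approved and whether the Connection row's remote address is your relay. And a Safe Mode note on a service you didn't deploy means service removal alone won't clean the host; the SafeBoot key has to go too.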
Full Securonix writeup: https://www.securonix.com/blog/venomous-helper-phishing-campaign
Shorter Hacker News version: https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html
—
A small note before you go.
I’m building Shell Samurai — a hands-on Linux training app for IT support folks who want to grow into sysadmin and DevOps work. SSH into a real training box, clear small missions, build the muscle memory for the commands that show up in actual jobs. Chapter 1 is free.
Honestly, the reason I keep building it is stories like this VENOMOUS#HELPER one. The people who catch weird services, weird scheduled tasks, weird boot behavior aren’t the ones who memorized definitions for a cert exam. They’re the ones whose hands move on a terminal without thinking. You build that by doing reps, not by reading.
If you’ve been meaning to get serious about Linux: shellsamurai.com
Catch you Friday for the regular roundup.
— Stetson