
Your IT Guy Would Never Call You Like That

A live phishing campaign is impersonating support techs to drop remote access tools on your machines. Here's the one rule that stops it cold.

Security Advisory · 7 min read · May 8, 2026 · Patrick Gorden

A campaign researchers have named VENOMOUS#HELPER has hit more than 80 organizations — mostly in the U.S. — by doing something simple and devastating: pretending to be a government agency, getting someone to click a link, and then quietly installing two separate remote access tools on the victim's machine. Not one. Two. A redundant backdoor, so that if you catch one, the attacker still has the other.

The tools they deployed — ScreenConnect and SimpleHelp — are the exact same software that legitimate IT providers use every day to help clients. The software itself is clean. There's nothing in it that an antivirus will flag. That's the point. The attack doesn't rely on malware in the traditional sense. It relies on trust.

What Actually Happened

The phishing email impersonated the U.S. Social Security Administration. Recipients were told to verify their email address and download a document. The link pointed to a legitimate-but-compromised business website — so it passed spam filters. The "document" launched a silent installer that dropped SimpleHelp first, giving the attacker a command-and-control channel to run scripts and commands. Then ScreenConnect was deployed on top, giving the attacker full interactive desktop control.

From the attacker's side, this looks like a normal IT session. From the victim's side, nothing looks wrong at all — the tools are real, the connections are authenticated, and the software runs quietly in the background. The organization might not discover the access for weeks.

What attackers can do once they have dual RMM access
  • Watch your screen in real time without any indication on your end
  • Run scripts silently — credential harvesting, ransomware staging, data exfiltration
  • Move laterally to other machines on your network
  • Maintain access even after a reboot — both tools persist as services
  • Keep working through the second channel if the first one is detected and shut down

Why It Works

The reason this campaign is effective has nothing to do with technical sophistication. It works because most people don't have a clear mental model of what legitimate IT support actually looks like. They know their IT person uses remote tools. They know those tools look like this. So when someone installs ScreenConnect, it feels familiar — even when the person who triggered the install was an attacker pretending to be a government agency.

Antivirus won't stop this. The software is signed, legitimate, and widely deployed. Firewalls won't stop it. The connections go out over standard HTTPS to known cloud endpoints. The only defense is knowing the rule — and having everyone in your organization know it too.

"The attack doesn't use malware. It uses trust. And trust is something you have to train, not patch."

The Rule That Stops It

Here's how remote support is supposed to work: you have a problem, you call your IT provider, they reach out to start a session. That's the sequence. You initiate. They respond.

If the order is ever reversed — if someone you didn't call contacts you and asks you to install software, click a link, or grant remote access — that's not IT support. It doesn't matter if they say they're from Microsoft, the Social Security Administration, your internet provider, or even your own IT company. The answer is the same: hang up, and call your IT contact back on a phone number you already have on file.

At WCW, we don't cold-call clients to ask them to install anything. When we're starting a remote session, you'll know it's coming because you called us first. If you ever get a call, email, or pop-up that claims to be us and asks you to install software or grant access — it isn't us. Call us directly and we'll confirm.

What a legitimate WCW remote session looks like
  • You contact us first — by phone or email — with a specific issue
  • We tell you we're going to connect and explain what we're doing
  • We use the same tools every time — you'll recognize the interface
  • You can see everything we do on your screen in real time
  • We close the session when we're done — it doesn't stay running in the background
  • If you're ever unsure, call us on the number you have — not one someone gave you just now

Local Admin Rights: The Easiest Fix Nobody Makes

Here's the part that most people skip over, because it requires a small amount of friction and nobody likes friction: your daily work account should not have local administrator rights.

When you run your normal workday as a local admin, any software that runs in your session inherits those rights. That means if you accidentally click a malicious installer, the software can do anything — install services, modify system files, turn off security software, create new accounts. It runs with the same permissions as you, and you have full control of the machine.

When you remove admin rights from the daily account and use a separate admin credential only when needed, that attack surface collapses. The VENOMOUS#HELPER installer drops silently because it can. On a standard user account, it would either fail or prompt for credentials — giving you a moment to realize something is wrong.

Admin rights on your daily account vs. a standard account — one gives attackers a silent install, one stops them cold
  • Admin account (daily use): the malicious installer runs, installs as a system service, and persists after reboot. No prompt. No warning.
  • Standard account (daily use): the installer prompts for credentials, you see the UAC prompt, and you pause. Something's wrong. Attack stopped.

This is one of the most effective security measures available to any organization, and it costs nothing. It does require a brief conversation with whoever manages your machines — and some willingness to type in a second password when installing legitimate software. That friction is exactly the point. If something is trying to install itself without prompting for credentials, you want to know about it.

For businesses running Windows environments, this is a Group Policy setting. For individual machines, it's a few clicks in User Accounts. For a church or small office that hasn't had an IT review in a while, this is one of the first things we look at.

What to Do Right Now

You don't need to overhaul anything to be protected from this specific attack. You need two things: a clear rule, and everyone who uses a computer in your organization to understand it.

Protect your organization from RMM-based phishing
  • Know your IT contact by name and phone number — not just an email address
  • Establish the rule: you call them first, they don't cold-call asking for installs
  • If you get an unsolicited contact claiming to be IT support of any kind, hang up and call back on your number
  • Remove local admin rights from daily-use accounts — use a separate admin credential for installs
  • Review what remote access tools are already installed on your machines — anything you don't recognize should be investigated
  • Brief your staff: one email explaining the rule takes ten minutes and could prevent a serious incident
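As an added example (not from the advisory or from WCW), here is a PowerShell audit a defender can run on a Windows machine to cover two of the steps above: list installed services and uninstall entries that look like remote-access tooling, and report whether the account in use holds local admin rights. The name patterns are taken from the two products named on this page and are an assumption about how they appear on disk; add the tools your own IT provider legitimately uses so you can tell expected entries from unexpected ones.

```powershell
# Added example: audit a Windows host for remote-access tooling and daily-account admin rights.
# Assumption: the patterns below cover the two RMM products named in the advisory; add the
# tools your own IT provider uses so known-good entries are recognized rather than flagged.
$KnownRmmPatterns = @('ScreenConnect', 'SimpleHelp')

function Get-RemoteAccessFootprint {
    # Services survive reboots, which is how the advisory says both tools persist.
    $services = Get-CimInstance Win32_Service |
        Where-Object {
            $svc = $_
            $KnownRmmPatterns | Where-Object { $svc.Name -like "*$_*" -or $svc.PathName -like "*$_*" }
        } |
        Select-Object @{n='Source';e={'Service'}}, Name, State, StartMode, PathName

    # Uninstall entries catch per-user or service-less installs that the service list misses.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $apps = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $n = $_.DisplayName; $KnownRmmPatterns | Where-Object { $n -like "*$_*" } } |
        Select-Object @{n='Source';e={'Uninstall'}}, @{n='Name';e={$_.DisplayName}},
                      DisplayVersion, InstallDate, InstallLocation

    # Merge both lists, dropping the nulls an empty result leaves behind.
    @($services) + @($apps) | Where-Object { $null -ne $_ }
}

function Test-DailyAccountIsAdmin {
    # Checks group membership rather than the current token, so the answer is the same whether
    # or not this console was launched elevated (UAC filters the token of an admin user).
    # Direct members only: a user who inherits admin rights via a domain group is not listed here.
    $sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    [bool]($members | Where-Object { $_.SID.Value -eq $sid })
}

$found = Get-RemoteAccessFootprint
if ($found) {
    Write-Host "Remote-access tooling present; confirm each entry with your IT contact:" -ForegroundColor Yellow
    $found | Format-List
} else {
    Write-Host "No known remote-access tooling found."
}
if (Test-DailyAccountIsAdmin) {
    Write-Host "This account has local admin rights; an installer run here can install silently." -ForegroundColor Yellow
} else {
    Write-Host "This account is a standard user; installers will prompt for admin credentials."
}
```

Run it from a normal (non-elevated) console to see what the daily account itself can see; entries you cannot tie to a session you initiated are the ones to raise with your IT contact.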

The VENOMOUS#HELPER campaign is categorized as a financially motivated initial access operation — meaning the goal is to establish a foothold and sell it, or to stage a ransomware deployment later. Organizations that get hit often don't know it for weeks. By the time they notice, the attacker has had time to map the network, harvest credentials, and prepare whatever comes next.

The attack chain here is worth understanding alongside the broader trend of devices being turned into persistent access infrastructure — the end goal is always the same. Get in, stay in, act later. The only difference is the entry point.

If you're not sure whether your staff knows the rule, that's a conversation worth having before you need to have it.

Know Who Your IT Person Is Before You Need One.

WCW works with small businesses and churches across Southwest Ohio. We establish clear support processes from day one — so your team always knows what a legitimate session looks like, and what it doesn't.
