Back to Intelligence

VENOMOUS#HELPER: Detecting and Mitigating SimpleHelp and ScreenConnect RMM Abuse

SA
Security Arsenal Team
May 4, 2026
7 min read

Introduction

Security operations teams must remain vigilant regarding VENOMOUS#HELPER, an active social engineering campaign identified by Securonix impacting over 80 organizations, predominantly within the United States. This campaign does not rely on a zero-day exploit in the software itself; rather, it weaponizes legitimate Remote Monitoring and Management (RMM) tools—specifically SimpleHelp and ConnectWise ScreenConnect—to establish persistent, unauthorized remote access.

The threat actors deceive end-users into installing these legitimate tools, effectively bypassing traditional security controls that whitelist signed binaries. Once installed, the attackers have full control over the host, enabling data theft, ransomware deployment, or lateral movement. Given the stealthy nature of "Living off the Land" (LotL) tactics using trusted software, detection requires a shift from simply monitoring for malware to monitoring for abuse of administrative tools.

Technical Analysis

Affected Products and Vectors

  • SimpleHelp: A remote support and access tool often used by MSPs. In this campaign, the binaries are signed and legitimate, but the installation context is malicious.
  • ConnectWise ScreenConnect: A widely used remote access software. Attackers are deploying portable or customized versions that callback to actor-controlled infrastructure.

Attack Chain

  1. Initial Access: Social engineering (phishing or vishing) convinces a user to download and execute an installer. This is often masked as a software update, a invoice, or a required support utility.
  2. Execution: The user executes the RMM installer. Since the binaries are digitally signed by the legitimate vendor, no security warnings are triggered, and Smart App Control/SmartScreen may allow execution.
  3. Persistence: The RMM agent installs as a service or startup item, establishing a reverse connection to the attacker's command-and-control (C2) server.
  4. Command and Control: The attacker utilizes the standard GUI or CLI of the RMM tool to interact with the victim machine (file transfer, shell access, system modification).

Exploitation Status

  • Active Exploitation: Confirmed in-the-wild (ITW) against >80 organizations since April 2025.
  • Method: Abuse of legitimate functionality (No CVE required for the software itself, as the vulnerability lies in the user trust chain).

Detection & Response

SIGMA Rules

YAML
---
title: Potential RMM Tool Installation from User Directory
id: 8c4e2a10-5b6f-4a3d-9e1f-2c5d6e7f8a9b
status: experimental
description: Detects the execution or installation of SimpleHelp or ScreenConnect binaries from user-writable directories (Downloads, Temp, AppData), indicative of phishing drops rather than centralized IT deployment.
references:
  - https://securonix.com/blog/venomous-helper
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.initial_access
  - attack.t1190
  - attack.persistence
  - attack.t1543.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains:
      - 'Simple.Support.Client.exe'
      - 'ScreenConnect.ClientService.exe'
      - 'RemoteSupport.exe'
      - 'ConnectWiseControl.Client.exe'
  filter_legit_paths:
    Image|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
  condition: selection and not filter_legit_paths
falsepositives:
  - Legitimate support staff installing tools from a local folder for ad-hoc support (rare in managed environments)
level: high
---
title: RMM Tool Spawning Shell
id: 3d1f9c84-b7e4-4f2a-8a5d-9e0c1f2a3b4c
status: experimental
description: Detects SimpleHelp or ScreenConnect processes spawning cmd.exe, powershell, or bash. This is often indicative of post-exploitation activity rather than standard remote desktop usage.
references:
  - https://securonix.com/blog/venomous-helper
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains:
      - 'SimpleHelp'
      - 'ScreenConnect'
      - 'ConnectWiseControl'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Administrators using the RMM tool "Run as" feature or command prompt access for legitimate troubleshooting.
level: medium
---
title: Suspicious Network Connection by RMM Process
id: a2b4c6d8-1e3f-4a5b-8c7d-9e0f1a2b3c4d
status: experimental
description: Detects SimpleHelp or ScreenConnect processes establishing connections to non-standard ports or external IPs not associated with known corporate RMM infrastructure.
references:
  - https://securonix.com/blog/venomous-helper
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|contains:
      - 'SimpleHelp'
      - 'ScreenConnect'
      - 'ConnectWiseControl'
  filter_localhost:
    DestinationIp|startswith:
      - '10.'
      - '192.168.'
      - '172.16.'
      - '127.'
      - '::1'
  condition: selection and not filter_localhost
falsepositives:
  - Connections to legitimate vendor cloud infrastructure or approved MSP servers.
level: low

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for RMM tools spawning shells or running from suspicious paths
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ("Simple.Support.Client", "ScreenConnect.ClientService", "ConnectWiseControl.Client")
| where ProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, ProcessFileName, ProcessCommandLine
| extend AlertContext = "RMM tool spawning shell"

// Hunt for RMM binaries executed from User directories
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("Simple.Support.Client.exe", "ScreenConnect.ClientService.exe", "RemoteSupport.exe")
| where FolderPath !contains "Program Files" and FolderPath !contains "Windows"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine
| extend AlertContext = "RMM binary from non-standard path"

Velociraptor VQL

VQL — Velociraptor
-- Hunt for SimpleHelp and ScreenConnect persistence and execution
SELECT 
  Pid, 
  Name, 
  CommandLine, 
  Exe, 
  Username, 
  CreateTime
FROM pslist()
WHERE Name =~ "SimpleHelp" 
   OR Name =~ "ScreenConnect" 
   OR Name =~ "ConnectWiseControl"

-- Hunt for RMM files in User profiles (Sign of phishing drop)
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs="/*/Users/*/*/Simple*", "/Users/*/AppData/Local/Temp/*ScreenConnect*", "/Users/*/Downloads/*Remote*.exe")
WHERE NOT FullPath =~ "Program Files"

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Detect and Remediate unauthorized SimpleHelp and ScreenConnect instances.
.DESCRIPTION
    This script scans for running processes and service installations 
    of SimpleHelp and ScreenConnect. It checks if they are running from 
    trusted Program Files paths and helps terminate suspicious instances.
#>

Write-Host "Starting VENOMOUS#HELPER Remediation Check..." -ForegroundColor Cyan

$rmmProcesses = @("Simple.Support.Client", "ScreenConnect.ClientService", "ConnectWiseControl.Client")
$suspiciousActivity = $false

foreach ($proc in Get-Process | Where-Object { $rmmProcesses -contains $_.Name }) {
    $path = $proc.Path
    Write-Host "Found process: $($proc.Name) (PID: $($proc.Id)) at $path" -ForegroundColor Yellow
    
    # Check if running from standard Program Files location
    if ($path -notmatch "^C:\\Program Files" -and $path -notmatch "^C:\\Windows") {
        Write-Host "[!] ALERT: Process running from non-standard path. Likely malicious drop." -ForegroundColor Red
        $suspiciousActivity = $true
        
        # Attempt to kill process
        try {
            Stop-Process -Id $proc.Id -Force -ErrorAction Stop
            Write-Host "[+] Terminated process $($proc.Id)" -ForegroundColor Green
        } catch {
            Write-Host "[-] Failed to terminate process $($proc.Id): $_" -ForegroundColor Red
        }
    }
}

# Check Services
Write-Host "`nChecking Services..." -ForegroundColor Cyan
Get-WmiObject Win32_Service | Where-Object { 
    $_.Name -like "*SimpleHelp*" -or 
    $_.Name -like "*ScreenConnect*" -or 
    $_.Name -like "*ConnectWise*" 
} | ForEach-Object {
    $servicePath = $_.PathName
    Write-Host "Found Service: $($_.Name) - $servicePath" -ForegroundColor Yellow
    
    if ($servicePath -notmatch "Program Files") {
        Write-Host "[!] ALERT: Service running from non-standard path." -ForegroundColor Red
        # Optional: Stop-Service -Name $_.Name -Force
    }
}

if (-not $suspiciousActivity) {
    Write-Host "No obvious RMM abuse detected on this host." -ForegroundColor Green
}

Remediation

Immediate action is required to neutralize the persistence mechanisms established by VENOMOUS#HELPER.

  1. Identify and Quarantine: Isolate affected hosts identified by the detection rules above immediately to prevent lateral movement.
  2. Terminate and Remove:
    • Kill the RMM processes (SimpleHelp, ScreenConnect).
    • Uninstall the application via standard Windows methods (wmic product where name... or Control Panel) if installed legitimately but compromised.
    • If installed via a portable/dropped executable in User directories, delete the binary and remove associated startup registry keys (e.g., Run and RunOnce keys).
  3. Verify Integrity: Since the attackers had full access, assume credentials were compromised. Force a password reset for all users on the affected machine and rotate service account credentials used on that endpoint.
  4. Policy Enforcement (Long-term):
    • Application Control: Implement AppLocker or Windows Defender Application Control (WDAC) policies to block the execution of SimpleHelp and ScreenConnect binaries unless they are signed by the vendor and originate from a specific, approved directory (e.g., C:\Program Files\SimpleHelp).
    • Network Segmentation: Restrict outbound internet access for endpoints. Only allow RMM tools to communicate with known, whitelisted IP addresses belonging to your MSP or internal RMM gateway.
  5. User Awareness: Reinforce training regarding social engineering. Users should never install "remote support" software unless initiated by a known, verified support ticket from your internal IT team or trusted MSP.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemrmm-abusesocial-engineeringscreenconnect

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action