Severity: CRITICAL

The Threat

An active, large-scale phishing campaign tracked as VENOMOUS#HELPER is abusing legitimate Remote Monitoring and Management (RMM) tools - specifically SimpleHelp and ScreenConnect - to silently establish persistent remote access inside compromised networks. The campaign has been running since at least April 2025 and has been confirmed in breaches at over 80 organizations globally.

What makes this attack uniquely dangerous is its use of trusted, whitelisted software. Because SimpleHelp and ScreenConnect are legitimate IT administration tools widely deployed by managed service providers (MSPs) and enterprise IT teams, traditional antivirus and endpoint detection tools frequently fail to flag the intrusion. Attackers gain a persistent foothold that can survive reboots, password resets, and even partial incident response efforts.

East African organizations that rely on third-party IT support, outsourced helpdesk services, or cloud-managed infrastructure are the highest-risk targets in this region.

Impact Assessment for East Africa

This campaign is a direct threat to the sectors DRONGO monitors most closely across Kenya, Somalia, Ethiopia, and the broader Horn of Africa.

  • Banking and Financial Services: Kenyan commercial banks and SACCOs that use RMM tools for branch IT support are prime targets. A persistent attacker inside a bank network can intercept SWIFT transactions, exfiltrate customer data, and trigger CBK-reportable data breach events under the Kenya Data Protection Act 2019.
  • Government and GovTech: National ID systems, tax authority portals (e.g., KRA iTax, Ethiopia's ERCA), and e-government platforms that outsource IT maintenance are exposed. A compromised RMM agent gives attackers administrator-level access equivalent to a rogue insider.
  • Telecoms and Critical Infrastructure: MSPs supporting telecom operators across Uganda, Tanzania, and Rwanda may serve as the initial entry point, with lateral movement spreading to downstream clients - a classic supply chain attack pattern.
  • Healthcare: Hospitals and insurance providers using shared IT support services face patient data exposure, risking regulatory penalties and operational disruption.

The reputational and regulatory cost of a confirmed breach via this vector is severe. Under CBK Cybersecurity Guidelines and the Kenya DPA 2019, organizations face mandatory breach notification obligations and potential fines. In Ethiopia, the Computer Crime Proclamation No. 958/2016 creates additional legal exposure for institutions that fail to prevent unauthorized system access.

Immediate Actions - Do These Now

  • Audit all RMM tools installed on your network immediately. Produce a complete inventory of every instance of SimpleHelp, ScreenConnect, AnyDesk, TeamViewer, and similar tools. Any unrecognized or unauthorized installation is a confirmed incident - escalate immediately.
  • Enforce application allowlisting and RMM access controls. RMM tools should only be executable by named, verified accounts. Disable or uninstall any instance that cannot be traced to an approved vendor or IT workflow. Block unauthorized RMM binaries at the endpoint level.
  • Review and restrict your MSP and third-party IT vendor access. Audit what remote access rights your IT vendors currently hold. Implement just-in-time (JIT) access - vendors should have access only during approved maintenance windows, not persistent always-on connections.
  • Deploy behavioral detection rules in your SIEM/EDR. Standard signature-based AV will not catch this. Configure your security tooling to alert on anomalous RMM session behavior - specifically sessions initiated outside business hours, from unfamiliar IP ranges, or by accounts with no prior RMM activity.
  • Run targeted phishing simulations focused on IT helpdesk impersonation. VENOMOUS#HELPER uses phishing emails that impersonate IT support and helpdesk requests. Test whether your staff - especially finance, HR, and executive assistants - can identify these lures before a real attacker does.
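The behavioral detection rule described above, as an added example (not DRONGO's or any vendor's code): it triages RMM session records for the three anomalies the advisory names. The log schema, the approved address ranges, the business-hours window and the sample sessions are all constructed assumptions for illustration.

```python
"""Triage RMM session logs for the anomalies the advisory lists.

Constructed sample data and a hypothetical record format (not any vendor's
schema): one dict per RMM session with tool, account, source IP, timestamp.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed allowlist of approved vendor/office source ranges (constructed values).
APPROVED_RANGES = [ip_network("10.20.0.0/16"), ip_network("197.248.0.0/16")]
BUSINESS_HOURS = (8, 18)  # local time: inclusive start hour, exclusive end hour
WORKDAYS = range(0, 5)    # Monday..Friday

# Constructed sample sessions (not real log data).
SESSIONS = [
    {"tool": "SimpleHelp", "account": "msp-tech1", "src": "10.20.5.7", "ts": "2025-06-03T10:15:00"},
    {"tool": "ScreenConnect", "account": "msp-tech1", "src": "10.20.5.9", "ts": "2025-06-04T14:02:00"},
    {"tool": "ScreenConnect", "account": "j.otieno", "src": "45.155.20.14", "ts": "2025-06-07T02:40:00"},
    {"tool": "SimpleHelp", "account": "msp-tech1", "src": "10.20.5.7", "ts": "2025-06-05T23:10:00"},
]

def baseline_accounts(sessions, cutoff):
    """Accounts seen in any RMM session strictly before `cutoff` (the learned baseline)."""
    return {s["account"] for s in sessions if datetime.fromisoformat(s["ts"]) < cutoff}

def flag_session(session, known_accounts):
    """Return the reasons a session is anomalous; an empty list means it looks normal."""
    reasons = []
    ts = datetime.fromisoformat(session["ts"])
    if ts.weekday() not in WORKDAYS or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
        reasons.append("outside business hours")
    if not any(ip_address(session["src"]) in net for net in APPROVED_RANGES):
        reasons.append("unapproved source range")
    if session["account"] not in known_accounts:
        reasons.append("no prior RMM activity for account")
    return reasons

def triage(sessions, baseline_cutoff_iso):
    """Map the index of each anomalous post-baseline session to its reasons."""
    cutoff = datetime.fromisoformat(baseline_cutoff_iso)
    known = baseline_accounts(sessions, cutoff)
    hits = {}
    for i, s in enumerate(sessions):
        if datetime.fromisoformat(s["ts"]) < cutoff:
            continue  # the baseline window itself is not alerted on
        reasons = flag_session(s, known)
        if reasons:
            hits[i] = reasons
    return hits

if __name__ == "__main__":
    for idx, why in triage(SESSIONS, "2025-06-05T00:00:00").items():
        s = SESSIONS[idx]
        print(f"ALERT {s['tool']} account={s['account']} src={s['src']} ts={s['ts']}: {', '.join(why)}")
```

In a real deployment the baseline comes from weeks of prior RMM session history and the allowlist from the vendor access register produced by the audit step, not from hard-coded constants.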

DRONGO Recommendation

DRONGO's SOC team actively monitors for VENOMOUS#HELPER indicators of compromise (IoCs) across client environments in Kenya, Somalia, and Ethiopia. If your organization uses any RMM tooling or relies on third-party IT support, a targeted threat hunt and RMM access audit should be your immediate next step. Our team can complete this assessment within 48 hours.

Is your organization protected? Request a free security assessment.