There is a shift happening in how serious threat actors operate. “Breaking in” is increasingly the wrong way to think about it. The groups making headlines right now are not forcing doors. They are being invited through them.

Take VENOMOUS#HELPER for example. This cluster has hit over 80 organizations by using modified versions of legitimate remote management tools like SimpleHelp and ScreenConnect. They customize the session to look exactly like a routine support call. The victim installs the software themselves, thinking they are letting their help desk in. It is almost elegant in how it sidesteps traditional defenses.

Then you have the Spider groups. Affiliated with the loosely connected e-crime network “The Com,” these actors use voice phishing to talk employees into handing over SSO credentials. Once they are in, they never touch your network. They live entirely in SaaS, like SharePoint and HubSpot. Your on-prem network monitoring sees absolutely nothing, because there is nothing on-prem to see.

Perimeter security assumes there is a perimeter worth defending. When the attack arrives as a legitimate-looking support session or an authorized SSO login, the perimeter is already behind you. The groups operating at this level are faster than most incident response timelines. They are usually done by the time your alerts fire.
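The RMM abuse described above (a user installing a legitimate SimpleHelp or ScreenConnect agent at an attacker's request) is hard to catch as malware, but easy to catch as an inventory mismatch: an RMM agent running outside the one deployment the help desk actually owns. The following is an added example, not code from the original article; the event fields, hostnames, file names and the allowlist are constructed for illustration.

```python
"""Flag RMM agents that the help desk never sanctioned, from endpoint process events.

Added example: event fields, hostnames and the allowlist below are constructed for
illustration; the product signatures cover only the two tools named in the text.
"""
from dataclasses import dataclass
from typing import Optional

# Case-insensitive substrings that identify an RMM agent by its image path.
RMM_SIGNATURES = {"simplehelp": "SimpleHelp", "screenconnect": "ScreenConnect"}

# Hypothetical allowlist: the only RMM product the org uses, and its real server.
APPROVED_RMM = {"ScreenConnect": {"support.example-corp.internal"}}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    product: str
    remote_host: str
    reason: str


def classify_event(event: dict) -> Optional[Finding]:
    """Return a Finding when an RMM agent runs outside the sanctioned deployment."""
    image = event.get("image", "").lower()
    product = next((name for sig, name in RMM_SIGNATURES.items() if sig in image), None)
    if product is None:
        return None  # not an RMM agent we track
    remote_host = event.get("remote_host", "<none>").lower()
    approved_servers = APPROVED_RMM.get(product)
    if approved_servers is None:
        reason = "RMM product is not sanctioned anywhere in the org"
    elif remote_host not in approved_servers:
        reason = "sanctioned product, but it connects to an unknown control server"
    else:
        return None  # legitimate help-desk session
    return Finding(event["host"], event["user"], product, remote_host, reason)


def find_unsanctioned_rmm(events: list) -> list:
    """Run classify_event over a batch and keep only the findings."""
    return [f for f in map(classify_event, events) if f is not None]


# Constructed process-creation events joined with each process's first outbound connection.
SAMPLE_EVENTS = [
    {"host": "wks-017", "user": "jdoe", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "remote_host": "www.example.org"},
    {"host": "wks-017", "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\SimpleHelp-setup.exe",
     "remote_host": "203.0.113.7"},
    {"host": "wks-042", "user": "asmith", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "remote_host": "support.example-corp.internal"},
    {"host": "wks-042", "user": "asmith", "image": r"C:\Users\asmith\Downloads\ScreenConnect.Client.exe",
     "remote_host": "helpdesk-portal.example.net"},
]

if __name__ == "__main__":
    for f in find_unsanctioned_rmm(SAMPLE_EVENTS):
        print(f"{f.host} {f.user}: {f.product} -> {f.remote_host} ({f.reason})")
```

Both findings here are cases the article's scenario produces: a product the org never deployed, and the org's own product pointed at a server the help desk does not run. Feeding the same check with identity-provider sign-in events would be the analogous step for the SSO-only intrusions described in the next paragraph.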

