Attackers Extract Microsoft Edge Passwords From Memory Using Legitimate Remote Access Tools

Attackers exploit a flaw in Microsoft Edge and trusted tools to gain stealthy, long-term access.


Key Takeaways:

  • Attackers exploit a design gap in Microsoft Edge to access sensitive data from memory.
  • The campaign identified by Securonix uses trusted tools to evade detection.
  • Phishing and stealthy persistence techniques enable long-term system access.

An attacker who already has administrative-level access can retrieve Microsoft Edge users’ saved passwords from memory, even when those credentials are not actively being used. This is possible because, by design, the browser temporarily keeps them in unencrypted form in its process memory.

According to a new report from Securonix, the Venomous#Helper operation is an ongoing phishing campaign active since at least April 2025, which targets dozens of organizations (mainly in the U.S.) across different sectors. Its goal is to gain long-term unauthorized access to systems.

Attackers abuse legitimate RMM tools to evade detection

The attackers rely on legitimate remote management software (SimpleHelp and ScreenConnect). These tools are trusted and often allowed in corporate environments, which helps attackers avoid detection. The attack itself typically begins with emails impersonating trusted organizations. Victims are tricked into clicking a link and downloading what appears to be a legitimate document.

Victims are redirected through compromised websites and eventually download a malicious executable disguised as a document. The file is often digitally signed, which reduces suspicion and increases the likelihood that users will run it. Once executed, the software installs itself as a system service and ensures it remains active even after reboots. Attackers use mechanisms like watchdog processes and registry changes to maintain persistence.

Notably, the attackers install two separate remote access tools at the same time. This creates redundancy: if one access channel is discovered or blocked, the other can still provide control. The installed tools allow attackers to observe system activity, check security software status, and interact with the system at high privilege levels. This enables further actions such as lateral movement or data access.

Security recommendations to mitigate the threat

Organizations should strengthen controls around the use of remote management tools and monitor them as high‑risk applications. Since attackers in this campaign rely on legitimate software to blend in, security teams should restrict which RMM tools are allowed, enforce strict installation policies, and continuously track their activity for unusual behavior. It’s also important to enhance email security, filtering suspicious links and training employees to recognize phishing attempts to reduce the likelihood of initial compromise.

Additionally, defenders should focus on detection and response capabilities by monitoring system changes, persistence mechanisms, and abnormal privilege usage. Moreover, network segmentation, regular system audits, and endpoint detection tools can help identify unauthorized access early.
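As an added illustration of the RMM allowlisting and persistence-monitoring advice above (example code written for this page, not from Securonix or the report): a small Python check over constructed Windows service-install records (System log Event ID 7045) that flags RMM services outside an approved list and hosts carrying two different RMM products, the redundancy pattern described earlier. The flattened log line format, host names, service names and paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Windows System log "service installed" (Event ID 7045)
# records flattened to one line each; host names and paths are made up.
SAMPLE_EVENTS = [
    "host=WS01 eid=7045 svc=ScreenConnect Client path=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
    "host=WS01 eid=7045 svc=Remote Access path=C:\\ProgramData\\SimpleHelp\\Remote Access\\SimpleService.exe",
    "host=WS02 eid=7045 svc=ScreenConnect Client path=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
    "host=WS03 eid=7045 svc=Sysmon64 path=C:\\Windows\\Sysmon64.exe",
    "host=WS03 eid=7045 svc=Remote Access path=C:\\ProgramData\\SimpleHelp\\Remote Access\\SimpleService.exe",
]

# The two RMM products named in the campaign, matched case-insensitively
# against service name and image path. Extend with other products as needed.
RMM_SIGNATURES = {
    "screenconnect": re.compile(r"screenconnect", re.I),
    "simplehelp": re.compile(r"simplehelp", re.I),
}

# Assumed flattened record layout (constructed for this example).
EVENT_RE = re.compile(r"host=(?P<host>\S+) eid=(?P<eid>\d+) svc=(?P<svc>.+?) path=(?P<path>.+)$")


def classify_rmm(event):
    """Return the RMM product a parsed service-install event belongs to, or None."""
    haystack = event["svc"] + " " + event["path"]
    for product, pattern in RMM_SIGNATURES.items():
        if pattern.search(haystack):
            return product
    return None


def analyze(lines, approved):
    """Flag RMM service installs not on the approved list, and hosts where more
    than one RMM product was installed (the redundancy pattern in this campaign)."""
    findings, per_host = [], defaultdict(set)
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m.group("eid") != "7045":
            continue  # not a service-install record
        product = classify_rmm(m.groupdict())
        if product is None:
            continue  # ordinary service, e.g. Sysmon
        per_host[m.group("host")].add(product)
        if product not in approved:
            findings.append((m.group("host"), "unapproved_rmm", product))
    for host, products in sorted(per_host.items()):
        if len(products) > 1:
            findings.append((host, "multiple_rmm", ",".join(sorted(products))))
    return findings
```

Run as `analyze(SAMPLE_EVENTS, {"screenconnect"})` to see the unapproved SimpleHelp installs on WS01 and WS03 plus the dual-RMM finding on WS01.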