Phishing Campaign Leverages SimpleHelp, ScreenConnect RMM to Hit 80+ Orgs
An active phishing campaign, codenamed VENOMOUS#HELPER, has been observed since at least April 2025, according to The Hacker News. This operation targets organizations by leveraging legitimate Remote Monitoring and Management (RMM) software, specifically SimpleHelp and ScreenConnect, to establish persistent remote access on compromised systems.
The Hacker News reports that over 80 organizations have been impacted, with the majority located in the U.S. The use of trusted RMM tools is a classic attacker move: it blends in, making detection harder. This isn’t about exploiting a vulnerability in the RMM itself, but rather tricking users into installing or approving legitimate software that then becomes an adversary’s foothold.
This campaign underscores a critical blind spot for many defenders. It’s not always about zero-days; often, it’s about weaponizing legitimate tools through social engineering. Attackers aren’t just looking for a way in; they’re looking for a way to stay in, unnoticed, and RMM tools fit that bill perfectly by providing a backdoor that looks like business as usual.
What This Means For You
- If your organization uses SimpleHelp or ScreenConnect, you need to audit access logs immediately for any unauthorized connections or suspicious installations. Implement strict MFA for all RMM access and ensure your phishing awareness training specifically covers social engineering tactics that trick users into installing legitimate remote access software. This isn't a vulnerability to patch; it's a TTP to detect.
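One way to start the audit described above, as an added example that is not from the original article: a Python check that flags SimpleHelp or ScreenConnect processes on hosts where the tool is not approved, or that point at a relay outside an allowlist. The event records, host names, file paths, allowlists and the `h=` relay parameter are constructed or assumed; substitute your own process-creation telemetry and inventory.

```python
import re

# Name patterns for the two RMM tools named in the article. The file names
# and paths they match are assumptions; tune them to your own inventory.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "SimpleHelp": re.compile(r"simplehelp|jwrapper-remote access", re.I),
}
# Assumption: the client's relay host appears as an h= launch parameter.
RELAY_PARAM = re.compile(r'[?&]h=([^&"\s]+)')

# Hypothetical allowlists: where each tool may run, and which relays are ours.
APPROVED_HOSTS = {"ScreenConnect": {"HELPDESK-01"}, "SimpleHelp": set()}
APPROVED_RELAYS = {"rmm.corp.example"}

# Constructed process-creation records: (host, user, image path, command line).
SAMPLE_EVENTS = [
    ("HELPDESK-01", "svc_it",
     r"C:\Program Files (x86)\ScreenConnect Client (0000)\ScreenConnect.ClientService.exe",
     '"?e=Access&y=Guest&h=rmm.corp.example&p=8041"'),
    ("FIN-WS-014", "jdoe",
     r"C:\Program Files (x86)\ScreenConnect Client (1111)\ScreenConnect.ClientService.exe",
     '"?e=Access&y=Guest&h=relay.unknown.example&p=8041"'),
    ("HR-WS-003", "asmith",
     r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe", ""),
    ("FIN-WS-014", "jdoe", r"C:\Program Files\Google\Chrome\chrome.exe", ""),
]

def find_unapproved_rmm(events, hosts=APPROVED_HOSTS, relays=APPROVED_RELAYS):
    """Return one finding per RMM process that violates either allowlist."""
    findings = []
    for host, user, image, cmdline in events:
        text = f"{image} {cmdline}"
        tool = next((n for n, p in RMM_PATTERNS.items() if p.search(text)), None)
        if tool is None:
            continue  # not one of the RMM tools we track
        reasons = []
        if host not in hosts.get(tool, set()):
            reasons.append(f"{tool} not approved on this host")
        m = RELAY_PARAM.search(cmdline)
        if m and m.group(1).lower() not in relays:
            reasons.append(f"unapproved relay {m.group(1)}")
        if reasons:
            findings.append({"host": host, "user": user, "tool": tool, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_unapproved_rmm(SAMPLE_EVENTS):
        print(finding)
```

The approved help-desk install stays quiet because both the host and its relay are allowlisted; a sanctioned tool pointed at an unknown relay is flagged just like an unsanctioned install.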
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| VENOMOUS#HELPER | Phishing | Active phishing campaign targeting organizations since April 2025 |
| VENOMOUS#HELPER | Initial Access | Use of legitimate SimpleHelp RMM software for remote access |
| VENOMOUS#HELPER | Initial Access | Use of legitimate ScreenConnect RMM software for remote access |