RMM Tools Fuel Stealthy Phishing Campaign

A phishing campaign, tracked as VENOMOUS#HELPER, has impacted over 80 organizations, primarily in the US, using two legitimate RMM tools, SimpleHelp and ScreenConnect, to maintain persistence on compromised systems. The campaign, active since April 2025, begins with a phishing email masquerading as a message from the US Social Security Administration.

Attackers are abusing two remote monitoring and management (RMM) tools to evade detection in a campaign that has impacted over 80 organizations. The VENOMOUS#HELPER campaign, active since April 2025, primarily targets organizations in the US, Western Europe, and Latin America. The campaign begins with a phishing email masquerading as a message from the US Social Security Administration, prompting recipients to download a malicious executable that installs the SimpleHelp and ScreenConnect RMM tools. SimpleHelp is used for running scripts, commands, and surveillance, while ScreenConnect is used for interactive desktop control. The use of two RMM tools ensures persistence even if one is removed. The campaign is attributed to a financially motivated Initial Access Broker or ransomware precursor operation.
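Because the second tool keeps access alive when the first is removed, triage has to look for both products on every host rather than stopping at the first hit. The following is an added example, not part of the original article: it runs that check over a constructed software inventory, where the host names, product strings, timestamps and the `sanctioned` flag are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The two RMM products named in the article, matched against product names.
CAMPAIGN_RMM = ("simplehelp", "screenconnect")

# Constructed sample inventory: (host, product, install time, sanctioned by IT).
# Layout and values are assumptions for illustration, not real telemetry.
INVENTORY = [
    ("ws-014", "ScreenConnect Client", "2025-05-02T09:14:00", False),
    ("ws-014", "SimpleHelp Remote Access", "2025-05-02T09:16:00", False),
    ("ws-022", "ScreenConnect Client", "2025-01-10T08:00:00", True),
    ("ws-031", "SimpleHelp Remote Access", "2025-05-03T11:40:00", False),
    ("ws-040", "ScreenConnect Client", "2025-02-01T10:00:00", True),
    ("ws-040", "SimpleHelp Remote Access", "2025-05-04T15:30:00", False),
]

def triage(inventory, window=timedelta(hours=1)):
    """Return {host: finding} for hosts carrying an unsanctioned RMM install."""
    per_host = defaultdict(dict)
    for host, product, ts, sanctioned in inventory:
        for rmm in CAMPAIGN_RMM:
            if rmm in product.lower():
                per_host[host][rmm] = (datetime.fromisoformat(ts), sanctioned)
    findings = {}
    for host, tools in per_host.items():
        unsanctioned = sorted(r for r, (_, ok) in tools.items() if not ok)
        if not unsanctioned:
            continue  # only IT-approved RMM software on this host
        if len(tools) == len(CAMPAIGN_RMM):
            times = [t for t, _ in tools.values()]
            together = max(times) - min(times) <= window
            if together and len(unsanctioned) == len(tools):
                severity = "high: both tools installed together"
            else:
                severity = "medium: unsanctioned tool beside another RMM"
        else:
            severity = "low: single unsanctioned tool"
        # "present" lists every RMM tool found, so cleanup covers all of them.
        findings[host] = {"severity": severity, "remove": unsanctioned,
                          "present": sorted(tools)}
    return findings

if __name__ == "__main__":
    for host, finding in sorted(triage(INVENTORY).items()):
        print(host, finding)
```
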

This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.
