Securonix researchers have identified an active phishing campaign named VENOMOUS#HELPER that has compromised more than 80 organizations since April 2025. The threat actors use phishing emails to trick targets into installing legitimate Remote Monitoring and Management (RMM) software, specifically SimpleHelp and ScreenConnect, as a vehicle for persistent remote access.
The campaign primarily targets U.S.-based organizations. Once victims install the RMM tools through deceptive phishing messages, attackers gain the ability to remotely access and control compromised systems. This approach leverages the trust users place in legitimate software, making detection harder than traditional malware-based attacks.
RMM tools like SimpleHelp and ScreenConnect are designed for IT administrators to manage networks remotely. When installed through social engineering rather than legitimate IT processes, these tools become effective backdoors. Attackers can execute commands, exfiltrate data, and maintain access without raising suspicion from basic security tools that recognize RMM software as legitimate.
The phishing vectors used in VENOMOUS#HELPER remain active. Organizations across multiple sectors have fallen victim, though specific industry verticals have not been disclosed. The campaign demonstrates a shift in attacker tactics: rather than deploying custom malware that antivirus solutions might catch, threat actors abuse widely used administrative tools that security systems typically whitelist.
Securonix notes the activity shares behavioral overlaps with other known threat clusters, suggesting possible connections to tracked adversary groups, though specific attribution remains unclear.
Organizations should implement email filtering to block suspicious attachment-based phishing attempts and ensure employees receive security awareness training focused on social engineering tactics. IT teams should also monitor for unexpected RMM tool installations on endpoints and restrict which users can install remote access software. Implementing application whitelisting and endpoint detection and response (EDR) solutions helps identify anomalous
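One way to act on the "monitor for unexpected RMM tool installations" advice above, written here as an added example rather than Securonix or vendor tooling: it scans process-creation telemetry for SimpleHelp and ScreenConnect binaries and flags launches by accounts outside an IT allowlist or spawned from user-facing parents such as a mail client. The name patterns, the `APPROVED_INSTALLERS` accounts and the sample events are all constructed assumptions to replace with your own inventory.

```python
# Added example, not Securonix tooling; patterns and allowlists are assumptions.
import json
import re
from typing import Optional

# Assumed binary/path patterns for the two products named in the campaign;
# replace with the exact names from your own software inventory.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"screenconnect", re.IGNORECASE),
    "SimpleHelp": re.compile(r"simplehelp|jwrapper-remote access", re.IGNORECASE),
}
# Hypothetical accounts allowed to roll out remote-access software.
APPROVED_INSTALLERS = {"CORP\\svc-sccm", "CORP\\it-deploy"}
# Parent processes that indicate a user clicked something, not an IT push.
USER_FACING_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "explorer.exe"}

def classify_event(event: dict) -> Optional[str]:
    """Return a finding for one process-creation event, or None if it looks sanctioned."""
    image = event.get("image", "")
    product = next((p for p, rx in RMM_PATTERNS.items() if rx.search(image)), None)
    if product is None:
        return None  # not an RMM binary this campaign is known to abuse
    user = event.get("user", "")
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if user not in APPROVED_INSTALLERS:
        reasons.append(f"user {user} is not an approved installer")
    if parent in USER_FACING_PARENTS:
        reasons.append(f"launched from {parent}")
    if not reasons:
        return None  # approved account, non-interactive parent: treat as an IT deployment
    return f"{event['host']}: {product} via {image} ({'; '.join(reasons)})"

def scan(lines) -> list:
    """Run classify_event over JSON-lines process events; return the findings."""
    return [f for f in (classify_event(json.loads(line)) for line in lines) if f]

# Constructed sample telemetry in a JSON-lines shape (not real logs).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "WS-0007", "user": "CORP\\svc-sccm", "parent_image": "C:\\Windows\\CCM\\CcmExec.exe",
     "image": "C:\\Windows\\Temp\\ScreenConnect.ClientSetup.exe"},
    {"host": "WS-1042", "user": "CORP\\jdoe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "image": "C:\\Users\\jdoe\\Downloads\\ScreenConnect.ClientSetup.exe"},
    {"host": "WS-2210", "user": "CORP\\asmith", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\asmith\\AppData\\Local\\JWrapper-Remote Access\\Remote Access.exe"},
    {"host": "WS-0310", "user": "CORP\\bkim", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]]
# scan(SAMPLE_EVENTS) returns two findings: the Outlook-spawned ScreenConnect
# installer on WS-1042 and the user-launched SimpleHelp client on WS-2210.
```

The SCCM-driven install on WS-0007 is deliberately left unflagged so the rule distinguishes sanctioned deployment from the phishing-driven installs the campaign relies on.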
