Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools
Summary
An active phishing campaign, dubbed VENOMOUS#HELPER, has been targeting over 80 organizations, primarily in the U.S., since April 2025. The campaign exploits legitimate Remote Monitoring and Management (RMM) tools like SimpleHelp and ScreenConnect to gain persistent remote access to compromised systems.
IFF Assessment
This campaign leverages common RMM tools for malicious purposes, indicating a trend of attackers abusing legitimate software for unauthorized access.
Defender Context
Defenders should be aware of this campaign's tactics, which involve phishing and the abuse of RMM tools. Organizations using SimpleHelp or ScreenConnect should review their security configurations and user access controls. Vigilance against phishing attempts and thorough investigation of any suspicious activity related to RMM tools are crucial.