A phishing campaign tracked as VENOMOUS#HELPER has targeted over 80 organizations since April 2025, primarily in the US. Attackers impersonate the US Social Security Administration to trick users into downloading a malicious executable that installs two legitimate RMM tools — SimpleHelp and ScreenConnect — for persistent access. SimpleHelp is used for scripting, surveillance, and automated tasks, while ScreenConnect enables interactive desktop control. Using two tools provides redundancy if one is detected and removed. Securonix attributes the campaign to a financially motivated Initial Access Broker or ransomware precursor group. The campaign reflects a broader trend: Huntress reported a 277% year-over-year increase in RMM tool misuse in 2025. Defenders are advised to use application whitelisting, SIEM/EDR platforms, and network monitoring to detect unauthorized RMM installations.
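
One way to apply the detection advice above, as an added example that is not from the article or from Securonix: it scans software-install inventory for unapproved RMM products and escalates hosts where two different ones appear close together, the redundancy pattern the campaign relies on. The event format, host names, allowlist and 24-hour window are assumptions; only the two product names come from the text.

```python
from datetime import datetime, timedelta

# Product names come from the article; extend the map for your environment.
RMM_KEYWORDS = {"simplehelp": "SimpleHelp", "screenconnect": "ScreenConnect"}
# Hypothetical allowlist of sanctioned (host, product) pairs.
APPROVED = {("it-admin-01", "ScreenConnect")}
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed install-inventory events: (host, ISO timestamp, display name).
SAMPLE_EVENTS = [
    ("fin-ws-17", "2025-06-03T14:02:11", "SimpleHelp Remote Access"),
    ("fin-ws-17", "2025-06-03T14:09:40", "ScreenConnect Client"),
    ("it-admin-01", "2025-06-01T09:00:00", "ScreenConnect Client"),
    ("hr-ws-04", "2025-06-02T10:15:00", "ScreenConnect Client"),
    ("hr-ws-04", "2025-06-02T10:20:00", "7-Zip"),
    ("dev-ws-09", "2025-05-01T08:00:00", "Simple Help Technician"),
    ("dev-ws-09", "2025-06-10T08:00:00", "ScreenConnect Client"),
]

def classify(display_name):
    """Map a software display name to an RMM product, or None."""
    name = display_name.lower().replace(" ", "")
    for key, product in RMM_KEYWORDS.items():
        if key in name:
            return product
    return None

def find_rmm_findings(events, approved=APPROVED, window=WINDOW):
    """Return {host: (severity, products)} for unapproved RMM installs."""
    per_host = {}
    for host, ts, display_name in events:
        product = classify(display_name)
        if product is None or (host, product) in approved:
            continue
        per_host.setdefault(host, []).append((datetime.fromisoformat(ts), product))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        severity = "unapproved-rmm"
        # Two different unapproved RMM products inside the window is the
        # redundancy pattern the article describes, so escalate it.
        for i, (t1, p1) in enumerate(hits):
            for t2, p2 in hits[i + 1:]:
                if p1 != p2 and t2 - t1 <= window:
                    severity = "dual-rmm"
        findings[host] = (severity, sorted({p for _, p in hits}))
    return findings

if __name__ == "__main__":
    print(find_rmm_findings(SAMPLE_EVENTS))
```

Matching on display names alone is easy to evade by renaming, so in practice the same correlation would be keyed on signer, file hash or network destination from EDR telemetry.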

5m read time. From darkreading.com