Massive Phishing Wave Using Trusted Remote Access Tools Hits Over 80 US Organizations

By
<h2>Breaking: Widespread Phishing Campaign Exploits Legitimate RMM Software</h2><p>A sophisticated phishing campaign, dubbed VENOMOUS#HELPER, has compromised more than 80 organizations, primarily in the United States, since at least April 2025. Attackers are leveraging legitimate Remote Monitoring and Management (RMM) tools — SimpleHelp and ScreenConnect — to establish persistent remote access to victim networks.</p><figure style="margin:20px 0"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqa_ifaDYXI_GirxdHpZgSiE6fjnNdCmviv3QO9JsRvy1ddAWCRfoNd032ANB7pNfFMS4hLEwkfNHPHC5MNwkhK6XRjbe_y8qzWGpXRsdqhMnnUMGguScuIYtcUNQqQlmZkY4BUXy-ue6fAlor8LOfvEZNZrOq0JrIbOc2jXXAUBarqlodfdsIshRq7dXi/s1600/phishing-org.jpg" alt="Massive Phishing Wave Using Trusted Remote Access Tools Hits Over 80 US Organizations" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.feedburner.com</figcaption></figure><p>Security firm Securonix first identified the coordinated activity and is tracking it as VENOMOUS#HELPER. The campaign marks a significant escalation in the abuse of trusted administrative software to bypass traditional security defenses.</p><p>"Threat actors are increasingly weaponizing tools that IT teams rely on daily," said <strong>James Whitfield</strong>, senior threat researcher at Securonix. "By using legitimate RMM software, they can fly under the radar of endpoint detection systems."</p><h3 id="background">Background: How the Attack Works</h3><p>The attack chain begins with a <strong>spear-phishing email</strong> designed to trick the recipient into opening a malicious attachment or following a malicious link. 
Once executed, the payload silently installs either SimpleHelp or ScreenConnect, both widely used RMM platforms.</p><p>These tools then grant attackers <strong>persistent remote control</strong> over the infected machine, allowing them to move laterally within the network, steal credentials, and deploy ransomware or data exfiltration payloads.</p><p>"RMM software is inherently trusted by both security teams and operating systems," Whitfield explained. "This trust makes it a perfect camouflage for adversary operations."</p><p>The campaign primarily targets <strong>critical infrastructure sectors</strong>, including manufacturing, healthcare, and finance. Over 80% of victims are located in the United States, with the remainder spread across Europe and Asia-Pacific.</p><h3 id="what-this-means">What This Means for Cybersecurity</h3><p>VENOMOUS#HELPER underscores the growing trend of <em>living-off-the-land</em> tactics, where attackers abuse legitimate software to avoid detection. Traditional security tools that rely on signature-based detection often fail to flag approved RMM applications, because the binaries are legitimately signed commercial software rather than malware.</p><p>Organizations must now <strong>monitor RMM tool usage</strong> as a potential indicator of compromise: an RMM client appearing on a host where it was never deployed, installed outside the sanctioned path, or launched from a mail client or browser is a signal worth triaging. 
Security teams should implement strict policies for RMM deployment and maintain logs of all remote sessions.</p><p>"This is a wake-up call for every SOC," said <strong>Maria Chen</strong>, cybersecurity analyst at CyberDefense Institute. "If you're not auditing your RMM tools, you're likely already compromised."</p><p>Securonix reports that the campaign remains active, with new phishing lures detected daily. The researchers advise all organizations to review their <a href="/guidelines/rmm-security">RMM security guidelines</a> and enable multi-factor authentication on management consoles.</p><p>"The attackers are sophisticated but not invincible," Whitfield added. "Visibility into RMM usage, combined with user awareness, can break the killchain."</p>
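<p>As an added example, not part of the original article or of Securonix's research, the following Python script shows the kind of RMM-usage monitoring the advice above calls for. It reads constructed Sysmon-style process-creation events (JSON lines) and flags SimpleHelp or ScreenConnect processes that are not a sanctioned product, run on a host not approved for RMM, were launched from a mail client or browser, or live in a user-writable directory. The allow-lists, event field names, host names, binary names and install paths are assumptions chosen for illustration and should be tuned against the organization's real deployment.</p>

```python
"""Flag unsanctioned or suspicious RMM activity in process-creation telemetry.

Added example, not detection logic from Securonix or the RMM vendors. Events
are constructed Sysmon Event ID 1-style records as JSON lines; field names
(Computer, Image, ParentImage), host names and paths are assumptions.
"""
import json
from dataclasses import dataclass

# Substrings that identify the two RMM tools named in the article. The
# SimpleHelp marker list includes its default "JWrapper-Remote Access" install
# folder name; treat both lists as assumptions to tune against real installs.
RMM_MARKERS = {
    "SimpleHelp": ("simplehelp", "jwrapper-remote access"),
    "ScreenConnect": ("screenconnect",),
}

# Hypothetical policy: the organization sanctions ScreenConnect only, and only
# on its IT administration hosts.
SANCTIONED_PRODUCTS = {"ScreenConnect"}
SANCTIONED_HOSTS = {"it-admin01", "it-admin02"}

# Parent processes that indicate a user launched the installer from a phishing
# email or a link in a browser, and paths a managed RMM deployment never uses.
PHISH_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                 "winrar.exe", "7zfm.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


@dataclass
class Finding:
    host: str
    product: str
    image: str
    reasons: list


def identify_rmm(image: str):
    """Return the RMM product name if the image path matches a marker."""
    low = image.lower()
    for product, markers in RMM_MARKERS.items():
        if any(m in low for m in markers):
            return product
    return None


def analyze_event(ev: dict):
    """Return a Finding for an RMM process that violates policy, else None."""
    image = ev.get("Image", "")
    product = identify_rmm(image)
    if product is None:
        return None
    reasons = []
    if product not in SANCTIONED_PRODUCTS:
        reasons.append("unsanctioned RMM product")
    if ev.get("Computer", "").lower() not in SANCTIONED_HOSTS:
        reasons.append("host not approved for RMM")
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in PHISH_PARENTS:
        reasons.append(f"spawned by {parent} (mail/browser delivery)")
    if any(p in image.lower() for p in USER_WRITABLE):
        reasons.append("binary in user-writable path")
    if not reasons:
        return None
    return Finding(ev.get("Computer", ""), product, image, reasons)


def analyze_log(lines):
    """Run analyze_event over JSON lines and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = analyze_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry: a sanctioned ScreenConnect service on an IT
# host, a SimpleHelp client dropped into Temp by Outlook on a finance
# workstation, a ScreenConnect client installed from a browser on an HR
# workstation, and an unrelated Excel launch.
SAMPLE_LOG = r"""
{"Computer": "IT-ADMIN01", "Image": "C:\\Program Files (x86)\\ScreenConnect Client (4f2a9c)\\ScreenConnect.ClientService.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Computer": "WS-FINANCE07", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\simplehelp-client.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"Computer": "WS-HR12", "Image": "C:\\Program Files (x86)\\ScreenConnect Client (9b17e0)\\ScreenConnect.ClientService.exe", "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"}
{"Computer": "WS-FINANCE07", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG.splitlines()):
        print(f"{f.host}: {f.product} {f.image} -> {'; '.join(f.reasons)}")
```

<p>Run against the sample, the script stays silent on the IT host's sanctioned ScreenConnect service and on Excel, but raises the SimpleHelp client on the finance workstation (wrong product, wrong host, Outlook parent, Temp directory) and the browser-installed ScreenConnect client on the HR workstation (wrong host, Edge parent). The value is in the comparison against an explicit deployment policy rather than in the string matches themselves; in production the same checks should be fed from the EDR's process telemetry and correlated with the RMM server's own session logs, which record who connected to which host and when.</p>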
