Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools
EXECUTIVE SUMMARY
VENOMOUS#HELPER Phishing Campaign Exploits RMM Tools to Target 80+ Organizations
Summary
An ongoing phishing campaign, named VENOMOUS#HELPER, has been targeting over 80 organizations since April 2025. The campaign utilizes legitimate Remote Monitoring and Management (RMM) tools to gain persistent remote access to compromised systems.
Key Points
- The phishing campaign has been active since at least April 2025.
- It has impacted over 80 organizations, primarily located in the United States.
- The campaign uses legitimate RMM software, including SimpleHelp and ScreenConnect, to establish remote access.
- The activity has been tracked and reported by Securonix.
Analysis
The VENOMOUS#HELPER campaign highlights the growing trend of cybercriminals leveraging legitimate software tools to conduct malicious activities. By using RMM tools like SimpleHelp and ScreenConnect, attackers can maintain persistent access to compromised systems through software that appears legitimate, which makes detection and mitigation more challenging. This underscores the importance of monitoring for unusual activity even when it comes from trusted software.
Conclusion
IT professionals should enhance monitoring of RMM tool usage within their networks and ensure that access controls are robust. Regularly updating security protocols and conducting phishing awareness training can help mitigate the risks posed by such sophisticated campaigns.
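One way to start monitoring RMM tool usage is to triage process-creation events against an inventory of sanctioned RMM deployments. The sketch below is an added example, not taken from the Securonix reporting; the matching substrings, folder and parent-process heuristics, host names, inventory and events are all constructed assumptions.

```python
import re

# Assumption: product-name substrings used to recognise the two RMM tools named above.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "SimpleHelp": re.compile(r"simplehelp", re.I),
}
# Assumption: user-writable folders an IT-deployed agent would not normally run from.
USER_WRITABLE = re.compile(r"\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
# Assumption: parent processes suggesting the user opened a link or attachment.
USER_FACING_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Hypothetical inventory of which RMM product IT has sanctioned on which host.
SANCTIONED = {"HELPDESK-01": {"ScreenConnect"}}

# Constructed process-creation events: (host, image path, parent process).
EVENTS = [
    ("HELPDESK-01", r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe", "services.exe"),
    ("FIN-WS-07", r"C:\Users\jdoe\Downloads\simplehelp_setup.exe", "chrome.exe"),
    ("FIN-WS-07", r"C:\Program Files (x86)\ScreenConnect Client (c3d4)\ScreenConnect.ClientService.exe", "services.exe"),
    ("HELPDESK-01", r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]

def identify_rmm(image):
    """Return the RMM product name matched in an image path, or None."""
    for product, pattern in RMM_PATTERNS.items():
        if pattern.search(image):
            return product
    return None

def triage(events, sanctioned):
    """Return (host, product, reasons) for every RMM execution worth reviewing."""
    findings = []
    for host, image, parent in events:
        product = identify_rmm(image)
        if product is None:
            continue  # not one of the tracked RMM tools
        reasons = []
        if product not in sanctioned.get(host, set()):
            reasons.append("unsanctioned product on host")
        if USER_WRITABLE.search(image):
            reasons.append("runs from user-writable path")
        if parent.lower() in USER_FACING_PARENTS:
            reasons.append("spawned by browser or mail client")
        if reasons:
            findings.append((host, product, reasons))
    return findings

if __name__ == "__main__":
    for host, product, reasons in triage(EVENTS, SANCTIONED):
        print(f"{host}: {product}: {'; '.join(reasons)}")
```

A sanctioned agent running from its installed location produces no finding, so the output stays limited to RMM activity that the inventory cannot explain.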