Phishing Campaign Exploits RMM Tools to Target Organizations
Severity: High (Score: 71.0)
Sources: www.cybersecuritydive.com, Darkreading, www.securonix.com
Summary
A phishing campaign known as VENOMOUS#HELPER has affected over 80 organizations, primarily in the US, Western Europe, and Latin America. Attackers are utilizing legitimate remote monitoring and management (RMM) tools, specifically SimpleHelp and ScreenConnect, to maintain persistent access to compromised systems. The campaign has been active since at least April 2025, employing phishing emails that impersonate the US Social Security Administration to lure victims into downloading malicious executables. These tools allow attackers to blend their activities with normal operations, making detection difficult. The use of RMM tools for attacks has surged, with a reported 277% increase in misuse in 2025. Federal officials warn that similar techniques could target sensitive national security systems. The NSA has released guidance to help protect federal workers from these threats. The ongoing nature of the campaign indicates a significant risk to organizations across various sectors.
Key Points:
- Over 80 organizations have been impacted by the VENOMOUS#HELPER phishing campaign.
- Attackers are using legitimate RMM tools like SimpleHelp and ScreenConnect to evade detection.
- The campaign has been active since at least April 2025, with a significant increase in RMM tool misuse.
Key Entities
- Phishing (attack_type)
- Ransomware (attack_type)
- VENOMOUS#HELPER (campaign)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- T1566.001 - Spearphishing Attachment (mitre_attack)
- T1566.002 - Spearphishing Link (mitre_attack)
- T1566 - Phishing (mitre_attack)
- AnyDesk (tool)
- ConnectWise Control (tool)
- ScreenConnect (tool)
- SimpleHelp (tool)